I guess my explanation was too concise.
The REST setup differences are as follows:
[Specify DATA directly] post-auth { uri = "${..connect_uri}/post-auth/user/%{User-Name}" method = 'post' body = 'json' data = '{ "reply": "%{reply:Packet-Type}", "replyMessage": "%{reply:Reply-Message}", "moduleFailureMessage" : "%{Module-Failure-Message}", \ "callingStationId": "%{Calling-Station-Id}", "calledStationId": "%{Called-Station-Id}", "eapType": "%{EAP-Type}", "nasIpAddress": "%{ NAS-IP-Address}" }' tls = ${..tls} }
[Receive all available properties] post-auth { uri = "${..connect_uri}/post-auth/user/%{User-Name}" method = 'post' body = 'json' tls = ${..tls} }
In other words, the difference is whether I wrote the data or not.
If I wrote data, only the properties I wrote are sent.
If I did not write the Data attribute, FreeRADIUS determines the attributes that can be transmitted and transmits them.
The problem arises when I do not write data.
And I'll post the debug contents.
(0) Received Access-Request Id 123 from 175.210.165.10:58812 to 10.10.10.244:1812 length 202 (0) User-Name = "maxtest" (0) Calling-Station-Id = "36-D7-B2-E6-FA-80" (0) NAS-IP-Address = 175.210.165.10 (0) NAS-Port = 70 (0) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (0) Service-Type = Framed-User (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Identifier = "80-03-84-B6-D0-CC" (0) Connect-Info = "CONNECT 802.11a/n/ac/ax" (0) EAP-Message = 0x0200000c016d617874657374 (0) Ruckus-SSID = "radius 122" (0) Message-Authenticator = 0x1ca4474733509d1bade6deeba47b5274 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) update { (0) EXPAND %{Packet-Src-IP-Address} (0) --> 175.210.165.10 (0) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (0) } # update = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 1 length 6 (0) eap: EAP session adding &reply:State = 0xe9ee35bde9ef2c47 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 123 from 10.10.10.244:1812 to 175.210.165.10:58812 length 64 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe9ee35bde9ef2c4724969f3f23e5bbf8 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 124 from 175.210.165.10:58812 to 10.10.10.244:1812 length 349 (1) User-Name = "maxtest" (1) Calling-Station-Id = "36-D7-B2-E6-FA-80" (1) NAS-IP-Address = 175.210.165.10 (1) NAS-Port = 70 (1) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (1) Service-Type = Framed-User (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Identifier = "80-03-84-B6-D0-CC" (1) Connect-Info = "CONNECT 802.11a/n/ac/ax" (1) EAP-Message = 0x0201008d198000000083160301007e0100007a0303f36ed3434734cf84e960507f5f2a12403307288c67fbc1317ff274381d96fb4f00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201 (1) State = 0xe9ee35bde9ef2c4724969f3f23e5bbf8 (1) Ruckus-SSID = "radius 122" (1) Message-Authenticator = 0xeadd8fe5dd24499ba069bdc361735562 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) update { (1) EXPAND %{Packet-Src-IP-Address} (1) --> 175.210.165.10 (1) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (1) } # update = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 141 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe9ee35bde9ef2c47 (1) eap: Finished EAP session with state 0xe9ee35bde9ef2c47 (1) eap: Previous EAP request found for state 0xe9ee35bde9ef2c47, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) EAP Peer says that the final record size will be 131 bytes (1) eap_peap: (TLS) EAP Got all data (131 bytes) (1) eap_peap: (TLS) Handshake state - before SSL initialization (1) eap_peap: (TLS) Handshake state - Server before SSL initialization (1) eap_peap: (TLS) Handshake state - Server before SSL initialization (1) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_peap: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 2 length 1004 (1) eap: EAP session adding &reply:State = 0xe9ee35bde8ec2c47 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 124 from 10.10.10.244:1812 to 175.210.165.10:58812 length 1068 (1) EAP-Message = 0x010203ec19c000000d21160303003d020000390303c644698754dc096274be07adaf4a72ed4f507bdfdf5b2fc06f003b82769ac8f200c02f000011ff01000100000b000403000102001700001603030b200b000b1c000b1900052d3082052930820391a003020102020101300d06092a864886f70d01010c050030818b310b3009060355040613024b52310e300c06035504080c0553656f756c3114301206035504070c0b4765756d6368656f6e677531153013060355040a0c0c52656d6f6e6e20436f72702e3123302106092a864886f70d01090116146d61782e6e616d4072656d6f6e6e2e636f2e6b72311a301806035504030c11776966692e72656d6f6e6e2e636f2e6b72301e170d3234303632343035333530395a170d3236303532353035333530395a3077310b3009060355040613024b52310e300c06035504080c0553656f756c31153013060355040a0c0c52656d6f6e6e20436f72702e311c301a06035504030c137365727665722e72656d6f6e6e2e (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xe9ee35bde8ec2c4724969f3f23e5bbf8 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 125 from 175.210.165.10:58812 to 10.10.10.244:1812 length 214 (2) User-Name = "maxtest" (2) Calling-Station-Id = "36-D7-B2-E6-FA-80" (2) NAS-IP-Address = 175.210.165.10 (2) NAS-Port = 70 (2) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (2) Service-Type = Framed-User (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Identifier = "80-03-84-B6-D0-CC" (2) Connect-Info = "CONNECT 802.11a/n/ac/ax" (2) EAP-Message = 0x020200061900 (2) State = 0xe9ee35bde8ec2c4724969f3f23e5bbf8 (2) Ruckus-SSID = "radius 122" (2) Message-Authenticator = 0x632e668a70c0a92180ce0f0bff737264 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) update { (2) EXPAND %{Packet-Src-IP-Address} (2) --> 175.210.165.10 (2) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (2) } # update = noop (2) eap: Peer sent EAP Response (code 2) ID 2 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xe9ee35bde8ec2c47 (2) eap: Finished EAP session with state 0xe9ee35bde8ec2c47 (2) eap: Previous EAP request found for state 0xe9ee35bde8ec2c47, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 3 length 1000 (2) eap: EAP session adding &reply:State = 0xe9ee35bdebed2c47 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 125 from 10.10.10.244:1812 to 175.210.165.10:58812 length 1064 (2) EAP-Message = 0x010303e81940bae12fcf5e6a07c9300d06092a864886f70d01010c050003820181004a914505c53f7706215a7bb8415af7107989a331d2b76fb3b0d276a999daa75b6dd9831028593d1dedd8906c02f49dc86bc2acd8752ee90315198c751e55d68220fb7b670fc92c20cb6477c05034f7746d0a393857e6050d1cf3b4e6811300ed52c2260dde2b491bf1ecb0ddaa0b306c5cdb209c6b0de917615d308fcb705100713aee1a10355f7acad73c80f8bb092389d928d7fcb338f861f3bff9c9af237e76aa15ed5713fc3013c409e20c8bb4846047342559f2ac33e9da3321742f50b83ba56b4fcc930db1008afd8bef4c35e49f0d1fd091f3609ea43d44a245c0c5f05c9de5841300db3d14150edb931d1082307b9cf2b421a9048b2c808257327de23d03e9a784bf1253c05bab835dcd1f9dd10ba1f43b8586ceab09bf34981fb0339c880500e55527bbcf5e5ce408564f574044bfa8b797a0bf2e9dab2bd61c3ea1193a95ed922f09579b2692e8d60795269fd9f17b4a (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xe9ee35bdebed2c4724969f3f23e5bbf8 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 126 from 175.210.165.10:58812 to 10.10.10.244:1812 length 214 (3) User-Name = "maxtest" (3) Calling-Station-Id = "36-D7-B2-E6-FA-80" (3) NAS-IP-Address = 175.210.165.10 (3) NAS-Port = 70 (3) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (3) Service-Type = Framed-User (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Identifier = "80-03-84-B6-D0-CC" (3) Connect-Info = "CONNECT 802.11a/n/ac/ax" (3) EAP-Message = 0x020300061900 (3) State = 0xe9ee35bdebed2c4724969f3f23e5bbf8 (3) Ruckus-SSID = "radius 122" (3) Message-Authenticator = 0xaea672afe929db25c5a766e7f4ea8b27 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) update { (3) EXPAND %{Packet-Src-IP-Address} (3) --> 175.210.165.10 (3) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (3) } # update = noop (3) eap: Peer sent EAP Response (code 2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xe9ee35bdebed2c47 (3) eap: Finished EAP session with state 0xe9ee35bdebed2c47 (3) eap: Previous EAP request found for state 0xe9ee35bdebed2c47, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 4 length 1000 (3) eap: EAP session adding &reply:State = 0xe9ee35bdeaea2c47 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 126 from 10.10.10.244:1812 to 175.210.165.10:58812 length 1064 (3) EAP-Message = 0x010403e81940ccfc3d34bc6cb5d398ad9cb0367cd6312e01c133caf41f4569c759ff56fc28b0d914c96c60f5ed09b57e16d8beff68568db30d224ed90617a475ecda05458f644d3243e1f1db66966a9f82e63e08b4bf67970f975c61dcc475975bc916bff684ca1e22735612e2dfa630d579d4f1d77ee211930958d1b7724f7ec08ad1d5089c55995bbf01a5709af056e072340ecc2418d60f11c836ac0951cccb59b5c5d1d0d68e314a82249649647f60a9250ae6e534022e0498663794a24a5149b3b47450836f6fbf8f71c125a8b3531f0203010001a382013a30820136301d0603551d0e041604147c4402c79caed9cc885c721abae12fcf5e6a07c93081cb0603551d230481c33081c080147c4402c79caed9cc885c721abae12fcf5e6a07c9a18191a4818e30818b310b3009060355040613024b52310e300c06035504080c0553656f756c3114301206035504070c0b4765756d6368656f6e677531153013060355040a0c0c52656d6f6e6e20436f72702e3123 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xe9ee35bdeaea2c4724969f3f23e5bbf8 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 127 from 175.210.165.10:58812 to 10.10.10.244:1812 length 214 (4) User-Name = "maxtest" (4) Calling-Station-Id = "36-D7-B2-E6-FA-80" (4) NAS-IP-Address = 175.210.165.10 (4) NAS-Port = 70 (4) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (4) Service-Type = Framed-User (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Identifier = "80-03-84-B6-D0-CC" (4) Connect-Info = "CONNECT 802.11a/n/ac/ax" (4) EAP-Message = 0x020400061900 (4) State = 0xe9ee35bdeaea2c4724969f3f23e5bbf8 (4) Ruckus-SSID = "radius 122" (4) Message-Authenticator = 0x088c439c217e982b18f92b178a42f40f (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) update { (4) EXPAND %{Packet-Src-IP-Address} (4) --> 175.210.165.10 (4) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (4) } # update = noop (4) eap: Peer sent EAP Response (code 2) ID 4 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xe9ee35bdeaea2c47 (4) eap: Finished EAP session with state 0xe9ee35bdeaea2c47 (4) eap: Previous EAP request found for state 0xe9ee35bdeaea2c47, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 5 length 385 (4) eap: EAP session adding &reply:State = 0xe9ee35bdedeb2c47 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 127 from 10.10.10.244:1812 to 175.210.165.10:58812 length 445 (4) EAP-Message = 0x0105018119007ab009cc2f82047edd6bc5f8bce07f735d00a6f5a247bec4bae5f4bff95f3f58eb421dc6b46685f212f223768a12fa490ac20dc34526036bc7bf94f8d7b24d8dba118d35396d86c7461f97fc322d5ff7e2664cc6fa653ff868d67989be48fe38f03acfd1821e665d4d5f286ad53ee0f3ddecdc0e4afa6a7ab38a7605ef402ca16ae484b382c450fc904719e1039370c26a4370a4db9d84b7e444118c8f41b3b929375a028d18b15c8bd5c8c83036674699b3ba26a695a0853d7a1e329db6d77990d01d617602eb36d67316f4e5281a63849efc018610878ad336aa5ef11bf54bfde650818a0385e2c7ceee09d0e9b957b6e44478bbd52762206bba9ad126343dab03952d419abba4ccab6777582bd316fd93c59c23fb8ab2fdd2458aa162240a6a7d13a6ec9d83c67a3751bf76eece7dbe8d80e973e003580f01d26b0058f3a10cd7c172f13ffa09140c70c3d565d6e44fb4f75aa7878c167d7b8bea6acbed278c899daef5f30612e4724bb91d3e3ba491 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe9ee35bdedeb2c4724969f3f23e5bbf8 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 128 from 175.210.165.10:58812 to 10.10.10.244:1812 length 311 (5) User-Name = "maxtest" (5) Calling-Station-Id = "36-D7-B2-E6-FA-80" (5) NAS-IP-Address = 175.210.165.10 (5) NAS-Port = 70 (5) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (5) Service-Type = Framed-User (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Identifier = "80-03-84-B6-D0-CC" (5) Connect-Info = "CONNECT 802.11a/n/ac/ax" (5) EAP-Message = 0x0205006719800000005d16030300251000002120a37aa82754f3a510d9b591316fea831b8696c7b6bea7e22dbcca4e43e79c482314030300010116030300280000000000000000035649145112eae371253c5b12af493b3bff2f2cdcbaff3359bd8f4bf65a48f8 (5) State = 0xe9ee35bdedeb2c4724969f3f23e5bbf8 (5) Ruckus-SSID = "radius 122" (5) Message-Authenticator = 0xdff61e1b111c15e93373974754818b58 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) update { (5) EXPAND %{Packet-Src-IP-Address} (5) --> 175.210.165.10 (5) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (5) } # update = noop (5) eap: Peer sent EAP Response (code 2) ID 5 length 103 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe9ee35bdedeb2c47 (5) eap: Finished EAP session with state 0xe9ee35bdedeb2c47 (5) eap: Previous EAP request found for state 0xe9ee35bdedeb2c47, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) EAP Peer says that the final record size will be 93 bytes (5) eap_peap: (TLS) EAP Got all data (93 bytes) (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished (5) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_peap: (TLS) send TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (5) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (5) eap_peap: (TLS) Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (5) eap_peap: TLS-Session-Version = "TLS 1.2" (5) eap: Sending EAP Request (code 1) ID 6 length 57 (5) eap: EAP session adding &reply:State = 0xe9ee35bdece82c47 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 128 from 10.10.10.244:1812 to 175.210.165.10:58812 length 115 (5) EAP-Message = 0x01060039190014030300010116030300285290e8c0f157684af3d9a69252b6d7cf4a3f0df22b82c75fd27385fade3f58e2c4ae76df3c4afd6a (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xe9ee35bdece82c4724969f3f23e5bbf8 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 129 from 175.210.165.10:58812 to 10.10.10.244:1812 length 214 (6) User-Name = "maxtest" (6) Calling-Station-Id = "36-D7-B2-E6-FA-80" (6) NAS-IP-Address = 175.210.165.10 (6) NAS-Port = 70 (6) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (6) Service-Type = Framed-User (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Identifier = "80-03-84-B6-D0-CC" (6) Connect-Info = "CONNECT 802.11a/n/ac/ax" (6) EAP-Message = 0x020600061900 (6) State = 0xe9ee35bdece82c4724969f3f23e5bbf8 (6) Ruckus-SSID = "radius 122" (6) Message-Authenticator = 0xf5e0141eb1e4c29513685b827e383d0e (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) update { (6) EXPAND %{Packet-Src-IP-Address} (6) --> 175.210.165.10 (6) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (6) } # update = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xe9ee35bdece82c47 (6) eap: Finished EAP session with state 0xe9ee35bdece82c47 (6) eap: Previous EAP request found for state 0xe9ee35bdece82c47, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 7 length 40 (6) eap: EAP session adding &reply:State = 0xe9ee35bdefe92c47 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 129 from 10.10.10.244:1812 to 175.210.165.10:58812 length 98 (6) EAP-Message = 0x010700281900170303001d5290e8c0f157684b6c2f43c8330fec371ce68d3fb0f73b851fea9017d1 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xe9ee35bdefe92c4724969f3f23e5bbf8 (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 130 from 175.210.165.10:58812 to 10.10.10.244:1812 length 251 (7) User-Name = "maxtest" (7) Calling-Station-Id = "36-D7-B2-E6-FA-80" (7) NAS-IP-Address = 175.210.165.10 (7) NAS-Port = 70 (7) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (7) Service-Type = Framed-User (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Identifier = "80-03-84-B6-D0-CC" (7) Connect-Info = "CONNECT 802.11a/n/ac/ax" (7) EAP-Message = 0x0207002b190017030300200000000000000001457892eb08520bdb2f0f9cd353de0561046f1c4a0adeccf4 (7) State = 0xe9ee35bdefe92c4724969f3f23e5bbf8 (7) Ruckus-SSID = "radius 122" (7) Message-Authenticator = 0x7896ecf53384ed69b7a774afe45f1f88 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) update { (7) EXPAND %{Packet-Src-IP-Address} (7) --> 175.210.165.10 (7) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (7) } # update = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 43 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xe9ee35bdefe92c47 (7) eap: Finished EAP session with state 0xe9ee35bdefe92c47 (7) eap: Previous EAP request found for state 0xe9ee35bdefe92c47, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) EAP Done initial handshake (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - maxtest (7) eap_peap: Got inner identity 'maxtest' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0207000c016d617874657374 (7) eap_peap: Setting User-Name to maxtest (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0207000c016d617874657374 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "maxtest" (7) eap_peap: Calling-Station-Id = "36-D7-B2-E6-FA-80" (7) eap_peap: NAS-IP-Address = 175.210.165.10 (7) eap_peap: NAS-Port = 70 (7) eap_peap: Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (7) eap_peap: Service-Type = Framed-User (7) eap_peap: Framed-MTU = 1400 (7) eap_peap: NAS-Port-Type = Wireless-802.11 (7) eap_peap: NAS-Identifier = "80-03-84-B6-D0-CC" (7) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac/ax" (7) eap_peap: Ruckus-SSID = "radius 122" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0207000c016d617874657374 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "maxtest" (7) Calling-Station-Id = "36-D7-B2-E6-FA-80" (7) NAS-IP-Address = 175.210.165.10 (7) NAS-Port = 70 (7) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (7) Service-Type = Framed-User (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Identifier = "80-03-84-B6-D0-CC" (7) Connect-Info = "CONNECT 802.11a/n/ac/ax" (7) Ruckus-SSID = "radius 122" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update control { (7) MS-CHAP-Use-NTLM-Auth := No (7) } # update control = noop (7) inner-eap: Peer sent EAP Response (code 2) ID 7 length 12 (7) inner-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [inner-eap] = ok (7) } # authorize = ok (7) Found Auth-Type = inner-eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) inner-eap: Peer sent packet with method EAP Identity (1) (7) inner-eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) inner-eap: Sending EAP Request (code 1) ID 8 length 43 (7) inner-eap: EAP session adding &reply:State = 0xbd5639b8bd5e2319 (7) [inner-eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0108002b1a01080026100076da58077d6ab5ad7b0006d56842df667265657261646975732d332e302e3236 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xbd5639b8bd5e2319a409320f2fa8aa30 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x0108002b1a01080026100076da58077d6ab5ad7b0006d56842df667265657261646975732d332e302e3236 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xbd5639b8bd5e2319a409320f2fa8aa30 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x0108002b1a01080026100076da58077d6ab5ad7b0006d56842df667265657261646975732d332e302e3236 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xbd5639b8bd5e2319a409320f2fa8aa30 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 8 length 74 (7) eap: EAP session adding &reply:State = 0xe9ee35bdeee62c47 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 130 from 10.10.10.244:1812 to 175.210.165.10:58812 length 132 (7) EAP-Message = 0x0108004a1900170303003f5290e8c0f157684c4a7ff8c090644026536cf43b19f450ecb9ff15cac7fed24da204bb55c5e7f6a0fbefe4c9b5c1d0926c7410f9ec3cfde52bbda921ffd4b2 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xe9ee35bdeee62c4724969f3f23e5bbf8 (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 131 from 175.210.165.10:58812 to 10.10.10.244:1812 length 305 (8) User-Name = "maxtest" (8) Calling-Station-Id = "36-D7-B2-E6-FA-80" (8) NAS-IP-Address = 175.210.165.10 (8) NAS-Port = 70 (8) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (8) Service-Type = Framed-User (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Identifier = "80-03-84-B6-D0-CC" (8) Connect-Info = "CONNECT 802.11a/n/ac/ax" (8) EAP-Message = 0x020800611900170303005600000000000000029ee99cc794c6d78d75324f1882a9679ee99e2e85b17a28b03b8cf5d4e4e3bd5d33c2222d69d0fef714faaab622e59d990bb5a9e9c4b2ade34203f8cc65612d4a2a67d3ea5e7fd05a02d48d6c0660 (8) State = 0xe9ee35bdeee62c4724969f3f23e5bbf8 (8) Ruckus-SSID = "radius 122" (8) Message-Authenticator = 0xb12259c3a791c097d20cad0005e88e77 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) update { (8) EXPAND %{Packet-Src-IP-Address} (8) --> 175.210.165.10 (8) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (8) } # update = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 97 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xe9ee35bdeee62c47 (8) eap: Finished EAP session with state 0xe9ee35bdeee62c47 (8) eap: Previous EAP request found for state 0xe9ee35bdeee62c47, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020800421a0208003d318512314bf596c78b3371fdcf42de822a000000000000000082cf20b5df37ed30fcdd0b29d19d76a2bbc2b0536639a7a2006d617874657374 (8) eap_peap: Setting User-Name to maxtest (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020800421a0208003d318512314bf596c78b3371fdcf42de822a000000000000000082cf20b5df37ed30fcdd0b29d19d76a2bbc2b0536639a7a2006d617874657374 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "maxtest" (8) eap_peap: State = 0xbd5639b8bd5e2319a409320f2fa8aa30 (8) eap_peap: Calling-Station-Id = "36-D7-B2-E6-FA-80" (8) eap_peap: NAS-IP-Address = 175.210.165.10 (8) eap_peap: NAS-Port = 70 (8) eap_peap: Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: NAS-Identifier = "80-03-84-B6-D0-CC" (8) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac/ax" (8) eap_peap: Ruckus-SSID = "radius 122" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020800421a0208003d318512314bf596c78b3371fdcf42de822a000000000000000082cf20b5df37ed30fcdd0b29d19d76a2bbc2b0536639a7a2006d617874657374 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "maxtest" (8) State = 0xbd5639b8bd5e2319a409320f2fa8aa30 (8) Calling-Station-Id = "36-D7-B2-E6-FA-80" (8) NAS-IP-Address = 175.210.165.10 (8) NAS-Port = 70 (8) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (8) Service-Type = Framed-User (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Identifier = "80-03-84-B6-D0-CC" (8) Connect-Info = "CONNECT 802.11a/n/ac/ax" (8) Ruckus-SSID = "radius 122" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update control { (8) MS-CHAP-Use-NTLM-Auth := No (8) } # update control = noop (8) inner-eap: Peer sent EAP Response (code 2) ID 8 length 66 (8) inner-eap: No EAP Start, assuming it's an on-going EAP conversation (8) [inner-eap] = updated (8) if (!&outer.session-state:Done-Rest) { (8) if (!&outer.session-state:Done-Rest) -> TRUE (8) if (!&outer.session-state:Done-Rest) { rlm_rest (rest): Reserved connection (0) (8) rest: Expanding URI components (8) rest: EXPAND http://220.79.39.2:9012 (8) rest: --> http://220.79.39.2:9012 (8) rest: EXPAND /auth/user/%{User-Name} (8) rest: --> /auth/user/maxtest (8) rest: Sending HTTP POST to "http://220.79.39.2:9012/auth/user/maxtest" (8) rest: Encoding attribute "User-Name" (8) rest: Encoding attribute "NAS-IP-Address" (8) rest: Encoding attribute "NAS-Port" (8) rest: Encoding attribute "Service-Type" (8) rest: Encoding attribute "Framed-MTU" (8) rest: Encoding attribute "State" (8) rest: Encoding attribute "Called-Station-Id" (8) rest: Encoding attribute "Calling-Station-Id" (8) rest: Encoding attribute "NAS-Identifier" (8) rest: Encoding attribute "NAS-Port-Type" (8) rest: Encoding attribute "Connect-Info" (8) rest: Encoding attribute "EAP-Message" (8) rest: Encoding attribute "FreeRADIUS-Proxied-To" (8) rest: Encoding attribute "Ruckus-SSID" (8) rest: Encoding attribute "EAP-Type" (8) rest: Returning 1018 bytes of JSON data (buffer full or chunk exceeded) (8) rest: Processing response header (8) rest: Status : 401 () (8) rest: Type : json (application/json) (8) rest: Adding reply:REST-HTTP-Status-Code = "401" (8) rest: Parsing attribute "request:Module-Failure-Message" (8) rest: EXPAND rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID) (8) rest: --> rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID) (8) rest: Module-Failure-Message := "rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID)" (8) rest: Parsing attribute "request:Decide-SSID" (8) rest: EXPAND radius 122 (8) rest: --> radius 122 (8) rest: Decide-SSID := "radius 122" rlm_rest (rest): Released connection (0) Need more connections to reach 10 spares rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (rest): Connecting to "http://220.79.39.2:9012" (8) [rest] = reject (8) } # if (!&outer.session-state:Done-Rest) = reject (8) } # authorize = reject (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID)' (8) &Decide-SSID := &request:Decide-SSID -> 'radius 122' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) REST-HTTP-Status-Code := 401 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: REST-HTTP-Status-Code := 401 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: REST-HTTP-Status-Code := 401 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 9 length 46 (8) eap: EAP session adding &reply:State = 0xe9ee35bde1e72c47 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) TLS-Session-Version = "TLS 1.2" (8) Module-Failure-Message := "rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID)" (8) Decide-SSID := "radius 122" (8) Sent Access-Challenge Id 131 from 10.10.10.244:1812 to 175.210.165.10:58812 length 104 (8) EAP-Message = 0x0109002e190017030300235290e8c0f157684dd641a2f7b054f38f9b4bd54c391520973f218d63a24a015fe89216 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xe9ee35bde1e72c4724969f3f23e5bbf8 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 132 from 175.210.165.10:58812 to 10.10.10.244:1812 length 254 (9) User-Name = "maxtest" (9) Calling-Station-Id = "36-D7-B2-E6-FA-80" (9) NAS-IP-Address = 175.210.165.10 (9) NAS-Port = 70 (9) Called-Station-Id = "80-03-84-B6-D0-CC:radius 122" (9) Service-Type = Framed-User (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) NAS-Identifier = "80-03-84-B6-D0-CC" (9) Connect-Info = "CONNECT 802.11a/n/ac/ax" (9) EAP-Message = 0x0209002e19001703030023000000000000000379d9811e080749f7bcaf72336546ca9088de34bd80700f45219b4c (9) State = 0xe9ee35bde1e72c4724969f3f23e5bbf8 (9) Ruckus-SSID = "radius 122" (9) Message-Authenticator = 0x0016110877745695ed87613b85650aaf (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) &session-state:Module-Failure-Message := "rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID)" (9) &session-state:Decide-SSID := "radius 122" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) update { (9) EXPAND %{Packet-Src-IP-Address} (9) --> 175.210.165.10 (9) &FreeRADIUS-Client-IP-Address := 175.210.165.10 (9) } # update = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe9ee35bde1e72c47 (9) eap: Finished EAP session with state 0xe9ee35bde1e72c47 (9) eap: Previous EAP request found for state 0xe9ee35bde1e72c47, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 9 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) update { (9) EXPAND %{reply:Packet-Type} (9) --> Access-Reject (9) &Packet-Type := Access-Reject (9) &Decide-SSID := &session-state:Decide-SSID -> 'radius 122' (9) } # update = noop (9) if (session-state:Module-Failure-Message) { (9) if (session-state:Module-Failure-Message) -> TRUE (9) if (session-state:Module-Failure-Message) { (9) update { (9) &Module-Failure-Message := &session-state:Module-Failure-Message -> 'rest: SSID 인증 실패 (CODE: FORBIDDEN_BY_SSID)' (9) } # update = noop (9) } # if (session-state:Module-Failure-Message) = noop (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> maxtest (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated rlm_rest (rest): Reserved connection (1) (9) rest: Expanding URI components (9) rest: EXPAND http://220.79.39.2:9012 (9) rest: --> http://220.79.39.2:9012 (9) rest: EXPAND /post-auth/user/%{User-Name} (9) rest: --> /post-auth/user/maxtest (9) rest: Sending HTTP POST to " http://220.79.39.2:9012/post-auth/user/maxtest" (9) rest: Encoding attribute "User-Name" (9) rest: Encoding attribute "NAS-IP-Address" (9) rest: Encoding attribute "NAS-Port" (9) rest: Encoding attribute "Service-Type" (9) rest: Encoding attribute "Framed-MTU" (9) rest: Encoding attribute "State" (9) rest: Encoding attribute "Called-Station-Id" (9) rest: Encoding attribute "Calling-Station-Id" (9) rest: Encoding attribute "NAS-Identifier" (9) rest: Encoding attribute "NAS-Port-Type" (9) rest: Encoding attribute "Connect-Info" (9) rest: Encoding attribute "EAP-Message" (9) rest: Encoding attribute "Message-Authenticator" (9) rest: Encoding attribute "Ruckus-SSID" (9) rest: Encoding attribute "EAP-Type" (9) rest: Encoding attribute "Packet-Type" (9) rest: Encoding attribute "Module-Failure-Message" (9) rest: Encoding attribute "FreeRADIUS-Client-IP-Address" (9) rest: Encoding attribute "Decide-SSID" (9) rest: Processing response header (9) rest: Status : 204 () (9) rest: Adding reply:REST-HTTP-Status-Code = "204" rlm_rest (rest): Released connection (1) (9) [rest] = ok (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 132 from 10.10.10.244:1812 to 175.210.165.10:58812 length 44 (9) EAP-Message = 0x04090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 123 with timestamp +2 due to cleanup_delay was reached (1) Cleaning up request packet ID 124 with timestamp +2 due to cleanup_delay was reached (2) Cleaning up request packet ID 125 with timestamp +2 due to cleanup_delay was reached (3) Cleaning up request packet ID 126 with timestamp +2 due to cleanup_delay was reached (4) Cleaning up request packet ID 127 with timestamp +2 due to cleanup_delay was reached (5) Cleaning up request packet ID 128 with timestamp +2 due to cleanup_delay was reached (6) Cleaning up request packet ID 129 with timestamp +2 due to cleanup_delay was reached (7) Cleaning up request packet ID 130 with timestamp +2 due to cleanup_delay was reached (8) Cleaning up request packet ID 131 with timestamp +2 due to cleanup_delay was reached (9) Cleaning up request packet ID 132 with timestamp +2 due to cleanup_delay was reached Ready to process requests The debug content above is the debug content for “a situation in which I did not write a Data field.” (9) &Module-Failure-Message := &session-state:Module-Failure-Message -> 'rest: SSID authentication failed (CODE: FORBIDDEN_BY_SSID)' With this part, (9) rest: Encoding attribute "Module-Failure-Message" This part is key. Korean is displayed correctly in the log. However, the REST module is called after going through the Encoding attribute, and then a broken string arrives at my REST server. I am guessing that this part is converted to ISO-8859-1 encoding. This is because if you decompose this broken string into ISO-8859-1 byte format and then assemble it into UTF-8 format, the correct string will appear. If I specify "Module-Failure-Message" directly in the Data item of the Rest module, the "Encoding attribute" is not visible. And my Rest server also receives it correctly. This is a problem that only occurs when “Encoding attribute” is enabled. [image: image.png]