Hi Matthew Sorry about that. I did re-configure the linelog file (/etc/freeradius/3.0/mods-available/linelog) like this: linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}" sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" #Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] SID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" } } And somehow (I really don't know why), it seems to work know: (11) Received Access-Request Id 55 from 130.92.42.20:56958 to 130.92.10.33:1812 length 443 (11) User-Name = "dominic.stalder@unibe.ch" (11) Service-Type = Framed-User (11) Cisco-AVPair = "service-type=Framed" (11) Framed-MTU = 1485 (11) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (11) Message-Authenticator = 0x694ebad2a4029567ecc08fd124414d26 (11) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (11) Cisco-AVPair = "method=dot1x" (11) Cisco-AVPair = "client-iif-id=2500003624" (11) Cisco-AVPair = "vlan-id=1876" (11) NAS-IP-Address = 130.92.42.20 (11) NAS-Port-Id = "capwap_9180059e" (11) NAS-Port-Type = Wireless-802.11 (11) NAS-Port = 4219 (11) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (11) Cisco-AVPair = "wlan-profile-name=eduroamV2" (11) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (11) Calling-Station-Id = "6a-05-bd-e0-f2-80" (11) Airespace-Wlan-Id = 98 (11) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11) authorize { (11) policy rewrite_called_station_id { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 3C-51-0E-72-2A-00 (11) &Called-Station-Id := 3C-51-0E-72-2A-00 (11) } # update request = noop (11) if ("%{8}") { (11) EXPAND %{8} (11) --> eduroam (11) if ("%{8}") -> TRUE (11) if ("%{8}") { (11) update request { (11) EXPAND %{8} (11) --> eduroam (11) &Called-Station-SSID := eduroam (11) } # update request = noop (11) } # if ("%{8}") = noop (11) [updated] = updated (11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_called_station_id = updated (11) policy rewrite_calling_station_id { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 6A-05-BD-E0-F2-80 (11) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (11) } # update request = noop (11) [updated] = updated (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_calling_station_id = updated (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = updated (11) } # policy filter_username = updated (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (11) suffix: Found realm "UNIBE.CH" (11) suffix: Adding Stripped-User-Name = "dominic.stalder" (11) suffix: Adding Realm = "UNIBE.CH" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) update request { (11) EXPAND %{toupper:%{Realm}} (11) --> UNIBE.CH (11) Realm := UNIBE.CH (11) } # update request = noop (11) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) policy deny_no_realm { (11) if (User-Name && (User-Name !~ /@/)) { (11) if (User-Name && (User-Name !~ /@/)) -> FALSE (11) } # policy deny_no_realm = updated (11) switch &control:Called-Station-SSID { (11) } # switch &control:Called-Station-SSID = updated (11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (11) eap: Peer sent EAP Response (code 2) ID 1 length 29 (11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) Auth-Type eap { (11) eap: Peer sent packet with method EAP Identity (1) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) Initiating new session (11) eap: Sending EAP Request (code 1) ID 2 length 6 (11) eap: EAP session adding &reply:State = 0x1de92fd31deb361c (11) [eap] = handled (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) EXPAND Response-Packet-Type (11) --> Access-Challenge (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) attr_filter.access_challenge: EXPAND %{User-Name} (11) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (11) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (11) [attr_filter.access_challenge.post-auth] = updated (11) [handled] = handled (11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (11) } # Auth-Type eap = handled (11) Using Post-Auth-Type Challenge (11) Post-Auth-Type sub-section not found. Ignoring. (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) session-state: Saving cached attributes (11) Framed-MTU = 1014 (11) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.20:56958 length 64 (11) EAP-Message = 0x010200061920 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x1de92fd31deb361c7d7fc55a3903ba57 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 63 from 130.92.42.20:56958 to 130.92.10.33:1812 length 593 (12) User-Name = "dominic.stalder@unibe.ch" (12) Service-Type = Framed-User (12) Cisco-AVPair = "service-type=Framed" (12) Framed-MTU = 1485 (12) EAP-Message = 0x020200a119800000009716030100920100008e0303661faab7c8f9e6c7d0b52b2ff41e68b74cec609bc8e752d9be7ef0bbfdb3d86600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (12) Message-Authenticator = 0xc7079924fb998ffe2063c4354d944773 (12) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (12) Cisco-AVPair = "method=dot1x" (12) Cisco-AVPair = "client-iif-id=2500003624" (12) Cisco-AVPair = "vlan-id=1876" (12) NAS-IP-Address = 130.92.42.20 (12) NAS-Port-Id = "capwap_9180059e" (12) NAS-Port-Type = Wireless-802.11 (12) NAS-Port = 4219 (12) State = 0x1de92fd31deb361c7d7fc55a3903ba57 (12) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (12) Cisco-AVPair = "wlan-profile-name=eduroamV2" (12) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (12) Calling-Station-Id = "6a-05-bd-e0-f2-80" (12) Airespace-Wlan-Id = 98 (12) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (12) Restoring &session-state (12) &session-state:Framed-MTU = 1014 (12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (12) authorize { (12) policy rewrite_called_station_id { (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12) update request { (12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (12) --> 3C-51-0E-72-2A-00 (12) &Called-Station-Id := 3C-51-0E-72-2A-00 (12) } # update request = noop (12) if ("%{8}") { (12) EXPAND %{8} (12) --> eduroam (12) if ("%{8}") -> TRUE (12) if ("%{8}") { (12) update request { (12) EXPAND %{8} (12) --> eduroam (12) &Called-Station-SSID := eduroam (12) } # update request = noop (12) } # if ("%{8}") = noop (12) [updated] = updated (12) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (12) ... skipping else: Preceding "if" was taken (12) } # policy rewrite_called_station_id = updated (12) policy rewrite_calling_station_id { (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12) update request { (12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (12) --> 6A-05-BD-E0-F2-80 (12) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (12) } # update request = noop (12) [updated] = updated (12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (12) ... skipping else: Preceding "if" was taken (12) } # policy rewrite_calling_station_id = updated (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = updated (12) } # policy filter_username = updated (12) suffix: Checking for suffix after "@" (12) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (12) suffix: Found realm "UNIBE.CH" (12) suffix: Adding Stripped-User-Name = "dominic.stalder" (12) suffix: Adding Realm = "UNIBE.CH" (12) suffix: Authentication realm is LOCAL (12) [suffix] = ok (12) update request { (12) EXPAND %{toupper:%{Realm}} (12) --> UNIBE.CH (12) Realm := UNIBE.CH (12) } # update request = noop (12) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (12) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (12) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (12) policy deny_no_realm { (12) if (User-Name && (User-Name !~ /@/)) { (12) if (User-Name && (User-Name !~ /@/)) -> FALSE (12) } # policy deny_no_realm = updated (12) switch &control:Called-Station-SSID { (12) } # switch &control:Called-Station-SSID = updated (12) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (12) eap: Peer sent EAP Response (code 2) ID 2 length 161 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) Auth-Type eap { (12) eap: Expiring EAP session with state 0x1de92fd31deb361c (12) eap: Finished EAP session with state 0x1de92fd31deb361c (12) eap: Previous EAP request found for state 0x1de92fd31deb361c, released from the list (12) eap: Peer sent packet with method EAP PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (12) eap_peap: (TLS) EAP Got all data (151 bytes) (12) eap_peap: (TLS) Handshake state - before SSL initialization (12) eap_peap: (TLS) Handshake state - Server before SSL initialization (12) eap_peap: (TLS) Handshake state - Server before SSL initialization (12) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello (12) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (12) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done (12) eap_peap: (TLS) In Handshake Phase (12) eap: Sending EAP Request (code 1) ID 3 length 1024 (12) eap: EAP session adding &reply:State = 0x1de92fd31cea361c (12) [eap] = handled (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) EXPAND Response-Packet-Type (12) --> Access-Challenge (12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) attr_filter.access_challenge: EXPAND %{User-Name} (12) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (12) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (12) [attr_filter.access_challenge.post-auth] = updated (12) [handled] = handled (12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (12) } # Auth-Type eap = handled (12) Using Post-Auth-Type Challenge (12) Post-Auth-Type sub-section not found. Ignoring. (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) session-state: Saving cached attributes (12) Framed-MTU = 1014 (12) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (12) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1090 (12) EAP-Message = 0x0103040019c000000e28160303003d0200003903039593c2bffb75e41c6f75008fc939ee87ad9af380f3c4f4a2444f574e4752440100c030000011ff01000100000b000403000102001700001603030c860b000c82000c7f0006f0308206ec308205d4a003020102021003b3054211bcb9b12dfd56f8887e7bb5300d06092a864886f70d01010b0500305c310b300906035504061302555331163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f742043412032301e170d3233313130393030303030305a170d3234313130383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x1de92fd31cea361c7d7fc55a3903ba57 (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 71 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (13) User-Name = "dominic.stalder@unibe.ch" (13) Service-Type = Framed-User (13) Cisco-AVPair = "service-type=Framed" (13) Framed-MTU = 1485 (13) EAP-Message = 0x020300061900 (13) Message-Authenticator = 0x1ad7104e34710165cee7e703a1e285aa (13) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (13) Cisco-AVPair = "method=dot1x" (13) Cisco-AVPair = "client-iif-id=2500003624" (13) Cisco-AVPair = "vlan-id=1876" (13) NAS-IP-Address = 130.92.42.20 (13) NAS-Port-Id = "capwap_9180059e" (13) NAS-Port-Type = Wireless-802.11 (13) NAS-Port = 4219 (13) State = 0x1de92fd31cea361c7d7fc55a3903ba57 (13) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (13) Cisco-AVPair = "wlan-profile-name=eduroamV2" (13) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (13) Calling-Station-Id = "6a-05-bd-e0-f2-80" (13) Airespace-Wlan-Id = 98 (13) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (13) Restoring &session-state (13) &session-state:Framed-MTU = 1014 (13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) policy rewrite_called_station_id { (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (13) update request { (13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (13) --> 3C-51-0E-72-2A-00 (13) &Called-Station-Id := 3C-51-0E-72-2A-00 (13) } # update request = noop (13) if ("%{8}") { (13) EXPAND %{8} (13) --> eduroam (13) if ("%{8}") -> TRUE (13) if ("%{8}") { (13) update request { (13) EXPAND %{8} (13) --> eduroam (13) &Called-Station-SSID := eduroam (13) } # update request = noop (13) } # if ("%{8}") = noop (13) [updated] = updated (13) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (13) ... skipping else: Preceding "if" was taken (13) } # policy rewrite_called_station_id = updated (13) policy rewrite_calling_station_id { (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (13) update request { (13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (13) --> 6A-05-BD-E0-F2-80 (13) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (13) } # update request = noop (13) [updated] = updated (13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (13) ... skipping else: Preceding "if" was taken (13) } # policy rewrite_calling_station_id = updated (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = updated (13) } # policy filter_username = updated (13) suffix: Checking for suffix after "@" (13) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (13) suffix: Found realm "UNIBE.CH" (13) suffix: Adding Stripped-User-Name = "dominic.stalder" (13) suffix: Adding Realm = "UNIBE.CH" (13) suffix: Authentication realm is LOCAL (13) [suffix] = ok (13) update request { (13) EXPAND %{toupper:%{Realm}} (13) --> UNIBE.CH (13) Realm := UNIBE.CH (13) } # update request = noop (13) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (13) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (13) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (13) policy deny_no_realm { (13) if (User-Name && (User-Name !~ /@/)) { (13) if (User-Name && (User-Name !~ /@/)) -> FALSE (13) } # policy deny_no_realm = updated (13) switch &control:Called-Station-SSID { (13) } # switch &control:Called-Station-SSID = updated (13) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (13) eap: Peer sent EAP Response (code 2) ID 3 length 6 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) Auth-Type eap { (13) eap: Expiring EAP session with state 0x1de92fd31cea361c (13) eap: Finished EAP session with state 0x1de92fd31cea361c (13) eap: Previous EAP request found for state 0x1de92fd31cea361c, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: (TLS) Peer ACKed our handshake fragment (13) eap: Sending EAP Request (code 1) ID 4 length 1020 (13) eap: EAP session adding &reply:State = 0x1de92fd31fed361c (13) [eap] = handled (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) EXPAND Response-Packet-Type (13) --> Access-Challenge (13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) attr_filter.access_challenge: EXPAND %{User-Name} (13) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (13) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (13) [attr_filter.access_challenge.post-auth] = updated (13) [handled] = handled (13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (13) } # Auth-Type eap = handled (13) Using Post-Auth-Type Challenge (13) Post-Auth-Type sub-section not found. Ignoring. (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) session-state: Saving cached attributes (13) Framed-MTU = 1014 (13) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (13) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086 (13) EAP-Message = 0x010403fc194061646973544c5349434151756f5661646973526f6f744341322e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727451756f5661646973544c5349434151756f5661646973526f6f744341322e637274300c0603551d130101ff040230003082017e060a2b06010401d6790204020482016e0482016a0168007700eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b0000018bb41da9d8000004030048304602210096f259c2ee2c8db6a8f0ffc4dd56ae730dad06cdd15a9bdad058f1eb74fcebed022100ec4750255a870fbb409ab15ff79aca8e3ca0bb1b214f94dab4ef9687a1e82fb900760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d884730000018bb41d (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x1de92fd31fed361c7d7fc55a3903ba57 (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 79 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (14) User-Name = "dominic.stalder@unibe.ch" (14) Service-Type = Framed-User (14) Cisco-AVPair = "service-type=Framed" (14) Framed-MTU = 1485 (14) EAP-Message = 0x020400061900 (14) Message-Authenticator = 0xf31f29575e431c5f2f8a42e9fd12c70a (14) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (14) Cisco-AVPair = "method=dot1x" (14) Cisco-AVPair = "client-iif-id=2500003624" (14) Cisco-AVPair = "vlan-id=1876" (14) NAS-IP-Address = 130.92.42.20 (14) NAS-Port-Id = "capwap_9180059e" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 4219 (14) State = 0x1de92fd31fed361c7d7fc55a3903ba57 (14) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (14) Cisco-AVPair = "wlan-profile-name=eduroamV2" (14) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (14) Calling-Station-Id = "6a-05-bd-e0-f2-80" (14) Airespace-Wlan-Id = 98 (14) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (14) Restoring &session-state (14) &session-state:Framed-MTU = 1014 (14) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy rewrite_called_station_id { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 3C-51-0E-72-2A-00 (14) &Called-Station-Id := 3C-51-0E-72-2A-00 (14) } # update request = noop (14) if ("%{8}") { (14) EXPAND %{8} (14) --> eduroam (14) if ("%{8}") -> TRUE (14) if ("%{8}") { (14) update request { (14) EXPAND %{8} (14) --> eduroam (14) &Called-Station-SSID := eduroam (14) } # update request = noop (14) } # if ("%{8}") = noop (14) [updated] = updated (14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_called_station_id = updated (14) policy rewrite_calling_station_id { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 6A-05-BD-E0-F2-80 (14) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (14) } # update request = noop (14) [updated] = updated (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_calling_station_id = updated (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = updated (14) } # policy filter_username = updated (14) suffix: Checking for suffix after "@" (14) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (14) suffix: Found realm "UNIBE.CH" (14) suffix: Adding Stripped-User-Name = "dominic.stalder" (14) suffix: Adding Realm = "UNIBE.CH" (14) suffix: Authentication realm is LOCAL (14) [suffix] = ok (14) update request { (14) EXPAND %{toupper:%{Realm}} (14) --> UNIBE.CH (14) Realm := UNIBE.CH (14) } # update request = noop (14) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) policy deny_no_realm { (14) if (User-Name && (User-Name !~ /@/)) { (14) if (User-Name && (User-Name !~ /@/)) -> FALSE (14) } # policy deny_no_realm = updated (14) switch &control:Called-Station-SSID { (14) } # switch &control:Called-Station-SSID = updated (14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (14) eap: Peer sent EAP Response (code 2) ID 4 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Auth-Type eap { (14) eap: Expiring EAP session with state 0x1de92fd31fed361c (14) eap: Finished EAP session with state 0x1de92fd31fed361c (14) eap: Previous EAP request found for state 0x1de92fd31fed361c, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: (TLS) Peer ACKed our handshake fragment (14) eap: Sending EAP Request (code 1) ID 5 length 1020 (14) eap: EAP session adding &reply:State = 0x1de92fd31eec361c (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) session-state: Saving cached attributes (14) Framed-MTU = 1014 (14) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (14) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086 (14) EAP-Message = 0x010503fc194031163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100c0276cfa8594d3ff27e084f9510e22adc882540fd8f499b54cbcc5b972f391772e189d184b507780746820ef2412d8cf26c4fd40b80087714fa2b7372e50b230e6fd4d52159fd7f6a740204fbc6b2b9ef3cfaaca04c0aacff4cc0782710db7d2c3bd4361c67e2bff6d60a99b67ed4d447a1371c375cb8feb080d0f6e136b285ff5eeecd4f4bb743a1c87c6bbb4e3449d3304a8cd0ac8d131252afbdb7942262839da4e8079d268c67c2ecbe68fd34f0bcb8c040f53f7b182deef3e7d4fd6a5c5caa877ee530d3fc5fee7cdd62d6030035d7f46f58d544349a7435d9a7c3352f33be3cec9d7a223c9bb023fbe528fb42146c1685cb8e89996197c9b39f013199902 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x1de92fd31eec361c7d7fc55a3903ba57 (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 87 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (15) User-Name = "dominic.stalder@unibe.ch" (15) Service-Type = Framed-User (15) Cisco-AVPair = "service-type=Framed" (15) Framed-MTU = 1485 (15) EAP-Message = 0x020500061900 (15) Message-Authenticator = 0xf18ed8d8c98adb93b8213140f59a8378 (15) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (15) Cisco-AVPair = "method=dot1x" (15) Cisco-AVPair = "client-iif-id=2500003624" (15) Cisco-AVPair = "vlan-id=1876" (15) NAS-IP-Address = 130.92.42.20 (15) NAS-Port-Id = "capwap_9180059e" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 4219 (15) State = 0x1de92fd31eec361c7d7fc55a3903ba57 (15) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (15) Cisco-AVPair = "wlan-profile-name=eduroamV2" (15) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (15) Calling-Station-Id = "6a-05-bd-e0-f2-80" (15) Airespace-Wlan-Id = 98 (15) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (15) Restoring &session-state (15) &session-state:Framed-MTU = 1014 (15) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15) authorize { (15) policy rewrite_called_station_id { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 3C-51-0E-72-2A-00 (15) &Called-Station-Id := 3C-51-0E-72-2A-00 (15) } # update request = noop (15) if ("%{8}") { (15) EXPAND %{8} (15) --> eduroam (15) if ("%{8}") -> TRUE (15) if ("%{8}") { (15) update request { (15) EXPAND %{8} (15) --> eduroam (15) &Called-Station-SSID := eduroam (15) } # update request = noop (15) } # if ("%{8}") = noop (15) [updated] = updated (15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_called_station_id = updated (15) policy rewrite_calling_station_id { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 6A-05-BD-E0-F2-80 (15) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (15) } # update request = noop (15) [updated] = updated (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_calling_station_id = updated (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = updated (15) } # policy filter_username = updated (15) suffix: Checking for suffix after "@" (15) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (15) suffix: Found realm "UNIBE.CH" (15) suffix: Adding Stripped-User-Name = "dominic.stalder" (15) suffix: Adding Realm = "UNIBE.CH" (15) suffix: Authentication realm is LOCAL (15) [suffix] = ok (15) update request { (15) EXPAND %{toupper:%{Realm}} (15) --> UNIBE.CH (15) Realm := UNIBE.CH (15) } # update request = noop (15) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) policy deny_no_realm { (15) if (User-Name && (User-Name !~ /@/)) { (15) if (User-Name && (User-Name !~ /@/)) -> FALSE (15) } # policy deny_no_realm = updated (15) switch &control:Called-Station-SSID { (15) } # switch &control:Called-Station-SSID = updated (15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (15) eap: Peer sent EAP Response (code 2) ID 5 length 6 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Auth-Type eap { (15) eap: Expiring EAP session with state 0x1de92fd31eec361c (15) eap: Finished EAP session with state 0x1de92fd31eec361c (15) eap: Previous EAP request found for state 0x1de92fd31eec361c, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: (TLS) Peer ACKed our handshake fragment (15) eap: Sending EAP Request (code 1) ID 6 length 588 (15) eap: EAP session adding &reply:State = 0x1de92fd319ef361c (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) session-state: Saving cached attributes (15) Framed-MTU = 1014 (15) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (15) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.20:56958 length 650 (15) EAP-Message = 0x0106024c190092dd4a3f6f4a476dce8054dcc67a57c7efffd02a530da7129206cf2d59743367135e3238837f3915851242955fc5b8517786f16d34b6872189b4e3e01005c5f9436cb4341721ddd33be24eaa920f8bd7f3f06b48f9c1de57460ad46f66e46a65c749cf786d0afadbc0812eae6da881a6a3e7dbc8aac3d8f3443ae4f1614e4c9f4f80f9c26e35d5d67994f3f07db48ec18f369b282e7b0d9178f3ca6dc74bd4f9d0b11385dbe0add5465a8a07ebdd590a7145f7d9deb1436636202d59496850bfdf3427f97f2b0989a6eec0f8d7444ce5e69cd0b5460ae57efc0e259c16227376bc8774a255010d721f9ec9160303014d0c0001490300174104e24dea9bac02fa89350a2a9907808663b23db0dcffb0c3942c4e3e768589e14a53ad8a938b48a08546b6adcc29bfa64a726170e0b8b2c2b499690ec9d5d59b300401010049a41dd7d2618931e2d16fa22e869397478ff177fc2301eef652e6042defcf82f60897df4af82c6bb00a12f52a239964f55de72b (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x1de92fd319ef361c7d7fc55a3903ba57 (15) Finished request Waking up in 4.9 seconds. (16) Received Access-Request Id 95 from 130.92.42.20:56958 to 130.92.10.33:1812 length 568 (16) User-Name = "dominic.stalder@unibe.ch" (16) Service-Type = Framed-User (16) Cisco-AVPair = "service-type=Framed" (16) Framed-MTU = 1485 (16) EAP-Message = 0x0206008819800000007e16030300461000004241044b18bc5103fb19b4b172d827bebc8fb6e5a89caa86ecd2d2af20d96592e46b5ede6df542983d8a4b7d178b59644148f098333e0333f58ba0bac27972d54d107014030300010116030300280eb44ab0540a84b463a92404ef78c91d26aa51ff96e86301c8d7ddbf9e12724aa933f1a64c868dea (16) Message-Authenticator = 0xdbfc267b0e764874e63c61f643fb722e (16) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (16) Cisco-AVPair = "method=dot1x" (16) Cisco-AVPair = "client-iif-id=2500003624" (16) Cisco-AVPair = "vlan-id=1876" (16) NAS-IP-Address = 130.92.42.20 (16) NAS-Port-Id = "capwap_9180059e" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 4219 (16) State = 0x1de92fd319ef361c7d7fc55a3903ba57 (16) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (16) Cisco-AVPair = "wlan-profile-name=eduroamV2" (16) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (16) Calling-Station-Id = "6a-05-bd-e0-f2-80" (16) Airespace-Wlan-Id = 98 (16) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (16) Restoring &session-state (16) &session-state:Framed-MTU = 1014 (16) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy rewrite_called_station_id { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 3C-51-0E-72-2A-00 (16) &Called-Station-Id := 3C-51-0E-72-2A-00 (16) } # update request = noop (16) if ("%{8}") { (16) EXPAND %{8} (16) --> eduroam (16) if ("%{8}") -> TRUE (16) if ("%{8}") { (16) update request { (16) EXPAND %{8} (16) --> eduroam (16) &Called-Station-SSID := eduroam (16) } # update request = noop (16) } # if ("%{8}") = noop (16) [updated] = updated (16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_called_station_id = updated (16) policy rewrite_calling_station_id { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 6A-05-BD-E0-F2-80 (16) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (16) } # update request = noop (16) [updated] = updated (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_calling_station_id = updated (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = updated (16) } # policy filter_username = updated (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (16) suffix: Found realm "UNIBE.CH" (16) suffix: Adding Stripped-User-Name = "dominic.stalder" (16) suffix: Adding Realm = "UNIBE.CH" (16) suffix: Authentication realm is LOCAL (16) [suffix] = ok (16) update request { (16) EXPAND %{toupper:%{Realm}} (16) --> UNIBE.CH (16) Realm := UNIBE.CH (16) } # update request = noop (16) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) policy deny_no_realm { (16) if (User-Name && (User-Name !~ /@/)) { (16) if (User-Name && (User-Name !~ /@/)) -> FALSE (16) } # policy deny_no_realm = updated (16) switch &control:Called-Station-SSID { (16) } # switch &control:Called-Station-SSID = updated (16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (16) eap: Peer sent EAP Response (code 2) ID 6 length 136 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Auth-Type eap { (16) eap: Expiring EAP session with state 0x1de92fd319ef361c (16) eap: Finished EAP session with state 0x1de92fd319ef361c (16) eap: Previous EAP request found for state 0x1de92fd319ef361c, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (16) eap_peap: (TLS) EAP Got all data (126 bytes) (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (16) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (16) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished (16) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (16) eap_peap: (TLS) send TLS 1.2 Handshake, Finished (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (16) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (16) eap_peap: (TLS) Connection Established (16) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (16) eap_peap: TLS-Session-Version = "TLS 1.2" (16) eap: Sending EAP Request (code 1) ID 7 length 57 (16) eap: EAP session adding &reply:State = 0x1de92fd318ee361c (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) session-state: Saving cached attributes (16) Framed-MTU = 1014 (16) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (16) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (16) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (16) TLS-Session-Version = "TLS 1.2" (16) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.20:56958 length 115 (16) EAP-Message = 0x0107003919001403030001011603030028ee81289b38b966971e6a8bb4192ebcb8c0668f81a560a0e83c8f2f358c5048da4e4502dad8f52a42 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x1de92fd318ee361c7d7fc55a3903ba57 (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 103 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (17) User-Name = "dominic.stalder@unibe.ch" (17) Service-Type = Framed-User (17) Cisco-AVPair = "service-type=Framed" (17) Framed-MTU = 1485 (17) EAP-Message = 0x020700061900 (17) Message-Authenticator = 0x93382dc058a6fc411428994f06077c45 (17) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (17) Cisco-AVPair = "method=dot1x" (17) Cisco-AVPair = "client-iif-id=2500003624" (17) Cisco-AVPair = "vlan-id=1876" (17) NAS-IP-Address = 130.92.42.20 (17) NAS-Port-Id = "capwap_9180059e" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 4219 (17) State = 0x1de92fd318ee361c7d7fc55a3903ba57 (17) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (17) Cisco-AVPair = "wlan-profile-name=eduroamV2" (17) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (17) Calling-Station-Id = "6a-05-bd-e0-f2-80" (17) Airespace-Wlan-Id = 98 (17) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (17) Restoring &session-state (17) &session-state:Framed-MTU = 1014 (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (17) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) &session-state:TLS-Session-Version = "TLS 1.2" (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy rewrite_called_station_id { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 3C-51-0E-72-2A-00 (17) &Called-Station-Id := 3C-51-0E-72-2A-00 (17) } # update request = noop (17) if ("%{8}") { (17) EXPAND %{8} (17) --> eduroam (17) if ("%{8}") -> TRUE (17) if ("%{8}") { (17) update request { (17) EXPAND %{8} (17) --> eduroam (17) &Called-Station-SSID := eduroam (17) } # update request = noop (17) } # if ("%{8}") = noop (17) [updated] = updated (17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_called_station_id = updated (17) policy rewrite_calling_station_id { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 6A-05-BD-E0-F2-80 (17) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (17) } # update request = noop (17) [updated] = updated (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_calling_station_id = updated (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = updated (17) } # policy filter_username = updated (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (17) suffix: Found realm "UNIBE.CH" (17) suffix: Adding Stripped-User-Name = "dominic.stalder" (17) suffix: Adding Realm = "UNIBE.CH" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) update request { (17) EXPAND %{toupper:%{Realm}} (17) --> UNIBE.CH (17) Realm := UNIBE.CH (17) } # update request = noop (17) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) policy deny_no_realm { (17) if (User-Name && (User-Name !~ /@/)) { (17) if (User-Name && (User-Name !~ /@/)) -> FALSE (17) } # policy deny_no_realm = updated (17) switch &control:Called-Station-SSID { (17) } # switch &control:Called-Station-SSID = updated (17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (17) eap: Peer sent EAP Response (code 2) ID 7 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Auth-Type eap { (17) eap: Expiring EAP session with state 0x1de92fd318ee361c (17) eap: Finished EAP session with state 0x1de92fd318ee361c (17) eap: Previous EAP request found for state 0x1de92fd318ee361c, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state TUNNEL ESTABLISHED (17) eap: Sending EAP Request (code 1) ID 8 length 40 (17) eap: EAP session adding &reply:State = 0x1de92fd31be1361c (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) session-state: Saving cached attributes (17) Framed-MTU = 1014 (17) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (17) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) TLS-Session-Version = "TLS 1.2" (17) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.20:56958 length 98 (17) EAP-Message = 0x010800281900170303001dee81289b38b966986346a9c5260f98ec8918724d9885a5054c41aac2f6 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x1de92fd31be1361c7d7fc55a3903ba57 (17) Finished request Waking up in 4.8 seconds. (18) Received Access-Request Id 111 from 130.92.42.20:56958 to 130.92.10.33:1812 length 492 (18) User-Name = "dominic.stalder@unibe.ch" (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Framed-MTU = 1485 (18) EAP-Message = 0x0208003c190017030300310eb44ab0540a84b5ba10d71cb3cafd821018d4f9504190b41636a547d19a561c7362bf3cc1b8af6ff924ab0511352a4b3b (18) Message-Authenticator = 0x852d8279186eef24f4927cf9cbb3522b (18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2500003624" (18) Cisco-AVPair = "vlan-id=1876" (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Id = "capwap_9180059e" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4219 (18) State = 0x1de92fd31be1361c7d7fc55a3903ba57 (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (18) Calling-Station-Id = "6a-05-bd-e0-f2-80" (18) Airespace-Wlan-Id = 98 (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Restoring &session-state (18) &session-state:Framed-MTU = 1014 (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) &session-state:TLS-Session-Version = "TLS 1.2" (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy rewrite_called_station_id { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 3C-51-0E-72-2A-00 (18) &Called-Station-Id := 3C-51-0E-72-2A-00 (18) } # update request = noop (18) if ("%{8}") { (18) EXPAND %{8} (18) --> eduroam (18) if ("%{8}") -> TRUE (18) if ("%{8}") { (18) update request { (18) EXPAND %{8} (18) --> eduroam (18) &Called-Station-SSID := eduroam (18) } # update request = noop (18) } # if ("%{8}") = noop (18) [updated] = updated (18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_called_station_id = updated (18) policy rewrite_calling_station_id { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 6A-05-BD-E0-F2-80 (18) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (18) } # update request = noop (18) [updated] = updated (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_calling_station_id = updated (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = updated (18) } # policy filter_username = updated (18) suffix: Checking for suffix after "@" (18) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (18) suffix: Found realm "UNIBE.CH" (18) suffix: Adding Stripped-User-Name = "dominic.stalder" (18) suffix: Adding Realm = "UNIBE.CH" (18) suffix: Authentication realm is LOCAL (18) [suffix] = ok (18) update request { (18) EXPAND %{toupper:%{Realm}} (18) --> UNIBE.CH (18) Realm := UNIBE.CH (18) } # update request = noop (18) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) policy deny_no_realm { (18) if (User-Name && (User-Name !~ /@/)) { (18) if (User-Name && (User-Name !~ /@/)) -> FALSE (18) } # policy deny_no_realm = updated (18) switch &control:Called-Station-SSID { (18) } # switch &control:Called-Station-SSID = updated (18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (18) eap: Peer sent EAP Response (code 2) ID 8 length 60 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Auth-Type eap { (18) eap: Expiring EAP session with state 0x1de92fd31be1361c (18) eap: Finished EAP session with state 0x1de92fd31be1361c (18) eap: Previous EAP request found for state 0x1de92fd31be1361c, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: (TLS) EAP Done initial handshake (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state WAITING FOR INNER IDENTITY (18) eap_peap: Identity - dominic.stalder@unibe.ch (18) eap_peap: Got inner identity 'dominic.stalder@unibe.ch' (18) eap_peap: Setting default EAP type for tunneled EAP session (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (18) eap_peap: Sending tunneled request to proxy-inner-tunnel (18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "dominic.stalder@unibe.ch" (18) eap_peap: Service-Type = Framed-User (18) eap_peap: Cisco-AVPair = "service-type=Framed" (18) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) eap_peap: Cisco-AVPair = "method=dot1x" (18) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (18) eap_peap: Cisco-AVPair = "vlan-id=1876" (18) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) eap_peap: Framed-MTU = 1485 (18) eap_peap: NAS-IP-Address = 130.92.42.20 (18) eap_peap: NAS-Port-Id = "capwap_9180059e" (18) eap_peap: NAS-Port-Type = Wireless-802.11 (18) eap_peap: NAS-Port = 4219 (18) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (18) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) eap_peap: Airespace-Wlan-Id = 98 (18) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Virtual server proxy-inner-tunnel received request (18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "dominic.stalder@unibe.ch" (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2500003624" (18) Cisco-AVPair = "vlan-id=1876" (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) Framed-MTU = 1485 (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Id = "capwap_9180059e" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4219 (18) Called-Station-Id := "3C-51-0E-72-2A-00" (18) Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) Airespace-Wlan-Id = 98 (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server proxy-inner-tunnel { (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (18) authorize { (18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (18) if (!NAS-Port-Type){ (18) if (!NAS-Port-Type) -> FALSE (18) update control { (18) &Proxy-To-Realm := NPS-DEV (18) } # update control = noop (18) } # authorize = noop (18) } # server proxy-inner-tunnel (18) Virtual server sending reply (18) eap_peap: Got tunneled reply code 0 (18) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (18) eap: WARNING: Tunneled session will be proxied. Not doing EAP (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (18) } # Auth-Type eap = handled (18) Starting proxy to home server 130.92.14.27 port 1812 (18) server default { (18) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (18) pre-proxy { (18) attr_filter.pre-proxy: EXPAND %{Realm} (18) attr_filter.pre-proxy: --> UNIBE.CH (18) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (18) [attr_filter.pre-proxy] = updated (18) } # pre-proxy = updated (18) } (18) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (18) Sent Access-Request Id 3 from 0.0.0.0:41351 to 130.92.14.27:1812 length 188 (18) Operator-Name := "1unibe.ch" (18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) User-Name = "dominic.stalder@unibe.ch" (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Type = Wireless-802.11 (18) Called-Station-Id := "3C-51-0E-72-2A-00" (18) Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Message-Authenticator = 0x (18) Proxy-State = 0x313131 Waking up in 0.3 seconds. (18) Clearing existing &reply: attributes (18) Received Access-Challenge Id 3 from 130.92.14.27:1812 to 130.92.10.33:41351 length 128 (18) Proxy-State = 0x313131 (18) Session-Timeout = 60 (18) EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632 (18) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (18) Message-Authenticator = 0x6010087d40d157005d3540778ed46280 (18) server default { (18) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (18) post-proxy { (18) attr_filter.post-proxy: EXPAND %{Realm} (18) attr_filter.post-proxy: --> UNIBE.CH (18) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (18) [attr_filter.post-proxy] = updated (18) eap: Doing post-proxy callback (18) eap: Passing reply from proxy back into the tunnel (18) eap: Got tunneled reply RADIUS code 11 (18) eap: Tunnel-Type := VLAN (18) eap: Tunnel-Medium-Type := IEEE-802 (18) eap: Proxy-State = 0x313131 (18) eap: EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632 (18) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (18) eap: Message-Authenticator = 0x6010087d40d157005d3540778ed46280 (18) eap: Got tunneled Access-Challenge (18) eap: Reply was handled (18) eap: Sending EAP Request (code 1) ID 9 length 70 (18) eap: EAP session adding &reply:State = 0x1de92fd31ae0361c (18) [eap] = ok (18) } # post-proxy = updated (18) } (18) session-state: Saving cached attributes (18) Framed-MTU = 1014 (18) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (18) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) TLS-Session-Version = "TLS 1.2" (18) Using Post-Auth-Type Challenge (18) Post-Auth-Type sub-section not found. Ignoring. (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Sent Access-Challenge Id 111 from 130.92.10.33:1812 to 130.92.42.20:56958 length 128 (18) EAP-Message = 0x010900461900170303003bee81289b38b96699838bacf9ab8471d9a0c0522c8f7b32d458a0fded96c04c4a3ee53c690abbbdd4ab41013b7988b57e521af8dc7bcd467b297af9 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x1de92fd31ae0361c7d7fc55a3903ba57 (18) Finished request Waking up in 4.8 seconds. (19) Received Access-Request Id 119 from 130.92.42.20:56958 to 130.92.10.33:1812 length 546 (19) User-Name = "dominic.stalder@unibe.ch" (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Framed-MTU = 1485 (19) EAP-Message = 0x02090072190017030300670eb44ab0540a84b6c847c1e4cd47b9f36e37fc528705aed180287420c6730fc360d9458c0c4df8b8eccc6529f567f80b13cffefbfcaa6155a88b3ceb96c7958abf1e8b86ec337c25d154d8ab4915b9daebdcf7b1ac0fa7c2ffbfee5c6b880cbc458625358dfc7c (19) Message-Authenticator = 0xb41636b5706cfcd2a98e05828ea1a1e0 (19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2500003624" (19) Cisco-AVPair = "vlan-id=1876" (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Id = "capwap_9180059e" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4219 (19) State = 0x1de92fd31ae0361c7d7fc55a3903ba57 (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (19) Calling-Station-Id = "6a-05-bd-e0-f2-80" (19) Airespace-Wlan-Id = 98 (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Restoring &session-state (19) &session-state:Framed-MTU = 1014 (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) &session-state:TLS-Session-Version = "TLS 1.2" (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy rewrite_called_station_id { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 3C-51-0E-72-2A-00 (19) &Called-Station-Id := 3C-51-0E-72-2A-00 (19) } # update request = noop (19) if ("%{8}") { (19) EXPAND %{8} (19) --> eduroam (19) if ("%{8}") -> TRUE (19) if ("%{8}") { (19) update request { (19) EXPAND %{8} (19) --> eduroam (19) &Called-Station-SSID := eduroam (19) } # update request = noop (19) } # if ("%{8}") = noop (19) [updated] = updated (19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_called_station_id = updated (19) policy rewrite_calling_station_id { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 6A-05-BD-E0-F2-80 (19) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (19) } # update request = noop (19) [updated] = updated (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_calling_station_id = updated (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = updated (19) } # policy filter_username = updated (19) suffix: Checking for suffix after "@" (19) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (19) suffix: Found realm "UNIBE.CH" (19) suffix: Adding Stripped-User-Name = "dominic.stalder" (19) suffix: Adding Realm = "UNIBE.CH" (19) suffix: Authentication realm is LOCAL (19) [suffix] = ok (19) update request { (19) EXPAND %{toupper:%{Realm}} (19) --> UNIBE.CH (19) Realm := UNIBE.CH (19) } # update request = noop (19) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) policy deny_no_realm { (19) if (User-Name && (User-Name !~ /@/)) { (19) if (User-Name && (User-Name !~ /@/)) -> FALSE (19) } # policy deny_no_realm = updated (19) switch &control:Called-Station-SSID { (19) } # switch &control:Called-Station-SSID = updated (19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (19) eap: Peer sent EAP Response (code 2) ID 9 length 114 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Auth-Type eap { (19) eap: Expiring EAP session with state 0x1de92fd31ae0361c (19) eap: Finished EAP session with state 0x1de92fd31ae0361c (19) eap: Previous EAP request found for state 0x1de92fd31ae0361c, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: (TLS) EAP Done initial handshake (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state phase2 (19) eap_peap: EAP method MSCHAPv2 (26) (19) eap_peap: Got tunneled request (19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (19) eap_peap: Sending tunneled request to proxy-inner-tunnel (19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (19) eap_peap: User-Name = "dominic.stalder@unibe.ch" (19) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) eap_peap: Service-Type = Framed-User (19) eap_peap: Cisco-AVPair = "service-type=Framed" (19) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) eap_peap: Cisco-AVPair = "method=dot1x" (19) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (19) eap_peap: Cisco-AVPair = "vlan-id=1876" (19) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) eap_peap: Framed-MTU = 1485 (19) eap_peap: NAS-IP-Address = 130.92.42.20 (19) eap_peap: NAS-Port-Id = "capwap_9180059e" (19) eap_peap: NAS-Port-Type = Wireless-802.11 (19) eap_peap: NAS-Port = 4219 (19) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (19) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) eap_peap: Airespace-Wlan-Id = 98 (19) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Virtual server proxy-inner-tunnel received request (19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) FreeRADIUS-Proxied-To = 127.0.0.1 (19) User-Name = "dominic.stalder@unibe.ch" (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2500003624" (19) Cisco-AVPair = "vlan-id=1876" (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) Framed-MTU = 1485 (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Id = "capwap_9180059e" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4219 (19) Called-Station-Id := "3C-51-0E-72-2A-00" (19) Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) Airespace-Wlan-Id = 98 (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) WARNING: Outer and inner identities are the same. User privacy is compromised. (19) server proxy-inner-tunnel { (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (19) authorize { (19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (19) if (!NAS-Port-Type){ (19) if (!NAS-Port-Type) -> FALSE (19) update control { (19) &Proxy-To-Realm := NPS-DEV (19) } # update control = noop (19) } # authorize = noop (19) } # server proxy-inner-tunnel (19) Virtual server sending reply (19) eap_peap: Got tunneled reply code 0 (19) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (19) eap: WARNING: Tunneled session will be proxied. Not doing EAP (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (19) } # Auth-Type eap = handled (19) Starting proxy to home server 130.92.14.27 port 1812 (19) server default { (19) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (19) pre-proxy { (19) attr_filter.pre-proxy: EXPAND %{Realm} (19) attr_filter.pre-proxy: --> UNIBE.CH (19) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (19) [attr_filter.pre-proxy] = updated (19) } # pre-proxy = updated (19) } (19) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (19) Sent Access-Request Id 80 from 0.0.0.0:41351 to 130.92.14.27:1812 length 280 (19) Operator-Name := "1unibe.ch" (19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) User-Name = "dominic.stalder@unibe.ch" (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Type = Wireless-802.11 (19) Called-Station-Id := "3C-51-0E-72-2A-00" (19) Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Message-Authenticator = 0x (19) Proxy-State = 0x313139 Waking up in 0.3 seconds. (19) Clearing existing &reply: attributes (19) Received Access-Challenge Id 80 from 130.92.14.27:1812 to 130.92.10.33:41351 length 140 (19) Proxy-State = 0x313139 (19) Session-Timeout = 60 (19) EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063 (19) server default { (19) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (19) post-proxy { (19) attr_filter.post-proxy: EXPAND %{Realm} (19) attr_filter.post-proxy: --> UNIBE.CH (19) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (19) [attr_filter.post-proxy] = updated (19) eap: Doing post-proxy callback (19) eap: Passing reply from proxy back into the tunnel (19) eap: Got tunneled reply RADIUS code 11 (19) eap: Tunnel-Type := VLAN (19) eap: Tunnel-Medium-Type := IEEE-802 (19) eap: Proxy-State = 0x313139 (19) eap: EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (19) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) eap: Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063 (19) eap: Got tunneled Access-Challenge (19) eap: Reply was handled (19) eap: Sending EAP Request (code 1) ID 10 length 82 (19) eap: EAP session adding &reply:State = 0x1de92fd315e3361c (19) [eap] = ok (19) } # post-proxy = updated (19) } (19) session-state: Saving cached attributes (19) Framed-MTU = 1014 (19) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (19) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) TLS-Session-Version = "TLS 1.2" (19) Using Post-Auth-Type Challenge (19) Post-Auth-Type sub-section not found. Ignoring. (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Sent Access-Challenge Id 119 from 130.92.10.33:1812 to 130.92.42.20:56958 length 140 (19) EAP-Message = 0x010a005219001703030047ee81289b38b9669adba1fab65405736dbbfcb27f2717a52264a47659030722d29939aea776b86fec481bda6d4c07a1e792afe6d888bca68031b6b939f2c2be7faeef6adc05a6e3 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x1de92fd315e3361c7d7fc55a3903ba57 (19) Finished request Waking up in 4.8 seconds. (20) Received Access-Request Id 127 from 130.92.42.20:56958 to 130.92.10.33:1812 length 469 (20) User-Name = "dominic.stalder@unibe.ch" (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Framed-MTU = 1485 (20) EAP-Message = 0x020a00251900170303001a0eb44ab0540a84b7c31a7ba33522878ffe2eeebc82ccb08cf952 (20) Message-Authenticator = 0xbad5ba1b57de86e7ebe12ecfcafd37ea (20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2500003624" (20) Cisco-AVPair = "vlan-id=1876" (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Id = "capwap_9180059e" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4219 (20) State = 0x1de92fd315e3361c7d7fc55a3903ba57 (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (20) Calling-Station-Id = "6a-05-bd-e0-f2-80" (20) Airespace-Wlan-Id = 98 (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Restoring &session-state (20) &session-state:Framed-MTU = 1014 (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) &session-state:TLS-Session-Version = "TLS 1.2" (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy rewrite_called_station_id { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 3C-51-0E-72-2A-00 (20) &Called-Station-Id := 3C-51-0E-72-2A-00 (20) } # update request = noop (20) if ("%{8}") { (20) EXPAND %{8} (20) --> eduroam (20) if ("%{8}") -> TRUE (20) if ("%{8}") { (20) update request { (20) EXPAND %{8} (20) --> eduroam (20) &Called-Station-SSID := eduroam (20) } # update request = noop (20) } # if ("%{8}") = noop (20) [updated] = updated (20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_called_station_id = updated (20) policy rewrite_calling_station_id { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 6A-05-BD-E0-F2-80 (20) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (20) } # update request = noop (20) [updated] = updated (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_calling_station_id = updated (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = updated (20) } # policy filter_username = updated (20) suffix: Checking for suffix after "@" (20) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (20) suffix: Found realm "UNIBE.CH" (20) suffix: Adding Stripped-User-Name = "dominic.stalder" (20) suffix: Adding Realm = "UNIBE.CH" (20) suffix: Authentication realm is LOCAL (20) [suffix] = ok (20) update request { (20) EXPAND %{toupper:%{Realm}} (20) --> UNIBE.CH (20) Realm := UNIBE.CH (20) } # update request = noop (20) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) policy deny_no_realm { (20) if (User-Name && (User-Name !~ /@/)) { (20) if (User-Name && (User-Name !~ /@/)) -> FALSE (20) } # policy deny_no_realm = updated (20) switch &control:Called-Station-SSID { (20) } # switch &control:Called-Station-SSID = updated (20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (20) eap: Peer sent EAP Response (code 2) ID 10 length 37 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Auth-Type eap { (20) eap: Expiring EAP session with state 0x1de92fd315e3361c (20) eap: Finished EAP session with state 0x1de92fd315e3361c (20) eap: Previous EAP request found for state 0x1de92fd315e3361c, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: (TLS) EAP Done initial handshake (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state phase2 (20) eap_peap: EAP method MSCHAPv2 (26) (20) eap_peap: Got tunneled request (20) eap_peap: EAP-Message = 0x020a00061a03 (20) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (20) eap_peap: Sending tunneled request to proxy-inner-tunnel (20) eap_peap: EAP-Message = 0x020a00061a03 (20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (20) eap_peap: User-Name = "dominic.stalder@unibe.ch" (20) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) eap_peap: Service-Type = Framed-User (20) eap_peap: Cisco-AVPair = "service-type=Framed" (20) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) eap_peap: Cisco-AVPair = "method=dot1x" (20) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (20) eap_peap: Cisco-AVPair = "vlan-id=1876" (20) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) eap_peap: Framed-MTU = 1485 (20) eap_peap: NAS-IP-Address = 130.92.42.20 (20) eap_peap: NAS-Port-Id = "capwap_9180059e" (20) eap_peap: NAS-Port-Type = Wireless-802.11 (20) eap_peap: NAS-Port = 4219 (20) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (20) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) eap_peap: Airespace-Wlan-Id = 98 (20) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Virtual server proxy-inner-tunnel received request (20) EAP-Message = 0x020a00061a03 (20) FreeRADIUS-Proxied-To = 127.0.0.1 (20) User-Name = "dominic.stalder@unibe.ch" (20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2500003624" (20) Cisco-AVPair = "vlan-id=1876" (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) Framed-MTU = 1485 (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Id = "capwap_9180059e" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4219 (20) Called-Station-Id := "3C-51-0E-72-2A-00" (20) Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) Airespace-Wlan-Id = 98 (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) WARNING: Outer and inner identities are the same. User privacy is compromised. (20) server proxy-inner-tunnel { (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (20) authorize { (20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (20) if (!NAS-Port-Type){ (20) if (!NAS-Port-Type) -> FALSE (20) update control { (20) &Proxy-To-Realm := NPS-DEV (20) } # update control = noop (20) } # authorize = noop (20) } # server proxy-inner-tunnel (20) Virtual server sending reply (20) eap_peap: Got tunneled reply code 0 (20) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (20) eap: WARNING: Tunneled session will be proxied. Not doing EAP (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (20) } # Auth-Type eap = handled (20) Starting proxy to home server 130.92.14.27 port 1812 (20) server default { (20) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (20) pre-proxy { (20) attr_filter.pre-proxy: EXPAND %{Realm} (20) attr_filter.pre-proxy: --> UNIBE.CH (20) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (20) [attr_filter.pre-proxy] = updated (20) } # pre-proxy = updated (20) } (20) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (20) Sent Access-Request Id 107 from 0.0.0.0:41351 to 130.92.14.27:1812 length 203 (20) Operator-Name := "1unibe.ch" (20) EAP-Message = 0x020a00061a03 (20) User-Name = "dominic.stalder@unibe.ch" (20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Type = Wireless-802.11 (20) Called-Station-Id := "3C-51-0E-72-2A-00" (20) Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Message-Authenticator = 0x (20) Proxy-State = 0x313237 Waking up in 0.3 seconds. (20) Clearing existing &reply: attributes (20) Received Access-Accept Id 107 from 130.92.14.27:1812 to 130.92.10.33:41351 length 289 (20) Proxy-State = 0x313237 (20) Class = "staff" (20) Filter-Id = "staff" (20) Framed-Protocol = PPP (20) Service-Type = Framed-User (20) Tunnel-Medium-Type:0 = IEEE-802 (20) Tunnel-Private-Group-Id:0 = "1874" (20) Tunnel-Type:0 = VLAN (20) EAP-Message = 0x030a0004 (20) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (20) MS-CHAP-Domain = "\001CAMPUS" (20) MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0 (20) MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae (20) MS-CHAP2-Success = 0x01533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (20) Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af (20) server default { (20) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (20) post-proxy { (20) attr_filter.post-proxy: EXPAND %{Realm} (20) attr_filter.post-proxy: --> UNIBE.CH (20) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (20) [attr_filter.post-proxy] = updated (20) eap: Doing post-proxy callback (20) eap: Passing reply from proxy back into the tunnel (20) eap: Got tunneled reply RADIUS code 2 (20) eap: Tunnel-Type := VLAN (20) eap: Tunnel-Medium-Type := IEEE-802 (20) eap: Proxy-State = 0x313237 (20) eap: Class = "staff" (20) eap: Filter-Id = "staff" (20) eap: Tunnel-Private-Group-Id:0 = "1874" (20) eap: EAP-Message = 0x030a0004 (20) eap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (20) eap: MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0 (20) eap: MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae (20) eap: Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af (20) eap: Tunneled authentication was successful (20) eap: SUCCESS (20) eap: Saving tunneled attributes for later (20) eap: Reply was handled (20) eap: Sending EAP Request (code 1) ID 11 length 46 (20) eap: EAP session adding &reply:State = 0x1de92fd314e2361c (20) [eap] = ok (20) } # post-proxy = updated (20) } (20) session-state: Saving cached attributes (20) Framed-MTU = 1014 (20) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (20) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Using Post-Auth-Type Challenge (20) Post-Auth-Type sub-section not found. Ignoring. (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Sent Access-Challenge Id 127 from 130.92.10.33:1812 to 130.92.42.20:56958 length 104 (20) EAP-Message = 0x010b002e19001703030023ee81289b38b9669bfa1166346ea479e73ee4d39cc73b0e97a63d2f4face2bc55c99f2f (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x1de92fd314e2361c7d7fc55a3903ba57 (20) Finished request Waking up in 4.8 seconds. (21) Received Access-Request Id 135 from 130.92.42.20:56958 to 130.92.10.33:1812 length 478 (21) User-Name = "dominic.stalder@unibe.ch" (21) Service-Type = Framed-User (21) Cisco-AVPair = "service-type=Framed" (21) Framed-MTU = 1485 (21) EAP-Message = 0x020b002e190017030300230eb44ab0540a84b8149c5ba395783899c1e875d9932d9debabc348893b31b12bd0f358 (21) Message-Authenticator = 0x3f983eae845159512b2c2a6dcc8a6e62 (21) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (21) Cisco-AVPair = "method=dot1x" (21) Cisco-AVPair = "client-iif-id=2500003624" (21) Cisco-AVPair = "vlan-id=1876" (21) NAS-IP-Address = 130.92.42.20 (21) NAS-Port-Id = "capwap_9180059e" (21) NAS-Port-Type = Wireless-802.11 (21) NAS-Port = 4219 (21) State = 0x1de92fd314e2361c7d7fc55a3903ba57 (21) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (21) Cisco-AVPair = "wlan-profile-name=eduroamV2" (21) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (21) Calling-Station-Id = "6a-05-bd-e0-f2-80" (21) Airespace-Wlan-Id = 98 (21) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (21) Restoring &session-state (21) &session-state:Framed-MTU = 1014 (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy rewrite_called_station_id { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 3C-51-0E-72-2A-00 (21) &Called-Station-Id := 3C-51-0E-72-2A-00 (21) } # update request = noop (21) if ("%{8}") { (21) EXPAND %{8} (21) --> eduroam (21) if ("%{8}") -> TRUE (21) if ("%{8}") { (21) update request { (21) EXPAND %{8} (21) --> eduroam (21) &Called-Station-SSID := eduroam (21) } # update request = noop (21) } # if ("%{8}") = noop (21) [updated] = updated (21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_called_station_id = updated (21) policy rewrite_calling_station_id { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 6A-05-BD-E0-F2-80 (21) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (21) } # update request = noop (21) [updated] = updated (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_calling_station_id = updated (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = updated (21) } # policy filter_username = updated (21) suffix: Checking for suffix after "@" (21) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (21) suffix: Found realm "UNIBE.CH" (21) suffix: Adding Stripped-User-Name = "dominic.stalder" (21) suffix: Adding Realm = "UNIBE.CH" (21) suffix: Authentication realm is LOCAL (21) [suffix] = ok (21) update request { (21) EXPAND %{toupper:%{Realm}} (21) --> UNIBE.CH (21) Realm := UNIBE.CH (21) } # update request = noop (21) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) policy deny_no_realm { (21) if (User-Name && (User-Name !~ /@/)) { (21) if (User-Name && (User-Name !~ /@/)) -> FALSE (21) } # policy deny_no_realm = updated (21) switch &control:Called-Station-SSID { (21) } # switch &control:Called-Station-SSID = updated (21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (21) eap: Peer sent EAP Response (code 2) ID 11 length 46 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Auth-Type eap { (21) eap: Expiring EAP session with state 0x1de92fd314e2361c (21) eap: Finished EAP session with state 0x1de92fd314e2361c (21) eap: Previous EAP request found for state 0x1de92fd314e2361c, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: (TLS) EAP Done initial handshake (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state send tlv success (21) eap_peap: Received EAP-TLV response (21) eap_peap: Success (21) eap_peap: Using saved attributes from the original Access-Accept (21) eap_peap: Tunnel-Type := VLAN (21) eap_peap: Tunnel-Medium-Type := IEEE-802 (21) eap_peap: Class = "staff" (21) eap_peap: Filter-Id = "staff" (21) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (21) eap_peap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (21) eap: Sending EAP Success (code 3) ID 11 length 4 (21) eap: Freeing handler (21) [eap] = ok (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (21) } # Auth-Type eap = ok (21) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (21) post-auth { (21) update { (21) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (21) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (21) } # update = noop (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (21) 802.1x_authz_log: --> sp.Access-Accept (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (21) 802.1x_authz_log: --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log (21) 802.1x_authz_log: --> /var/log/freeradius/authz.log (21) [802.1x_authz_log] = ok (21) } # if (EAP-Message) = ok (21) policy remove_reply_message_if_eap { (21) if (&reply:EAP-Message && &reply:Reply-Message) { (21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (21) else { (21) [noop] = noop (21) } # else = noop (21) } # policy remove_reply_message_if_eap = noop (21) } # post-auth = ok (21) Login OK: [dominic.stalder@unibe.ch] (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) Sent Access-Accept Id 135 from 130.92.10.33:1812 to 130.92.42.20:56958 length 270 (21) Tunnel-Type := VLAN (21) Tunnel-Medium-Type := IEEE-802 (21) Class = "staff" (21) Filter-Id = "staff" (21) Tunnel-Private-Group-Id:0 = "1874" (21) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (21) MS-MPPE-Recv-Key = 0x683a26deb424ef81dda94ff52b54b2a7025ac4e6e5b331f264948cdcd9c529a3 (21) MS-MPPE-Send-Key = 0x5e2a7f4ec95429b176dd4235ea7c5ab7beecd50d27ed463169c0cd1fc751e3f6 (21) EAP-Message = 0x030b0004 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) User-Name = "dominic.stalder@unibe.ch" (21) Framed-MTU += 1014 (21) Finished request Waking up in 4.8 seconds. (11) Cleaning up request packet ID 55 with timestamp +32 due to cleanup_delay was reached (12) Cleaning up request packet ID 63 with timestamp +32 due to cleanup_delay was reached (13) Cleaning up request packet ID 71 with timestamp +32 due to cleanup_delay was reached (14) Cleaning up request packet ID 79 with timestamp +32 due to cleanup_delay was reached (15) Cleaning up request packet ID 87 with timestamp +32 due to cleanup_delay was reached (16) Cleaning up request packet ID 95 with timestamp +32 due to cleanup_delay was reached (17) Cleaning up request packet ID 103 with timestamp +32 due to cleanup_delay was reached (18) Cleaning up request packet ID 111 with timestamp +32 due to cleanup_delay was reached (19) Cleaning up request packet ID 119 with timestamp +32 due to cleanup_delay was reached (20) Cleaning up request packet ID 127 with timestamp +32 due to cleanup_delay was reached (21) Cleaning up request packet ID 135 with timestamp +32 due to cleanup_delay was reached Ready to process requests Output in /var/log/freeradius/authz.log: Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change any thing than before lunch time... But do we somehow need to close this "discussion" an mark it as resovled or how does this work? __ Anyhow, thank you so much for helping out! Best reards Dominic