Following Alan's guidance from his post earlier, I have: 1) Removed FreeRADIUS 4.0.x and installed 3.0.12 2) I've read through the debug when a failure occurs. It looks like while I have the LDAP check enabled the computers using certificates get rejected because they are not found by the LDAP search/filter. (5) if (Ldap-Group == "WiFi") -> FALSE (5) else { (5) [reject] = reject (5) } # else = reject (5) } # post-auth = reject (5) Using Post-Auth-Type Reject 3) When the LDAP check is commented out the computers using certificates can connect so I have not reissued all certificates yet. From the debug failure it appears to be an LDAP query/filter issue. Am I interpreting the output correctly?
We upgraded the functional level to 2012R2 Native and it broke everything.
It's probably LDAP.
I believe it may be the LDAP group membership filter which is: membership_filter = "(|(member=%{control:Ldap-UserDn})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" The computers are joined to our domain and their computer accounts are in the WiFi security group. Their sAMAccountName ends with a $ Is that why there is not a match with the membership_filter?
post-auth {
# if (Ldap-Group == "WiFi") { # noop # }
So you've commented out the Ldap-Group check and it works. My guess is that the AD functional upgrade has changed the schema or LDAP permissions and your group query is failing now.
and watching the radiusd -X debug.
As Alan says - you need to post a debug of a *failing* case. Better yet, look carefully at it the debug before posting it - the failure will probably be obvious.
If not, post the full debug of a failure.
Please see debug below. I would like to configure it so that if the computer has a valid certificate it would use EAP-TLS and be connected, if no certificate is presented FreeRADIUS would prompt for username and password and use LDAP-Group membership being the determining factor whether or not the user is granted access. Thank you for your input. ***DEBUG*** Ready to process requests (0) Received Access-Request Id 27 from 10.10.2.5:32809 to 10.10.0.238:1812 length 197 (0) User-Name = "host/TElsberry10-Tab" (0) NAS-IP-Address = 10.10.2.5 (0) NAS-Identifier = "dc9fdb7003d4" (0) NAS-Port = 0 (0) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (0) Calling-Station-Id = "88-53-2E-7C-FD-DA" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0231001901686f73742f54456c73626572727931302d546162 (0) Message-Authenticator = 0x8b480d049454b1777cceef127c71a9bc (0) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (0) ntdomain: No such realm "NULL" (0) [ntdomain] = noop (0) eap: Peer sent EAP Response (code 2) ID 49 length 25 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new EAP-TLS session (0) eap_tls: Flushing SSL sessions (of #0) (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 50 length 6 (0) eap: EAP session adding &reply:State = 0xe1b5c235e187cf19 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 27 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (0) EAP-Message = 0x013200060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe1b5c235e187cf190cf7c580ecd5b37c (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 28 from 10.10.2.5:32809 to 10.10.0.238:1812 length 404 (1) User-Name = "host/TElsberry10-Tab" (1) NAS-IP-Address = 10.10.2.5 (1) NAS-Identifier = "dc9fdb7003d4" (1) NAS-Port = 0 (1) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (1) Calling-Station-Id = "88-53-2E-7C-FD-DA" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x023200d60d80000000cc16030300c7010000c30303580e438e2c3ba26409542c6b43b8236cc0add76d5f301b22f977a5639f4ee00420b34e87a7414a2363c38f425676fe4f42d2ae22d16561ca32a2d9ed6aaa5463fa003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013003900 (1) State = 0xe1b5c235e187cf190cf7c580ecd5b37c (1) Message-Authenticator = 0x3de565fdd57ae1d8ecf2966261faf36d (1) session-state: No cached attributes (1) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntdomain: Checking for prefix before "\" (1) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (1) ntdomain: No such realm "NULL" (1) [ntdomain] = noop (1) eap: Peer sent EAP Response (code 2) ID 50 length 214 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe1b5c235e187cf19 (1) eap: Finished EAP session with state 0xe1b5c235e187cf19 (1) eap: Previous EAP request found for state 0xe1b5c235e187cf19, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Peer indicated complete TLS record size will be 204 bytes (1) eap_tls: Got complete TLS record (204 bytes) (1) eap_tls: [eaptls verify] = length included (1) eap_tls: (other): before/accept initialization (1) eap_tls: TLS_accept: before/accept initialization (1) eap_tls: <<< recv TLS 1.2 [length 00c7] (1) eap_tls: TLS_accept: SSLv3 read client hello A (1) eap_tls: >>> send TLS 1.2 [length 0059] (1) eap_tls: TLS_accept: SSLv3 write server hello A (1) eap_tls: >>> send TLS 1.2 [length 085c] (1) eap_tls: TLS_accept: SSLv3 write certificate A (1) eap_tls: >>> send TLS 1.2 [length 014d] (1) eap_tls: TLS_accept: SSLv3 write key exchange A (1) eap_tls: >>> send TLS 1.2 [length 00c6] (1) eap_tls: TLS_accept: SSLv3 write certificate request A (1) eap_tls: TLS_accept: SSLv3 flush data (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: In SSL Handshake Phase (1) eap_tls: In SSL Accept mode (1) eap_tls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 51 length 1004 (1) eap: EAP session adding &reply:State = 0xe1b5c235e086cf19 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 28 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (1) EAP-Message = 0x013303ec0dc000000adc160303005902000055030354f2b96677d828e24af212a93d25dc6911e0f6d5662710489e0f21fd09b95c69201a364ac83fb12e7e36891f3bab987c5f3155520aa2fb3391dac9551a778e70b0c03000000dff01000100000b000403000102160303085c0b0008580008550003a4 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xe1b5c235e086cf190cf7c580ecd5b37c (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 29 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (2) User-Name = "host/TElsberry10-Tab" (2) NAS-IP-Address = 10.10.2.5 (2) NAS-Identifier = "dc9fdb7003d4" (2) NAS-Port = 0 (2) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (2) Calling-Station-Id = "88-53-2E-7C-FD-DA" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x023300060d00 (2) State = 0xe1b5c235e086cf190cf7c580ecd5b37c (2) Message-Authenticator = 0xeba2bda8b2853a7e3d1ae63406185608 (2) session-state: No cached attributes (2) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) ntdomain: Checking for prefix before "\" (2) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (2) ntdomain: No such realm "NULL" (2) [ntdomain] = noop (2) eap: Peer sent EAP Response (code 2) ID 51 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xe1b5c235e086cf19 (2) eap: Finished EAP session with state 0xe1b5c235e086cf19 (2) eap: Previous EAP request found for state 0xe1b5c235e086cf19, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: Continuing EAP-TLS (2) eap_tls: Peer ACKed our handshake fragment (2) eap_tls: [eaptls verify] = request (2) eap_tls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 52 length 1004 (2) eap: EAP session adding &reply:State = 0xe1b5c235e381cf19 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 29 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (2) EAP-Message = 0x013403ec0dc000000adc3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b300906035504061302555331133011 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xe1b5c235e381cf190cf7c580ecd5b37c (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 30 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (3) User-Name = "host/TElsberry10-Tab" (3) NAS-IP-Address = 10.10.2.5 (3) NAS-Identifier = "dc9fdb7003d4" (3) NAS-Port = 0 (3) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (3) Calling-Station-Id = "88-53-2E-7C-FD-DA" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x023400060d00 (3) State = 0xe1b5c235e381cf190cf7c580ecd5b37c (3) Message-Authenticator = 0x3ed9b3db9703668243209cb24444213b (3) session-state: No cached attributes (3) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) ntdomain: Checking for prefix before "\" (3) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (3) ntdomain: No such realm "NULL" (3) [ntdomain] = noop (3) eap: Peer sent EAP Response (code 2) ID 52 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xe1b5c235e381cf19 (3) eap: Finished EAP session with state 0xe1b5c235e381cf19 (3) eap: Previous EAP request found for state 0xe1b5c235e381cf19, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: Continuing EAP-TLS (3) eap_tls: Peer ACKed our handshake fragment (3) eap_tls: [eaptls verify] = request (3) eap_tls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 53 length 802 (3) eap: EAP session adding &reply:State = 0xe1b5c235e280cf19 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 30 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (3) EAP-Message = 0x013503220d8000000adc57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa1329 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xe1b5c235e280cf190cf7c580ecd5b37c (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 31 from 10.10.2.5:32809 to 10.10.0.238:1812 length 1535 (4) User-Name = "host/TElsberry10-Tab" (4) NAS-IP-Address = 10.10.2.5 (4) NAS-Identifier = "dc9fdb7003d4" (4) NAS-Port = 0 (4) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (4) Calling-Station-Id = "88-53-2E-7C-FD-DA" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x023505370d800000052d16030304f50b0003a30003a000039d3082039930820281a0030201020202009c300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c30 (4) State = 0xe1b5c235e280cf190cf7c580ecd5b37c (4) Message-Authenticator = 0xe4d02148bbf11903f7995c2ea5760ecc (4) session-state: No cached attributes (4) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) ntdomain: Checking for prefix before "\" (4) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (4) ntdomain: No such realm "NULL" (4) [ntdomain] = noop (4) eap: Peer sent EAP Response (code 2) ID 53 length 1335 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xe1b5c235e280cf19 (4) eap: Finished EAP session with state 0xe1b5c235e280cf19 (4) eap: Previous EAP request found for state 0xe1b5c235e280cf19, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: Continuing EAP-TLS (4) eap_tls: Peer indicated complete TLS record size will be 1325 bytes (4) eap_tls: Got complete TLS record (1325 bytes) (4) eap_tls: [eaptls verify] = length included (4) eap_tls: <<< recv TLS 1.2 [length 03a7] (4) eap_tls: Creating attributes from certificate OIDs (4) eap_tls: TLS-Cert-Serial := "a793227a08ee79ec" (4) eap_tls: TLS-Cert-Expiration := "400316212404Z" (4) eap_tls: TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority" (4) eap_tls: Creating attributes from certificate OIDs (4) eap_tls: TLS-Client-Cert-Serial := "9c" (4) eap_tls: TLS-Client-Cert-Expiration := "260822222730Z" (4) eap_tls: TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab@rsd.net" (4) eap_tls: TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Client-Cert-Common-Name := "TElsberry10-Tab" (4) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (4) eap_tls: TLS_accept: SSLv3 read client certificate A (4) eap_tls: <<< recv TLS 1.2 [length 0046] (4) eap_tls: TLS_accept: SSLv3 read client key exchange A (4) eap_tls: <<< recv TLS 1.2 [length 0108] (4) eap_tls: TLS_accept: SSLv3 read certificate verify A (4) eap_tls: <<< recv TLS 1.2 [length 0001] (4) eap_tls: <<< recv TLS 1.2 [length 0010] (4) eap_tls: TLS_accept: SSLv3 read finished A (4) eap_tls: >>> send TLS 1.2 [length 0001] (4) eap_tls: TLS_accept: SSLv3 write change cipher spec A (4) eap_tls: >>> send TLS 1.2 [length 0010] (4) eap_tls: TLS_accept: SSLv3 write finished A (4) eap_tls: TLS_accept: SSLv3 flush data (4) eap_tls: (other): SSL negotiation finished successfully (4) eap_tls: SSL Connection Established (4) eap_tls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 54 length 61 (4) eap: EAP session adding &reply:State = 0xe1b5c235e583cf19 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 31 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (4) EAP-Message = 0x0136003d0d8000000033140303000101160303002842b8eeefd7fa470e6317261c9fbe1ab5c6ba81a8691930eecd62774bb3bd248f9cbfac2dc45404ec (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe1b5c235e583cf190cf7c580ecd5b37c (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 32 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (5) User-Name = "host/TElsberry10-Tab" (5) NAS-IP-Address = 10.10.2.5 (5) NAS-Identifier = "dc9fdb7003d4" (5) NAS-Port = 0 (5) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (5) Calling-Station-Id = "88-53-2E-7C-FD-DA" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x023600060d00 (5) State = 0xe1b5c235e583cf190cf7c580ecd5b37c (5) Message-Authenticator = 0xb44d62e8c23068a4e0c13849488f835d (5) session-state: No cached attributes (5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) ntdomain: Checking for prefix before "\" (5) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (5) ntdomain: No such realm "NULL" (5) [ntdomain] = noop (5) eap: Peer sent EAP Response (code 2) ID 54 length 6 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe1b5c235e583cf19 (5) eap: Finished EAP session with state 0xe1b5c235e583cf19 (5) eap: Previous EAP request found for state 0xe1b5c235e583cf19, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: Continuing EAP-TLS (5) eap_tls: Peer ACKed our handshake fragment. handshake is finished (5) eap_tls: [eaptls verify] = success (5) eap_tls: [eaptls process] = success (5) eap_tls: caching TLS-Cert-Serial := "a793227a08ee79ec" (5) eap_tls: caching TLS-Cert-Expiration := "400316212404Z" (5) eap_tls: caching TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Client-Cert-Serial := "9c" (5) eap_tls: caching TLS-Client-Cert-Expiration := "260822222730Z" (5) eap_tls: caching TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab@rsd.net" (5) eap_tls: caching TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Client-Cert-Common-Name := "TElsberry10-Tab" (5) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (5) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (5) eap: Sending EAP Success (code 3) ID 54 length 4 (5) eap: Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default (5) post-auth { (5) if (!&reply:State) { (5) if (!&reply:State) -> TRUE (5) if (!&reply:State) { (5) update reply { (5) EXPAND 0x%{randstr:16h} (5) --> 0x20d7cf39b7874998bcfb45bb907815d98a (5) State := 0x20d7cf39b7874998bcfb45bb907815d98a (5) } # update reply = noop (5) } # if (!&reply:State) = noop (5) update { (5) No attributes updated (5) } # update = noop (5) [exec] = noop (5) if (Ldap-Group == "WiFi") { (5) Searching for user in group "WiFi" rlm_ldap (ldap): Reserved connection (0) (5) EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (5) --> (sAMAccountName=host/TElsberry10-Tab) (5) Performing search in "dc=rsdtc,dc=com" with filter "(sAMAccountName=host/TElsberry10-Tab)", scope "sub" (5) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.RSDTC.COM/DC=ForestDnsZones,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.RSDTC.COM/DC=DomainDnsZones,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://RSDTC.COM/CN=Configuration,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (5) Search returned no results rlm_ldap (ldap): Deleting connection (0) rlm_ldap (ldap): Need 6 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) if (Ldap-Group == "WiFi") -> FALSE (5) else { (5) [reject] = reject (5) } # else = reject (5) } # post-auth = reject (5) Using Post-Auth-Type Reject (5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) [eap] = noop (5) } # Post-Auth-Type REJECT = noop (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 32 from 10.10.0.238:1812 to 10.10.2.5:32809 length 201 (5) MS-MPPE-Recv-Key = 0xdc168503ebb9e9734af7d32965b70a9405abf628204ab5e1dd626bccc9e820d0 (5) MS-MPPE-Send-Key = 0xd395f9b1bcb934dc4ccdfeb8e7bb2bd26d136d1ec1eadb9770d165200a08d35e (5) EAP-Message = 0x03360004 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) User-Name = "host/TElsberry10-Tab" (5) State := 0x20d7cf39b7874998bcfb45bb907815d98a Waking up in 3.7 seconds. (0) Cleaning up request packet ID 27 with timestamp +6 (1) Cleaning up request packet ID 28 with timestamp +6 (2) Cleaning up request packet ID 29 with timestamp +6 (3) Cleaning up request packet ID 30 with timestamp +6 (4) Cleaning up request packet ID 31 with timestamp +6 (5) Cleaning up request packet ID 32 with timestamp +6 Ready to process requests