Hi Alan I have updated the system to the following version, which includes your last patches: root@id-radiustest1:/etc/freeradius# freeradius -v radiusd: FreeRADIUS Version 3.2.9 (git #8efdca0c6), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.2.9 Again, this is the situation i am fighting with and maybe you have an finger point, what else I can try to „workaround“ the disadvantages with your current setup: - FreeRADIUS 3.2.9 - PEAP with MS-CHAPv2 - Proxying is always done internally / locally first - ONLY the inner tunnel is proxied to a Microsoft NPS server - the MS NPS server is not able to return the inner username in the Access-Accept message - I hit defect / bug #5288: "[defect]: session-state is empty in post_auth section after proxying request to home server, branch 3.2.x“ - I will change our setup to „not doing internal proxying“ in the near future, but this takes time and I will have to involve another team, which takes care of the Microsoft server infrastructure —> I know, this will help in the future, but as I said, not changeble in a timely fashion - Files involved (in my opinion): sites-available/default, sites-available/proxy-inner-tunnel, mods-available/eap I have tried to save the inner username to an attribute called locInner-User-Name in either the session-state namespace (which is affected by the defect / bug #5288) or another namespace like control. In both cases, the variable is not persistent till the end of the RADIUS process, please see debug output below. Again, do you have any idea how to overcome the actual situation with our setup (internal proxying) and the current defect / bug #5288? Any help is appreciated. Regards Dominic (0) Received Access-Request Id 0 from 127.0.0.1:58298 to 127.0.0.1:1812 length 177 (0) User-Name = "anonymous@example.com" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Called-Station-Id = "11-22-33-44-55-66:eduroam" (0) EAP-Message = 0x020d001701616e6f6e796d6f757340756e6962652e6368 (0) Message-Authenticator = 0x06c1c680b3ef95df1202c79fb45166a2 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 11-22-33-44-55-66 (0) &Called-Station-Id := 11-22-33-44-55-66 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> eduroam (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> eduroam (0) &Called-Station-SSID := eduroam (0) EXPAND %{Called-Station-Id}:%{8} (0) --> 11-22-33-44-55-66:eduroam (0) &Called-Station-Id := 11-22-33-44-55-66:eduroam (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 02-00-00-00-00-01 (0) &Calling-Station-Id := 02-00-00-00-00-01 (0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (0) --> 02:00:00:00:00:01 (0) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) if (Service-Type == Call-Check) { (0) if (Service-Type == Call-Check) -> FALSE (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (EAP-Message) { (0) if (EAP-Message) -> TRUE (0) if (EAP-Message) { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = updated (0) } # policy filter_username = updated (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (0) suffix: Found realm "EXAMPLE.COM" (0) suffix: Adding Realm = "EXAMPLE.COM" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) policy deny_no_realm { (0) if (User-Name && (User-Name !~ /@/)) { (0) if (User-Name && (User-Name !~ /@/)) -> FALSE (0) } # policy deny_no_realm = updated (0) update request { (0) EXPAND %{toupper:%{Realm}} (0) --> EXAMPLE.COM (0) Realm := EXAMPLE.COM (0) } # update request = noop (0) eap: Peer sent EAP Response (code 2) ID 13 length 23 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # if (EAP-Message) = ok (0) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (0) } # authorize = updated (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type eap { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Using default_eap_type = PEAP (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) PEAP -Initiating new session (0) eap: Sending EAP Request (code 1) ID 14 length 6 (0) eap: EAP session adding &reply:State = 0xafa7dc71afa9c54b (0) [eap] = handled (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) EXPAND Response-Packet-Type (0) --> Access-Challenge (0) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) attr_filter.access_challenge: EXPAND %{User-Name} (0) attr_filter.access_challenge: --> anonymous@example.com (0) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (0) [attr_filter.access_challenge.post-auth] = updated (0) [handled] = handled (0) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (0) } # Auth-Type eap = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) session-state: Saving cached attributes for server default (0) Framed-MTU = 1014 (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:58298 length 64 (0) EAP-Message = 0x010e00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xafa7dc71afa9c54bd50cde17df51e2b7 (0) Finished request Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 1 from 127.0.0.1:58298 to 127.0.0.1:1812 length 366 (1) User-Name = "anonymous@example.com" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) Called-Station-Id = "11-22-33-44-55-66:eduroam" (1) EAP-Message = 0x020e00c21980000000b816030100b3010000af0303a6603acb0ad334b1a7514619e97a2ed5509c041248ca4cc446156e535d62be04000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0xafa7dc71afa9c54bd50cde17df51e2b7 (1) Message-Authenticator = 0xf80e555becc8e15c44c723043ac11b4b (1) session-state: Restoring attributes for server default (1) &session-state:Framed-MTU = 1014 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 11-22-33-44-55-66 (1) &Called-Station-Id := 11-22-33-44-55-66 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> eduroam (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> eduroam (1) &Called-Station-SSID := eduroam (1) EXPAND %{Called-Station-Id}:%{8} (1) --> 11-22-33-44-55-66:eduroam (1) &Called-Station-Id := 11-22-33-44-55-66:eduroam (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 02-00-00-00-00-01 (1) &Calling-Station-Id := 02-00-00-00-00-01 (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 02:00:00:00:00:01 (1) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if (Service-Type == Call-Check) { (1) if (Service-Type == Call-Check) -> FALSE (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (EAP-Message) { (1) if (EAP-Message) -> TRUE (1) if (EAP-Message) { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = updated (1) } # policy filter_username = updated (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (1) suffix: Found realm "EXAMPLE.COM" (1) suffix: Adding Realm = "EXAMPLE.COM" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) policy deny_no_realm { (1) if (User-Name && (User-Name !~ /@/)) { (1) if (User-Name && (User-Name !~ /@/)) -> FALSE (1) } # policy deny_no_realm = updated (1) update request { (1) EXPAND %{toupper:%{Realm}} (1) --> EXAMPLE.COM (1) Realm := EXAMPLE.COM (1) } # update request = noop (1) eap: Peer sent EAP Response (code 2) ID 14 length 194 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # if (EAP-Message) = ok (1) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Auth-Type eap { (1) eap: Removing EAP session with state 0xafa7dc71afa9c54b (1) eap: Previous EAP request found for state 0xafa7dc71afa9c54b, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) EAP Peer says that the final record size will be 184 bytes (1) eap_peap: (TLS) EAP Got all data (184 bytes) (1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 15 length 1024 (1) eap: EAP session adding &reply:State = 0xafa7dc71aea8c54b (1) [eap] = handled (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) attr_filter.access_challenge: EXPAND %{User-Name} (1) attr_filter.access_challenge: --> anonymous@example.com (1) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (1) [attr_filter.access_challenge.post-auth] = updated (1) [handled] = handled (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (1) } # Auth-Type eap = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) session-state: Saving cached attributes for server default (1) Framed-MTU = 1014 (1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1090 (1) EAP-Message = 0x010f040019c000001135160303003d020000390303c6dc5fc2f65c269aa22fac4d563962cfd78795555dc90102444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xafa7dc71aea8c54bd50cde17df51e2b7 (1) Finished request Thread 2 waiting to be assigned a request Thread 5 got semaphore Thread 5 handling request 2, (1 handled so far) (2) Received Access-Request Id 2 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (2) User-Name = "anonymous@example.com" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) Called-Station-Id = "11-22-33-44-55-66:eduroam" (2) EAP-Message = 0x020f00061900 (2) State = 0xafa7dc71aea8c54bd50cde17df51e2b7 (2) Message-Authenticator = 0xc0f08954ac4322ac403afe73ba484134 (2) session-state: Restoring attributes for server default (2) &session-state:Framed-MTU = 1014 (2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" Waking up in 0.3 seconds. (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 11-22-33-44-55-66 (2) &Called-Station-Id := 11-22-33-44-55-66 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> eduroam (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> eduroam (2) &Called-Station-SSID := eduroam (2) EXPAND %{Called-Station-Id}:%{8} (2) --> 11-22-33-44-55-66:eduroam (2) &Called-Station-Id := 11-22-33-44-55-66:eduroam (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 02-00-00-00-00-01 (2) &Calling-Station-Id := 02-00-00-00-00-01 (2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 02:00:00:00:00:01 (2) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (Service-Type == Call-Check) { (2) if (Service-Type == Call-Check) -> FALSE (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (EAP-Message) { (2) if (EAP-Message) -> TRUE (2) if (EAP-Message) { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = updated (2) } # policy filter_username = updated (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (2) suffix: Found realm "EXAMPLE.COM" (2) suffix: Adding Realm = "EXAMPLE.COM" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) policy deny_no_realm { (2) if (User-Name && (User-Name !~ /@/)) { (2) if (User-Name && (User-Name !~ /@/)) -> FALSE (2) } # policy deny_no_realm = updated (2) update request { (2) EXPAND %{toupper:%{Realm}} (2) --> EXAMPLE.COM (2) Realm := EXAMPLE.COM (2) } # update request = noop (2) eap: Peer sent EAP Response (code 2) ID 15 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # if (EAP-Message) = ok (2) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Auth-Type eap { (2) eap: Removing EAP session with state 0xafa7dc71aea8c54b (2) eap: Previous EAP request found for state 0xafa7dc71aea8c54b, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 16 length 1020 (2) eap: EAP session adding &reply:State = 0xafa7dc71adb7c54b (2) [eap] = handled (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) EXPAND Response-Packet-Type (2) --> Access-Challenge (2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) attr_filter.access_challenge: EXPAND %{User-Name} (2) attr_filter.access_challenge: --> anonymous@example.com (2) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (2) [attr_filter.access_challenge.post-auth] = updated (2) [handled] = handled (2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (2) } # Auth-Type eap = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) session-state: Saving cached attributes for server default (2) Framed-MTU = 1014 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (2) EAP-Message = 0x011003fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xafa7dc71adb7c54bd50cde17df51e2b7 (2) Finished request Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 3, (1 handled so far) (3) Received Access-Request Id 3 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (3) User-Name = "anonymous@example.com" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) Called-Station-Id = "11-22-33-44-55-66:eduroam" (3) EAP-Message = 0x021000061900 (3) State = 0xafa7dc71adb7c54bd50cde17df51e2b7 (3) Message-Authenticator = 0xcb3fb191e4250283a6d6250e964b3200 (3) session-state: Restoring attributes for server default (3) &session-state:Framed-MTU = 1014 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 11-22-33-44-55-66 (3) &Called-Station-Id := 11-22-33-44-55-66 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> eduroam (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> eduroam (3) &Called-Station-SSID := eduroam (3) EXPAND %{Called-Station-Id}:%{8} (3) --> 11-22-33-44-55-66:eduroam (3) &Called-Station-Id := 11-22-33-44-55-66:eduroam (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 02-00-00-00-00-01 (3) &Calling-Station-Id := 02-00-00-00-00-01 (3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> 02:00:00:00:00:01 (3) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) if (Service-Type == Call-Check) { (3) if (Service-Type == Call-Check) -> FALSE (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (EAP-Message) { (3) if (EAP-Message) -> TRUE (3) if (EAP-Message) { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = updated (3) } # policy filter_username = updated (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (3) suffix: Found realm "EXAMPLE.COM" (3) suffix: Adding Realm = "EXAMPLE.COM" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) policy deny_no_realm { (3) if (User-Name && (User-Name !~ /@/)) { (3) if (User-Name && (User-Name !~ /@/)) -> FALSE (3) } # policy deny_no_realm = updated (3) update request { (3) EXPAND %{toupper:%{Realm}} (3) --> EXAMPLE.COM (3) Realm := EXAMPLE.COM (3) } # update request = noop (3) eap: Peer sent EAP Response (code 2) ID 16 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # if (EAP-Message) = ok (3) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Auth-Type eap { (3) eap: Removing EAP session with state 0xafa7dc71adb7c54b (3) eap: Previous EAP request found for state 0xafa7dc71adb7c54b, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 17 length 1020 (3) eap: EAP session adding &reply:State = 0xafa7dc71acb6c54b (3) [eap] = handled (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) EXPAND Response-Packet-Type (3) --> Access-Challenge (3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) attr_filter.access_challenge: EXPAND %{User-Name} (3) attr_filter.access_challenge: --> anonymous@example.com (3) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (3) [attr_filter.access_challenge.post-auth] = updated (3) [handled] = handled (3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (3) } # Auth-Type eap = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) session-state: Saving cached attributes for server default (3) Framed-MTU = 1014 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (3) EAP-Message = 0x011103fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xafa7dc71acb6c54bd50cde17df51e2b7 (3) Finished request Thread 1 waiting to be assigned a request Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 4, (1 handled so far) (4) Received Access-Request Id 4 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (4) User-Name = "anonymous@example.com" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) Called-Station-Id = "11-22-33-44-55-66:eduroam" (4) EAP-Message = 0x021100061900 (4) State = 0xafa7dc71acb6c54bd50cde17df51e2b7 (4) Message-Authenticator = 0x95ae360623a91d8e19ce9b76b3238fad (4) session-state: Restoring attributes for server default (4) &session-state:Framed-MTU = 1014 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 11-22-33-44-55-66 (4) &Called-Station-Id := 11-22-33-44-55-66 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> eduroam (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> eduroam (4) &Called-Station-SSID := eduroam (4) EXPAND %{Called-Station-Id}:%{8} (4) --> 11-22-33-44-55-66:eduroam (4) &Called-Station-Id := 11-22-33-44-55-66:eduroam (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) policy rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 02-00-00-00-00-01 (4) &Calling-Station-Id := 02-00-00-00-00-01 (4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> 02:00:00:00:00:01 (4) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_calling_station_id = updated (4) if (Service-Type == Call-Check) { (4) if (Service-Type == Call-Check) -> FALSE (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (EAP-Message) { (4) if (EAP-Message) -> TRUE (4) if (EAP-Message) { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = updated (4) } # policy filter_username = updated (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (4) suffix: Found realm "EXAMPLE.COM" (4) suffix: Adding Realm = "EXAMPLE.COM" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) policy deny_no_realm { (4) if (User-Name && (User-Name !~ /@/)) { (4) if (User-Name && (User-Name !~ /@/)) -> FALSE (4) } # policy deny_no_realm = updated (4) update request { (4) EXPAND %{toupper:%{Realm}} (4) --> EXAMPLE.COM (4) Realm := EXAMPLE.COM (4) } # update request = noop (4) eap: Peer sent EAP Response (code 2) ID 17 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # if (EAP-Message) = ok (4) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Auth-Type eap { (4) eap: Removing EAP session with state 0xafa7dc71acb6c54b (4) eap: Previous EAP request found for state 0xafa7dc71acb6c54b, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 18 length 1020 (4) eap: EAP session adding &reply:State = 0xafa7dc71abb5c54b (4) [eap] = handled (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) EXPAND Response-Packet-Type (4) --> Access-Challenge (4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) attr_filter.access_challenge: EXPAND %{User-Name} (4) attr_filter.access_challenge: --> anonymous@example.com (4) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (4) [attr_filter.access_challenge.post-auth] = updated (4) [handled] = handled (4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (4) } # Auth-Type eap = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) session-state: Saving cached attributes for server default (4) Framed-MTU = 1014 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (4) EAP-Message = 0x011203fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xafa7dc71abb5c54bd50cde17df51e2b7 (4) Finished request Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 5, (2 handled so far) (5) Received Access-Request Id 5 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (5) User-Name = "anonymous@example.com" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) Called-Station-Id = "11-22-33-44-55-66:eduroam" (5) EAP-Message = 0x021200061900 (5) State = 0xafa7dc71abb5c54bd50cde17df51e2b7 (5) Message-Authenticator = 0x110895b87d5f426939588767952b980e (5) session-state: Restoring attributes for server default (5) &session-state:Framed-MTU = 1014 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 11-22-33-44-55-66 (5) &Called-Station-Id := 11-22-33-44-55-66 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> eduroam (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> eduroam (5) &Called-Station-SSID := eduroam (5) EXPAND %{Called-Station-Id}:%{8} (5) --> 11-22-33-44-55-66:eduroam (5) &Called-Station-Id := 11-22-33-44-55-66:eduroam Thread 3 waiting to be assigned a request (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) policy rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 02-00-00-00-00-01 (5) &Calling-Station-Id := 02-00-00-00-00-01 (5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> 02:00:00:00:00:01 (5) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_calling_station_id = updated (5) if (Service-Type == Call-Check) { (5) if (Service-Type == Call-Check) -> FALSE (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (EAP-Message) { (5) if (EAP-Message) -> TRUE (5) if (EAP-Message) { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = updated (5) } # policy filter_username = updated (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (5) suffix: Found realm "EXAMPLE.COM" (5) suffix: Adding Realm = "EXAMPLE.COM" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) policy deny_no_realm { (5) if (User-Name && (User-Name !~ /@/)) { (5) if (User-Name && (User-Name !~ /@/)) -> FALSE (5) } # policy deny_no_realm = updated (5) update request { (5) EXPAND %{toupper:%{Realm}} (5) --> EXAMPLE.COM (5) Realm := EXAMPLE.COM (5) } # update request = noop (5) eap: Peer sent EAP Response (code 2) ID 18 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # if (EAP-Message) = ok (5) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Auth-Type eap { (5) eap: Removing EAP session with state 0xafa7dc71abb5c54b (5) eap: Previous EAP request found for state 0xafa7dc71abb5c54b, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 19 length 355 (5) eap: EAP session adding &reply:State = 0xafa7dc71aab4c54b (5) [eap] = handled (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) EXPAND Response-Packet-Type (5) --> Access-Challenge (5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) attr_filter.access_challenge: EXPAND %{User-Name} (5) attr_filter.access_challenge: --> anonymous@example.com (5) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (5) [attr_filter.access_challenge.post-auth] = updated (5) [handled] = handled (5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (5) } # Auth-Type eap = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) session-state: Saving cached attributes for server default (5) Framed-MTU = 1014 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:58298 length 415 (5) EAP-Message = 0x01130163190032b6160303014d0c0001490300174104d6c25131955fa9d5a32b82fe0c9946faa04077b64b76fd5f22e57029916c464206ae3b257202f4dbdfe1e232fefa15c33e76d79f90734cf2cf51224d83add402080401002b481341defb4b68e8c1fc1c89928bbfe7b34c4a6c331e2dad3c23fe2c97e36be88fa8f03eaa3a37f4597fc8e7a5130b15b6b117d6efa5ed8e41e380f60275bc361a21ef3c3c38d0f7ce1caa34748c3fdbd13176c71bfeff614668912c8443e2407d4d63bbf843c0a48ca4bb96050bf1339d63a54c7c1b81c37da94df70b03b93de626466c45c241c1592bc18764d5903b6190312461866f0daff4b4d07877be03946eb340cbb691bf61dbbe7c00c574447f2cfc213997406f40b375840bec78e375f39ecf5fae42e505a91676c8db7e5e4d11e13ab14cf87ed90a14a404ed4bc0792b060a1fcb096483e0ec609bc243a47d7f84a135bcfa4fcfa863ab7a2ee316030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xafa7dc71aab4c54bd50cde17df51e2b7 (5) Finished request Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 6, (2 handled so far) (6) Received Access-Request Id 6 from 127.0.0.1:58298 to 127.0.0.1:1812 length 308 (6) User-Name = "anonymous@example.com" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) Called-Station-Id = "11-22-33-44-55-66:eduroam" (6) EAP-Message = 0x0213008819800000007e1603030046100000424104cde4725a02e51628adb570203425942e8376b7eb917052c91cf73ee58f4549727707cefd46163decb23e5bce3a9abbc967fd7ee5b51977503f6af2fbb44023e1140303000101160303002875b785dd798fea122dc888bf79c0739b1388ab79106c0ebdcd9b56ddf7860757295939c2bc9b9c1f (6) State = 0xafa7dc71aab4c54bd50cde17df51e2b7 (6) Message-Authenticator = 0x3f4dfe266ae453efe5a645253d32a41f (6) session-state: Restoring attributes for server default (6) &session-state:Framed-MTU = 1014 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 11-22-33-44-55-66 (6) &Called-Station-Id := 11-22-33-44-55-66 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> eduroam (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> eduroam (6) &Called-Station-SSID := eduroam (6) EXPAND %{Called-Station-Id}:%{8} (6) --> 11-22-33-44-55-66:eduroam (6) &Called-Station-Id := 11-22-33-44-55-66:eduroam (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 02-00-00-00-00-01 (6) &Calling-Station-Id := 02-00-00-00-00-01 (6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> 02:00:00:00:00:01 (6) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) if (Service-Type == Call-Check) { (6) if (Service-Type == Call-Check) -> FALSE (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (EAP-Message) { (6) if (EAP-Message) -> TRUE (6) if (EAP-Message) { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = updated (6) } # policy filter_username = updated (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (6) suffix: Found realm "EXAMPLE.COM" (6) suffix: Adding Realm = "EXAMPLE.COM" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) policy deny_no_realm { (6) if (User-Name && (User-Name !~ /@/)) { (6) if (User-Name && (User-Name !~ /@/)) -> FALSE (6) } # policy deny_no_realm = updated (6) update request { (6) EXPAND %{toupper:%{Realm}} (6) --> EXAMPLE.COM (6) Realm := EXAMPLE.COM (6) } # update request = noop (6) eap: Peer sent EAP Response (code 2) ID 19 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # if (EAP-Message) = ok (6) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Auth-Type eap { (6) eap: Removing EAP session with state 0xafa7dc71aab4c54b (6) eap: Previous EAP request found for state 0xafa7dc71aab4c54b, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) PEAP - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 20 length 57 (6) eap: EAP session adding &reply:State = 0xafa7dc71a9b3c54b (6) [eap] = handled (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) EXPAND Response-Packet-Type (6) --> Access-Challenge (6) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) attr_filter.access_challenge: EXPAND %{User-Name} (6) attr_filter.access_challenge: --> anonymous@example.com (6) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (6) [attr_filter.access_challenge.post-auth] = updated (6) [handled] = handled (6) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (6) } # Auth-Type eap = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) session-state: Saving cached attributes for server default (6) Framed-MTU = 1014 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:58298 length 115 (6) EAP-Message = 0x011400391900140303000101160303002864f52ed12ea54c8db9ec40c1c930f12216b536521fe729a169e6512baba1fb9f4254162bc18808f0 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7 (6) Finished request Thread 2 waiting to be assigned a request Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 7, (2 handled so far) (7) Received Access-Request Id 7 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (7) User-Name = "anonymous@example.com" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) Called-Station-Id = "11-22-33-44-55-66:eduroam" (7) EAP-Message = 0x021400061900 (7) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7 (7) Message-Authenticator = 0xcb8cc4aaf40234fb76c6e2771c68a54d (7) session-state: Restoring attributes for server default (7) &session-state:Framed-MTU = 1014 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 11-22-33-44-55-66 (7) &Called-Station-Id := 11-22-33-44-55-66 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> eduroam (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> eduroam (7) &Called-Station-SSID := eduroam (7) EXPAND %{Called-Station-Id}:%{8} (7) --> 11-22-33-44-55-66:eduroam (7) &Called-Station-Id := 11-22-33-44-55-66:eduroam (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) policy rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 02-00-00-00-00-01 (7) &Calling-Station-Id := 02-00-00-00-00-01 (7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7) --> 02:00:00:00:00:01 (7) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_calling_station_id = updated (7) if (Service-Type == Call-Check) { (7) if (Service-Type == Call-Check) -> FALSE (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (EAP-Message) { (7) if (EAP-Message) -> TRUE (7) if (EAP-Message) { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = updated (7) } # policy filter_username = updated (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (7) suffix: Found realm "EXAMPLE.COM" (7) suffix: Adding Realm = "EXAMPLE.COM" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) policy deny_no_realm { (7) if (User-Name && (User-Name !~ /@/)) { (7) if (User-Name && (User-Name !~ /@/)) -> FALSE (7) } # policy deny_no_realm = updated (7) update request { (7) EXPAND %{toupper:%{Realm}} (7) --> EXAMPLE.COM (7) Realm := EXAMPLE.COM (7) } # update request = noop (7) eap: Peer sent EAP Response (code 2) ID 20 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # if (EAP-Message) = ok (7) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Auth-Type eap { (7) eap: Removing EAP session with state 0xafa7dc71a9b3c54b (7) eap: Previous EAP request found for state 0xafa7dc71a9b3c54b, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 21 length 40 (7) eap: EAP session adding &reply:State = 0xafa7dc71a8b2c54b (7) [eap] = handled (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) EXPAND Response-Packet-Type (7) --> Access-Challenge (7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) attr_filter.access_challenge: EXPAND %{User-Name} (7) attr_filter.access_challenge: --> anonymous@example.com (7) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (7) [attr_filter.access_challenge.post-auth] = updated (7) [handled] = handled (7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (7) } # Auth-Type eap = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) session-state: Saving cached attributes for server default (7) Framed-MTU = 1014 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:58298 length 98 (7) EAP-Message = 0x011500281900170303001d64f52ed12ea54c8e39e6e9ae296be6f270041366136e149607ad91f48e (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7 (7) Finished request Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 8, (2 handled so far) (8) Received Access-Request Id 8 from 127.0.0.1:58298 to 127.0.0.1:1812 length 231 (8) User-Name = "anonymous@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id = "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id = "11-22-33-44-55-66:eduroam" (8) EAP-Message = 0x0215003b1900170303003075b785dd798fea13d1e6304c1b7160227a0e83e6dc155dc3cd1f3fe96cf86c7daeac8cef201b136415b1f64de9552925 (8) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7 (8) Message-Authenticator = 0x91788ea1d6feeaa72a328302eccee0fc (8) session-state: Restoring attributes for server default (8) &session-state:Framed-MTU = 1014 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 11-22-33-44-55-66 (8) &Called-Station-Id := 11-22-33-44-55-66 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> eduroam (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> eduroam (8) &Called-Station-SSID := eduroam (8) EXPAND %{Called-Station-Id}:%{8} (8) --> 11-22-33-44-55-66:eduroam (8) &Called-Station-Id := 11-22-33-44-55-66:eduroam (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) policy rewrite_calling_station_id { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 02-00-00-00-00-01 (8) &Calling-Station-Id := 02-00-00-00-00-01 (8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8) --> 02:00:00:00:00:01 (8) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (8) } # update request = noop (8) [updated] = updated (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_calling_station_id = updated (8) if (Service-Type == Call-Check) { (8) if (Service-Type == Call-Check) -> FALSE (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (EAP-Message) { (8) if (EAP-Message) -> TRUE (8) if (EAP-Message) { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = updated (8) } # policy filter_username = updated (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (8) suffix: Found realm "EXAMPLE.COM" (8) suffix: Adding Realm = "EXAMPLE.COM" (8) suffix: Authentication realm is LOCAL (8) [suffix] = ok (8) policy deny_no_realm { (8) if (User-Name && (User-Name !~ /@/)) { (8) if (User-Name && (User-Name !~ /@/)) -> FALSE (8) } # policy deny_no_realm = updated (8) update request { (8) EXPAND %{toupper:%{Realm}} (8) --> EXAMPLE.COM (8) Realm := EXAMPLE.COM (8) } # update request = noop (8) eap: Peer sent EAP Response (code 2) ID 21 length 59 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # if (EAP-Message) = ok (8) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Auth-Type eap { (8) eap: Removing EAP session with state 0xafa7dc71a8b2c54b (8) eap: Previous EAP request found for state 0xafa7dc71a8b2c54b, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - user@example.com (8) eap_peap: Got inner identity 'user@example.com' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: Setting User-Name to user@example.com (8) eap_peap: Sending tunneled request to proxy-inner-tunnel (8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "user@example.com" (8) eap_peap: NAS-IP-Address = 127.0.0.1 (8) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (8) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Virtual server proxy-inner-tunnel received request (8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "user@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) server proxy-inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (8) authorize { (8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (8) update outer.control { (8) EXPAND %{User-Name} (8) --> user@example.com (8) locInner-User-Name := user@example.com (8) } # update outer.control = noop (8) if (!NAS-Port-Type){ (8) if (!NAS-Port-Type) -> FALSE (8) update control { (8) &Proxy-To-Realm := REALM-NPS-DEV (8) } # update control = noop (8) } # authorize = noop (8) } # server proxy-inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (8) eap: WARNING: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) if (handled && (Response-Packet-Type == Access-Challenge)) { (8) EXPAND Response-Packet-Type (8) --> (8) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (8) } # Auth-Type eap = handled (8) Starting proxy to home server 2.2.2.2 port 1812 (8) server default { (8) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (8) pre-proxy { (8) attr_filter.pre-proxy: EXPAND %{Realm} (8) attr_filter.pre-proxy: --> EXAMPLE.COM (8) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (8) [attr_filter.pre-proxy] = updated (8) } # pre-proxy = updated (8) } (8) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (8) Sent Access-Request Id 8 from 0.0.0.0:52965 to 2.2.2.2:1812 length 165 (8) Operator-Name := "1EXAMPLE.COM" (8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) User-Name = "user@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) NAS-Port-Type = Wireless-802.11 (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Message-Authenticator = 0x (8) Proxy-State = 0x38 Thread 1 waiting to be assigned a request (8) Marking home server 2.2.2.2 port 1812 alive Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 8, (2 handled so far) (8) Received Access-Challenge Id 8 from 2.2.2.2:1812 to 1.1.1.1:52965 length 126 (8) Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04 (8) Proxy-State = 0x38 (8) Session-Timeout = 60 (8) EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632 (8) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (8) Clearing existing &reply: attributes (8) server default { (8) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (8) post-proxy { (8) attr_filter.post-proxy: EXPAND %{Realm} (8) attr_filter.post-proxy: --> EXAMPLE.COM (8) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (8) [attr_filter.post-proxy] = updated (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel (8) eap: Got tunneled reply RADIUS code 11 (8) eap: Tunnel-Type := VLAN (8) eap: Tunnel-Medium-Type := IEEE-802 (8) eap: Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04 (8) eap: Proxy-State = 0x38 (8) eap: EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632 (8) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (8) eap: Got tunneled Access-Challenge (8) eap: Reply was handled (8) eap: Sending EAP Request (code 1) ID 22 length 70 (8) eap: EAP session adding &reply:State = 0xafa7dc71a7b1c54b (8) [eap] = ok (8) update reply { (8) EXPAND %{control:locInner-User-Name} (8) --> user@example.com (8) &User-Name := user@example.com (8) } # update reply = noop (8) } # post-proxy = updated (8) } (8) session-state: Saving cached attributes for server default (8) Framed-MTU = 1014 (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:58298 length 153 (8) EAP-Message = 0x011600461900170303003b64f52ed12ea54c8f18512005c0151ef6bdf23f5a7ad4df27fbbbad944ae3352f168c363e09cab960ef0f81ff81dfdebc0eaac34b350227b3647f66 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7 (8) User-Name := "user@example.com" (8) Finished request Thread 3 waiting to be assigned a request Waking up in 0.2 seconds. Thread 4 got semaphore Thread 4 handling request 9, (3 handled so far) (9) Received Access-Request Id 9 from 127.0.0.1:58298 to 127.0.0.1:1812 length 285 (9) User-Name = "anonymous@example.com" (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id = "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id = "11-22-33-44-55-66:eduroam" (9) EAP-Message = 0x021600711900170303006675b785dd798fea14870e20dbbfa5338af5df058a43d9647480c865545aeabbd722b49d8021d29eab61642104c445a4eb8c06df995a802a2967ad27883f2de941c3fa2b208626eb79a87e2fb828ae327790dedf08f415bf5d51851abdb153ec11db68f1d29b52 (9) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7 (9) Message-Authenticator = 0x7056f3072ea11a647ea29135b157bb20 (9) session-state: No cached attributes for server default (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy rewrite_called_station_id { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 11-22-33-44-55-66 (9) &Called-Station-Id := 11-22-33-44-55-66 (9) } # update request = noop (9) if ("%{8}") { (9) EXPAND %{8} (9) --> eduroam (9) if ("%{8}") -> TRUE (9) if ("%{8}") { (9) update request { (9) EXPAND %{8} (9) --> eduroam (9) &Called-Station-SSID := eduroam (9) EXPAND %{Called-Station-Id}:%{8} (9) --> 11-22-33-44-55-66:eduroam (9) &Called-Station-Id := 11-22-33-44-55-66:eduroam (9) } # update request = noop (9) } # if ("%{8}") = noop (9) [updated] = updated (9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_called_station_id = updated (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 02-00-00-00-00-01 (9) &Calling-Station-Id := 02-00-00-00-00-01 (9) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9) --> 02:00:00:00:00:01 (9) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) if (Service-Type == Call-Check) { (9) if (Service-Type == Call-Check) -> FALSE (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (EAP-Message) { (9) if (EAP-Message) -> TRUE (9) if (EAP-Message) { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = updated (9) } # policy filter_username = updated (9) suffix: Checking for suffix after "@" (9) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (9) suffix: Found realm "EXAMPLE.COM" (9) suffix: Adding Realm = "EXAMPLE.COM" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) policy deny_no_realm { (9) if (User-Name && (User-Name !~ /@/)) { (9) if (User-Name && (User-Name !~ /@/)) -> FALSE (9) } # policy deny_no_realm = updated (9) update request { (9) EXPAND %{toupper:%{Realm}} (9) --> EXAMPLE.COM (9) Realm := EXAMPLE.COM (9) } # update request = noop (9) eap: Peer sent EAP Response (code 2) ID 22 length 113 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # if (EAP-Message) = ok (9) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Auth-Type eap { (9) eap: Removing EAP session with state 0xafa7dc71a7b1c54b (9) eap: Previous EAP request found for state 0xafa7dc71a7b1c54b, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: Setting User-Name to user@example.com (9) eap_peap: Sending tunneled request to proxy-inner-tunnel (9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "user@example.com" (9) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) eap_peap: NAS-IP-Address = 127.0.0.1 (9) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (9) eap_peap: Framed-MTU = 1400 (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (9) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Virtual server proxy-inner-tunnel received request (9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "user@example.com" (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) server proxy-inner-tunnel { (9) session-state: No cached attributes for server proxy-inner-tunnel (9) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (9) authorize { (9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (9) update outer.control { (9) EXPAND %{User-Name} (9) --> user@example.com (9) locInner-User-Name := user@example.com (9) } # update outer.control = noop (9) if (!NAS-Port-Type){ (9) if (!NAS-Port-Type) -> FALSE (9) update control { (9) &Proxy-To-Realm := REALM-NPS-DEV (9) } # update control = noop (9) } # authorize = noop (9) } # server proxy-inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (9) eap: WARNING: Tunneled session will be proxied. Not doing EAP (9) [eap] = handled (9) if (handled && (Response-Packet-Type == Access-Challenge)) { (9) EXPAND Response-Packet-Type (9) --> (9) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (9) } # Auth-Type eap = handled (9) Starting proxy to home server 2.2.2.2 port 1812 (9) server default { (9) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (9) pre-proxy { (9) attr_filter.pre-proxy: EXPAND %{Realm} (9) attr_filter.pre-proxy: --> EXAMPLE.COM (9) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (9) [attr_filter.pre-proxy] = updated (9) } # pre-proxy = updated (9) } (9) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (9) Sent Access-Request Id 9 from 0.0.0.0:52965 to 2.2.2.2:1812 length 257 (9) Operator-Name := "1EXAMPLE.COM" (9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) User-Name = "user@example.com" (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) NAS-Port-Type = Wireless-802.11 (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Message-Authenticator = 0x (9) Proxy-State = 0x39 Thread 4 waiting to be assigned a request Waking up in 0.2 seconds. Thread 2 got semaphore Thread 2 handling request 9, (3 handled so far) (9) Received Access-Challenge Id 9 from 2.2.2.2:1812 to 1.1.1.1:52965 length 138 (9) Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f (9) Proxy-State = 0x39 (9) Session-Timeout = 60 (9) EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) Clearing existing &reply: attributes (9) server default { (9) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (9) post-proxy { (9) attr_filter.post-proxy: EXPAND %{Realm} (9) attr_filter.post-proxy: --> EXAMPLE.COM (9) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (9) [attr_filter.post-proxy] = updated (9) eap: Doing post-proxy callback (9) eap: Passing reply from proxy back into the tunnel (9) eap: Got tunneled reply RADIUS code 11 (9) eap: Tunnel-Type := VLAN (9) eap: Tunnel-Medium-Type := IEEE-802 (9) eap: Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f (9) eap: Proxy-State = 0x39 (9) eap: EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (9) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) eap: Got tunneled Access-Challenge (9) eap: Reply was handled (9) eap: Sending EAP Request (code 1) ID 23 length 82 (9) eap: EAP session adding &reply:State = 0xafa7dc71a6b0c54b (9) [eap] = ok (9) update reply { (9) EXPAND %{control:locInner-User-Name} (9) --> user@example.com (9) &User-Name := user@example.com (9) } # update reply = noop (9) } # post-proxy = updated (9) } (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:58298 length 165 (9) EAP-Message = 0x011700521900170303004764f52ed12ea54c902b90dd600763d13a74ca5367c8fc00299e6e7c32c374e6250ed30140f7f089b51de255471b31f6a804cce004a5383471438d6333d4b042429f782af1c6c4e1 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7 (9) User-Name := "user@example.com" (9) Finished request Thread 2 waiting to be assigned a request Waking up in 0.2 seconds. Thread 5 got semaphore Thread 5 handling request 10, (3 handled so far) (10) Received Access-Request Id 10 from 127.0.0.1:58298 to 127.0.0.1:1812 length 209 (10) User-Name = "anonymous@example.com" (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id = "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id = "11-22-33-44-55-66:eduroam" (10) EAP-Message = 0x021700251900170303001a75b785dd798fea153b66975884eb245f9c132850db6c50233090 (10) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7 (10) Message-Authenticator = 0x8a9c6f10bc67225977d457aab3be0c04 (10) session-state: No cached attributes for server default (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) policy rewrite_called_station_id { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 11-22-33-44-55-66 (10) &Called-Station-Id := 11-22-33-44-55-66 (10) } # update request = noop (10) if ("%{8}") { (10) EXPAND %{8} (10) --> eduroam (10) if ("%{8}") -> TRUE (10) if ("%{8}") { (10) update request { (10) EXPAND %{8} (10) --> eduroam (10) &Called-Station-SSID := eduroam (10) EXPAND %{Called-Station-Id}:%{8} (10) --> 11-22-33-44-55-66:eduroam (10) &Called-Station-Id := 11-22-33-44-55-66:eduroam (10) } # update request = noop (10) } # if ("%{8}") = noop (10) [updated] = updated (10) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_called_station_id = updated (10) policy rewrite_calling_station_id { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 02-00-00-00-00-01 (10) &Calling-Station-Id := 02-00-00-00-00-01 (10) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10) --> 02:00:00:00:00:01 (10) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (10) } # update request = noop (10) [updated] = updated (10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_calling_station_id = updated (10) if (Service-Type == Call-Check) { (10) if (Service-Type == Call-Check) -> FALSE (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (EAP-Message) { (10) if (EAP-Message) -> TRUE (10) if (EAP-Message) { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = updated (10) } # policy filter_username = updated (10) suffix: Checking for suffix after "@" (10) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (10) suffix: Found realm "EXAMPLE.COM" (10) suffix: Adding Realm = "EXAMPLE.COM" (10) suffix: Authentication realm is LOCAL (10) [suffix] = ok (10) policy deny_no_realm { (10) if (User-Name && (User-Name !~ /@/)) { (10) if (User-Name && (User-Name !~ /@/)) -> FALSE (10) } # policy deny_no_realm = updated (10) update request { (10) EXPAND %{toupper:%{Realm}} (10) --> EXAMPLE.COM (10) Realm := EXAMPLE.COM (10) } # update request = noop (10) eap: Peer sent EAP Response (code 2) ID 23 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # if (EAP-Message) = ok (10) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Auth-Type eap { (10) eap: Removing EAP session with state 0xafa7dc71a6b0c54b (10) eap: Previous EAP request found for state 0xafa7dc71a6b0c54b, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x021700061a03 (10) eap_peap: Setting User-Name to user@example.com (10) eap_peap: Sending tunneled request to proxy-inner-tunnel (10) eap_peap: EAP-Message = 0x021700061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "user@example.com" (10) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) eap_peap: NAS-IP-Address = 127.0.0.1 (10) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (10) eap_peap: Framed-MTU = 1400 (10) eap_peap: NAS-Port-Type = Wireless-802.11 (10) eap_peap: Service-Type = Framed-User (10) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (10) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Virtual server proxy-inner-tunnel received request (10) EAP-Message = 0x021700061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "user@example.com" (10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) server proxy-inner-tunnel { (10) session-state: No cached attributes for server proxy-inner-tunnel (10) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (10) authorize { (10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (10) update outer.control { (10) EXPAND %{User-Name} (10) --> user@example.com (10) locInner-User-Name := user@example.com (10) } # update outer.control = noop (10) if (!NAS-Port-Type){ (10) if (!NAS-Port-Type) -> FALSE (10) update control { (10) &Proxy-To-Realm := REALM-NPS-DEV (10) } # update control = noop (10) } # authorize = noop (10) } # server proxy-inner-tunnel (10) Virtual server sending reply (10) eap_peap: Got tunneled reply code 0 (10) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (10) eap: WARNING: Tunneled session will be proxied. Not doing EAP (10) [eap] = handled (10) if (handled && (Response-Packet-Type == Access-Challenge)) { (10) EXPAND Response-Packet-Type (10) --> (10) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (10) } # Auth-Type eap = handled (10) Starting proxy to home server 2.2.2.2 port 1812 (10) server default { (10) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (10) pre-proxy { (10) attr_filter.pre-proxy: EXPAND %{Realm} (10) attr_filter.pre-proxy: --> EXAMPLE.COM (10) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (10) [attr_filter.pre-proxy] = updated (10) } # pre-proxy = updated (10) } (10) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (10) Sent Access-Request Id 10 from 0.0.0.0:52965 to 2.2.2.2:1812 length 182 (10) Operator-Name := "1EXAMPLE.COM" (10) EAP-Message = 0x021700061a03 (10) User-Name = "user@example.com" (10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) NAS-Port-Type = Wireless-802.11 (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Message-Authenticator = 0x (10) Proxy-State = 0x3130 Thread 5 waiting to be assigned a request Waking up in 0.2 seconds. Thread 1 got semaphore Thread 1 handling request 10, (3 handled so far) (10) Received Access-Accept Id 10 from 2.2.2.2:1812 to 1.1.1.1:52965 length 288 (10) Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f (10) Proxy-State = 0x3130 (10) Class = 0x7374616666 (10) Filter-Id = "staff" (10) Framed-Protocol = PPP (10) Service-Type = Framed-User (10) Tunnel-Medium-Type:0 = IEEE-802 (10) Tunnel-Private-Group-Id:0 = "1874" (10) Tunnel-Type:0 = VLAN (10) EAP-Message = 0x03170004 (10) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (10) MS-CHAP-Domain = "\001CAMPUS" (10) MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2 (10) MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d (10) MS-CHAP2-Success = 0x01533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (10) Clearing existing &reply: attributes (10) server default { (10) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (10) post-proxy { (10) attr_filter.post-proxy: EXPAND %{Realm} (10) attr_filter.post-proxy: --> EXAMPLE.COM (10) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (10) [attr_filter.post-proxy] = updated (10) eap: Doing post-proxy callback (10) eap: Passing reply from proxy back into the tunnel (10) eap: Got tunneled reply RADIUS code 2 (10) eap: Tunnel-Type := VLAN (10) eap: Tunnel-Medium-Type := IEEE-802 (10) eap: Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f (10) eap: Proxy-State = 0x3130 (10) eap: Class = 0x7374616666 (10) eap: Filter-Id = "staff" (10) eap: Tunnel-Private-Group-Id:0 = "1874" (10) eap: EAP-Message = 0x03170004 (10) eap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (10) eap: MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2 (10) eap: MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d (10) eap: Tunneled authentication was successful (10) eap: SUCCESS (10) eap: Saving tunneled attributes for later (10) eap: Reply was handled (10) eap: Sending EAP Request (code 1) ID 24 length 46 (10) eap: EAP session adding &reply:State = 0xafa7dc71a5bfc54b (10) [eap] = ok (10) update reply { (10) EXPAND %{control:locInner-User-Name} (10) --> user@example.com (10) &User-Name := user@example.com (10) } # update reply = noop (10) } # post-proxy = updated (10) } (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Sent Access-Challenge Id 10 from 127.0.0.1:1812 to 127.0.0.1:58298 length 129 (10) EAP-Message = 0x0118002e1900170303002364f52ed12ea54c9150459e4e53ee9a1964caff39307afe7fd675169c4441eb576e296d (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7 (10) User-Name := "user@example.com" (10) Finished request Thread 1 waiting to be assigned a request Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 11, (3 handled so far) (11) Received Access-Request Id 11 from 127.0.0.1:58298 to 127.0.0.1:1812 length 218 (11) User-Name = "anonymous@example.com" (11) NAS-IP-Address = 127.0.0.1 (11) Calling-Station-Id = "02-00-00-00-00-01" (11) Framed-MTU = 1400 (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Connect-Info = "CONNECT 11Mbps 802.11b" (11) Called-Station-Id = "11-22-33-44-55-66:eduroam" (11) EAP-Message = 0x0218002e1900170303002375b785dd798fea1648f80b27505bfdcc3aee84a9d6f597fb136533ecc2664fea510e2d (11) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7 (11) Message-Authenticator = 0xeeb433c0442a232b09f02b69f261123b (11) session-state: No cached attributes for server default (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default (11) authorize { (11) policy rewrite_called_station_id { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 11-22-33-44-55-66 (11) &Called-Station-Id := 11-22-33-44-55-66 (11) } # update request = noop (11) if ("%{8}") { (11) EXPAND %{8} (11) --> eduroam (11) if ("%{8}") -> TRUE (11) if ("%{8}") { (11) update request { (11) EXPAND %{8} (11) --> eduroam (11) &Called-Station-SSID := eduroam (11) EXPAND %{Called-Station-Id}:%{8} (11) --> 11-22-33-44-55-66:eduroam (11) &Called-Station-Id := 11-22-33-44-55-66:eduroam (11) } # update request = noop (11) } # if ("%{8}") = noop (11) [updated] = updated (11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_called_station_id = updated (11) policy rewrite_calling_station_id { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 02-00-00-00-00-01 (11) &Calling-Station-Id := 02-00-00-00-00-01 (11) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11) --> 02:00:00:00:00:01 (11) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) } # update request = noop (11) [updated] = updated (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_calling_station_id = updated (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (EAP-Message) { (11) if (EAP-Message) -> TRUE (11) if (EAP-Message) { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = updated (11) } # policy filter_username = updated (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (11) suffix: Found realm "EXAMPLE.COM" (11) suffix: Adding Realm = "EXAMPLE.COM" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) policy deny_no_realm { (11) if (User-Name && (User-Name !~ /@/)) { (11) if (User-Name && (User-Name !~ /@/)) -> FALSE (11) } # policy deny_no_realm = updated (11) update request { (11) EXPAND %{toupper:%{Realm}} (11) --> EXAMPLE.COM (11) Realm := EXAMPLE.COM (11) } # update request = noop (11) eap: Peer sent EAP Response (code 2) ID 24 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # if (EAP-Message) = ok (11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) Auth-Type eap { (11) eap: Removing EAP session with state 0xafa7dc71a5bfc54b (11) eap: Previous EAP request found for state 0xafa7dc71a5bfc54b, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) EAP Done initial handshake (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap_peap: Using saved attributes from the original Access-Accept (11) eap_peap: Tunnel-Type := VLAN (11) eap_peap: Tunnel-Medium-Type := IEEE-802 (11) eap_peap: Class = 0x7374616666 (11) eap_peap: Filter-Id = "staff" (11) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (11) eap_peap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (11) eap: Sending EAP Success (code 3) ID 24 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (11) } # Auth-Type eap = ok (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (11) post-auth { (11) update control { (11) &Tmp-String-0 := "default > post-auth{}" (11) EXPAND %{control:locInner-User-Name} (11) --> (11) &Tmp-String-1 := (11) } # update control = noop (11) update { (11) No attributes updated for RHS &session-state (11) } # update = noop (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) else { (11) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (11) 802.1x_auth_log: --> Sun Nov 9 10:57:40 2025 : AuthZ: (11) Access-Accept: [anonymous@example.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client localhost port 0 operator-name Unknown) (11) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (11) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (11) [802.1x_auth_log] = ok (11) } # else = ok (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # post-auth = ok (11) Login OK: [anonymous@example.com] (from client localhost port 0 cli 02-00-00-00-00-01) (11) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:58298 length 258 (11) Tunnel-Type := VLAN (11) Tunnel-Medium-Type := IEEE-802 (11) Class = 0x7374616666 (11) Filter-Id = "staff" (11) Tunnel-Private-Group-Id:0 = "1874" (11) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (11) MS-MPPE-Recv-Key = 0x9c49947d9239922ada70a14065fecc71f6487bda63c2f67f716bbe8a8dc2f9b3 (11) MS-MPPE-Send-Key = 0x9d0edd62febaf77bed0007c64bb759a21903395c4ecd9524717aeb8cfd3cd9bd (11) EAP-Message = 0x03180004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "anonymous@example.com" (11) Finished request