Is it possible? I tried in users file: # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # DEFAULT Group == "Domain Computers", Auth-Type := Reject Reply-Message = "Autenticacao de maquinas desabilitada." DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject Reply-Message = "Autenticacao de contas de servico desabilitada." Domain Computers doesnt work. TodasContasEspeciais Works fine. This entry here works fine too: DEFAULT Group == "domain users", Simultaneous-Use := 2 Idle-Timeout := 300, Fall-Through = Yes Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...) (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296 (83533) User-Name = "host/n65144.mpdft.gov.br" (83533) NAS-IP-Address = 10.34.177.220 (83533) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83533) NAS-Port-Id = "00000001" (83533) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83533) NAS-Port-Type = Wireless-802.11 (83533) Event-Timestamp = "Jun 23 2020 13:47:23 -03" (83533) Service-Type = Framed-User (83533) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83533) Connect-Info = "CONNECT 0Mbps 802.11b" (83533) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83533) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83533) WLAN-Pairwise-Cipher = 1027076 (83533) WLAN-Group-Cipher = 1027076 (83533) WLAN-AKM-Suite = 1027073 (83533) Framed-MTU = 1400 (83533) EAP-Message = 0x02bf001d01686f73742f6e36353134342e6d706466742e676f762e6272 (83533) Message-Authenticator = 0x7c8882b39ec98c99e1110bdf525b977f (83533) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83533) authorize { (83533) policy filter_username { (83533) if (&User-Name) { (83533) if (&User-Name) -> TRUE (83533) if (&User-Name) { (83533) if (&User-Name != "%{tolower:%{User-Name}}") { (83533) EXPAND %{tolower:%{User-Name}} (83533) --> host/n65144.mpdft.gov.br (83533) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83533) if (&User-Name =~ / /) { (83533) if (&User-Name =~ / /) -> FALSE (83533) if (&User-Name =~ /@[^@]*@/ ) { (83533) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83533) if (&User-Name =~ /\.\./ ) { (83533) if (&User-Name =~ /\.\./ ) -> FALSE (83533) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83533) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83533) if (&User-Name =~ /\.$/) { (83533) if (&User-Name =~ /\.$/) -> FALSE (83533) if (&User-Name =~ /@\./) { (83533) if (&User-Name =~ /@\./) -> FALSE (83533) } # if (&User-Name) = notfound (83533) } # policy filter_username = notfound (83533) [preprocess] = ok (83533) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83533) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83533) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83533) auth_log: EXPAND %t (83533) auth_log: --> Tue Jun 23 13:47:25 2020 (83533) [auth_log] = ok (83533) [chap] = noop (83533) [mschap] = noop (83533) [digest] = noop (83533) suffix: Checking for suffix after "@" (83533) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83533) suffix: No such realm "NULL" (83533) [suffix] = noop (83533) eap: Peer sent EAP Response (code 2) ID 191 length 29 (83533) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (83533) [eap] = ok (83533) } # authorize = ok (83533) Found Auth-Type = eap (83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83533) authenticate { (83533) eap: Peer sent packet with method EAP Identity (1) (83533) eap: Calling submodule eap_md5 to process data (83533) eap_md5: Issuing MD5 Challenge (83533) eap: Sending EAP Request (code 1) ID 192 length 22 (83533) eap: EAP session adding &reply:State = 0x592274a559e270cf (83533) [eap] = handled (83533) } # authenticate = handled (83533) Using Post-Auth-Type Challenge (83533) Post-Auth-Type sub-section not found. Ignoring. (83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83533) Sent Access-Challenge Id 116 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83533) EAP-Message = 0x01c00016041005768a2deba77dd47f9bb481032d785f (83533) Message-Authenticator = 0x00000000000000000000000000000000 (83533) State = 0x592274a559e270cf5d11088ba56bbac4 (83533) Finished request (83534) Received Access-Request Id 117 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291 (83534) User-Name = "host/n65144.mpdft.gov.br" (83534) NAS-IP-Address = 10.34.177.220 (83534) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83534) NAS-Port-Id = "00000001" (83534) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83534) NAS-Port-Type = Wireless-802.11 (83534) Event-Timestamp = "Jun 23 2020 13:47:23 -03" (83534) Service-Type = Framed-User (83534) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83534) Connect-Info = "CONNECT 0Mbps 802.11b" (83534) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83534) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83534) WLAN-Pairwise-Cipher = 1027076 (83534) WLAN-Group-Cipher = 1027076 (83534) WLAN-AKM-Suite = 1027073 (83534) Framed-MTU = 1400 (83534) EAP-Message = 0x02c000060319 (83534) State = 0x592274a559e270cf5d11088ba56bbac4 (83534) Message-Authenticator = 0x255275434bb38a137ce44e1cdbbd154d (83534) session-state: No cached attributes (83534) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83534) authorize { (83534) policy filter_username { (83534) if (&User-Name) { (83534) if (&User-Name) -> TRUE (83534) if (&User-Name) { (83534) if (&User-Name != "%{tolower:%{User-Name}}") { (83534) EXPAND %{tolower:%{User-Name}} (83534) --> host/n65144.mpdft.gov.br (83534) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83534) if (&User-Name =~ / /) { (83534) if (&User-Name =~ / /) -> FALSE (83534) if (&User-Name =~ /@[^@]*@/ ) { (83534) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83534) if (&User-Name =~ /\.\./ ) { (83534) if (&User-Name =~ /\.\./ ) -> FALSE (83534) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83534) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83534) if (&User-Name =~ /\.$/) { (83534) if (&User-Name =~ /\.$/) -> FALSE (83534) if (&User-Name =~ /@\./) { (83534) if (&User-Name =~ /@\./) -> FALSE (83534) } # if (&User-Name) = notfound (83534) } # policy filter_username = notfound (83534) [preprocess] = ok (83534) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83534) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83534) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83534) auth_log: EXPAND %t (83534) auth_log: --> Tue Jun 23 13:47:25 2020 (83534) [auth_log] = ok (83534) [chap] = noop (83534) [mschap] = noop (83534) [digest] = noop (83534) suffix: Checking for suffix after "@" (83534) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83534) suffix: No such realm "NULL" (83534) [suffix] = noop (83534) eap: Peer sent EAP Response (code 2) ID 192 length 6 (83534) eap: No EAP Start, assuming it's an on-going EAP conversation (83534) [eap] = updated (83534) files: Failed resolving UID: No error (83534) files: Failed resolving UID: No error (83534) files: Failed resolving UID: No error (83534) files: Failed resolving UID: No error (83534) files: Failed resolving UID: No error (83534) [files] = noop (83534) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83534) sql: --> host/n65144.mpdft.gov.br (83534) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83534) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (83534) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83534) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83534) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (83534) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83534) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83534) sql: User not found in any groups (83534) [sql] = notfound (83534) [expiration] = noop (83534) [logintime] = noop (83534) if (ok) { (83534) if (ok) -> FALSE (83534) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (83534) pap: WARNING: Authentication will fail unless a "known good" password is available (83534) [pap] = noop (83534) } # authorize = updated (83534) Found Auth-Type = eap (83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83534) authenticate { (83534) eap: Expiring EAP session with state 0x9017180393030136 (83534) eap: Finished EAP session with state 0x592274a559e270cf (83534) eap: Previous EAP request found for state 0x592274a559e270cf, released from the list (83534) eap: Peer sent packet with method EAP NAK (3) (83534) eap: Found mutually acceptable type PEAP (25) (83534) eap: Calling submodule eap_peap to process data (83534) eap_peap: Initiating new EAP-TLS session (83534) eap_peap: [eaptls start] = request (83534) eap: Sending EAP Request (code 1) ID 193 length 6 (83534) eap: EAP session adding &reply:State = 0x592274a558e36dcf (83534) [eap] = handled (83534) } # authenticate = handled (83534) Using Post-Auth-Type Challenge (83534) Post-Auth-Type sub-section not found. Ignoring. (83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83534) Sent Access-Challenge Id 117 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83534) EAP-Message = 0x01c100061920 (83534) Message-Authenticator = 0x00000000000000000000000000000000 (83534) State = 0x592274a558e36dcf5d11088ba56bbac4 (83534) Finished request (83535) Received Access-Request Id 118 from 10.34.177.220:37268 to 10.34.242.3:1812 length 451 (83535) User-Name = "host/n65144.mpdft.gov.br" (83535) NAS-IP-Address = 10.34.177.220 (83535) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83535) NAS-Port-Id = "00000001" (83535) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83535) NAS-Port-Type = Wireless-802.11 (83535) Event-Timestamp = "Jun 23 2020 13:47:23 -03" (83535) Service-Type = Framed-User (83535) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83535) Connect-Info = "CONNECT 0Mbps 802.11b" (83535) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83535) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83535) WLAN-Pairwise-Cipher = 1027076 (83535) WLAN-Group-Cipher = 1027076 (83535) WLAN-AKM-Suite = 1027073 (83535) Framed-MTU = 1400 (83535) EAP-Message = 0x02c100a619800000009c16030300970100009303035ef232201f924dbda3d2ec6cfae7c1dd5d52c00d55fa1bc32d9736d6302f8c6c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (83535) State = 0x592274a558e36dcf5d11088ba56bbac4 (83535) Message-Authenticator = 0xe12affe4dba2b169cdc68ff635c36fb5 (83535) session-state: No cached attributes (83535) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83535) authorize { (83535) policy filter_username { (83535) if (&User-Name) { (83535) if (&User-Name) -> TRUE (83535) if (&User-Name) { (83535) if (&User-Name != "%{tolower:%{User-Name}}") { (83535) EXPAND %{tolower:%{User-Name}} (83535) --> host/n65144.mpdft.gov.br (83535) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83535) if (&User-Name =~ / /) { (83535) if (&User-Name =~ / /) -> FALSE (83535) if (&User-Name =~ /@[^@]*@/ ) { (83535) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83535) if (&User-Name =~ /\.\./ ) { (83535) if (&User-Name =~ /\.\./ ) -> FALSE (83535) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83535) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83535) if (&User-Name =~ /\.$/) { (83535) if (&User-Name =~ /\.$/) -> FALSE (83535) if (&User-Name =~ /@\./) { (83535) if (&User-Name =~ /@\./) -> FALSE (83535) } # if (&User-Name) = notfound (83535) } # policy filter_username = notfound (83535) [preprocess] = ok (83535) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83535) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83535) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83535) auth_log: EXPAND %t (83535) auth_log: --> Tue Jun 23 13:47:25 2020 (83535) [auth_log] = ok (83535) [chap] = noop (83535) [mschap] = noop (83535) [digest] = noop (83535) suffix: Checking for suffix after "@" (83535) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83535) suffix: No such realm "NULL" (83535) [suffix] = noop (83535) eap: Peer sent EAP Response (code 2) ID 193 length 166 (83535) eap: Continuing tunnel setup (83535) [eap] = ok (83535) } # authorize = ok (83535) Found Auth-Type = eap (83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83535) authenticate { (83535) eap: Expiring EAP session with state 0x9017180393030136 (83535) eap: Finished EAP session with state 0x592274a558e36dcf (83535) eap: Previous EAP request found for state 0x592274a558e36dcf, released from the list (83535) eap: Peer sent packet with method EAP PEAP (25) (83535) eap: Calling submodule eap_peap to process data (83535) eap_peap: Continuing EAP-TLS (83535) eap_peap: Peer indicated complete TLS record size will be 156 bytes (83535) eap_peap: Got complete TLS record (156 bytes) (83535) eap_peap: [eaptls verify] = length included (83535) eap_peap: (other): before SSL initialization (83535) eap_peap: TLS_accept: before SSL initialization (83535) eap_peap: TLS_accept: before SSL initialization (83535) eap_peap: <<< recv TLS 1.2 [length 0097] (83535) eap_peap: TLS_accept: SSLv3/TLS read client hello (83535) eap_peap: >>> send TLS 1.2 [length 003d] (83535) eap_peap: TLS_accept: SSLv3/TLS write server hello (83535) eap_peap: >>> send TLS 1.2 [length 0309] (83535) eap_peap: TLS_accept: SSLv3/TLS write certificate (83535) eap_peap: >>> send TLS 1.2 [length 014d] (83535) eap_peap: TLS_accept: SSLv3/TLS write key exchange (83535) eap_peap: >>> send TLS 1.2 [length 0004] (83535) eap_peap: TLS_accept: SSLv3/TLS write server done (83535) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (83535) eap_peap: In SSL Handshake Phase (83535) eap_peap: In SSL Accept mode (83535) eap_peap: [eaptls process] = handled (83535) eap: Sending EAP Request (code 1) ID 194 length 1004 (83535) eap: EAP session adding &reply:State = 0x592274a55be06dcf (83535) [eap] = handled (83535) } # authenticate = handled (83535) Using Post-Auth-Type Challenge (83535) Post-Auth-Type sub-section not found. Ignoring. (83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83535) Sent Access-Challenge Id 118 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83535) EAP-Message = 0x01c203ec19c0000004ab160303003d0200003903039308bda32e5a82ed478ea55a2e3b34d753ba6e340f36dcfffba42072b5d3038700c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609 (83535) Message-Authenticator = 0x00000000000000000000000000000000 (83535) State = 0x592274a55be06dcf5d11088ba56bbac4 (83535) Finished request (83536) Received Access-Request Id 119 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291 (83536) User-Name = "host/n65144.mpdft.gov.br" (83536) NAS-IP-Address = 10.34.177.220 (83536) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83536) NAS-Port-Id = "00000001" (83536) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83536) NAS-Port-Type = Wireless-802.11 (83536) Event-Timestamp = "Jun 23 2020 13:47:23 -03" (83536) Service-Type = Framed-User (83536) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83536) Connect-Info = "CONNECT 0Mbps 802.11b" (83536) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83536) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83536) WLAN-Pairwise-Cipher = 1027076 (83536) WLAN-Group-Cipher = 1027076 (83536) WLAN-AKM-Suite = 1027073 (83536) Framed-MTU = 1400 (83536) EAP-Message = 0x02c200061900 (83536) State = 0x592274a55be06dcf5d11088ba56bbac4 (83536) Message-Authenticator = 0x75aeeb98b14c048409007526e8333933 (83536) session-state: No cached attributes (83536) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83536) authorize { (83536) policy filter_username { (83536) if (&User-Name) { (83536) if (&User-Name) -> TRUE (83536) if (&User-Name) { (83536) if (&User-Name != "%{tolower:%{User-Name}}") { (83536) EXPAND %{tolower:%{User-Name}} (83536) --> host/n65144.mpdft.gov.br (83536) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83536) if (&User-Name =~ / /) { (83536) if (&User-Name =~ / /) -> FALSE (83536) if (&User-Name =~ /@[^@]*@/ ) { (83536) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83536) if (&User-Name =~ /\.\./ ) { (83536) if (&User-Name =~ /\.\./ ) -> FALSE (83536) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83536) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83536) if (&User-Name =~ /\.$/) { (83536) if (&User-Name =~ /\.$/) -> FALSE (83536) if (&User-Name =~ /@\./) { (83536) if (&User-Name =~ /@\./) -> FALSE (83536) } # if (&User-Name) = notfound (83536) } # policy filter_username = notfound (83536) [preprocess] = ok (83536) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83536) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83536) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83536) auth_log: EXPAND %t (83536) auth_log: --> Tue Jun 23 13:47:25 2020 (83536) [auth_log] = ok (83536) [chap] = noop (83536) [mschap] = noop (83536) [digest] = noop (83536) suffix: Checking for suffix after "@" (83536) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83536) suffix: No such realm "NULL" (83536) [suffix] = noop (83536) eap: Peer sent EAP Response (code 2) ID 194 length 6 (83536) eap: Continuing tunnel setup (83536) [eap] = ok (83536) } # authorize = ok (83536) Found Auth-Type = eap (83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83536) authenticate { (83536) eap: Expiring EAP session with state 0x9017180393030136 (83536) eap: Finished EAP session with state 0x592274a55be06dcf (83536) eap: Previous EAP request found for state 0x592274a55be06dcf, released from the list (83536) eap: Peer sent packet with method EAP PEAP (25) (83536) eap: Calling submodule eap_peap to process data (83536) eap_peap: Continuing EAP-TLS (83536) eap_peap: Peer ACKed our handshake fragment (83536) eap_peap: [eaptls verify] = request (83536) eap_peap: [eaptls process] = handled (83536) eap: Sending EAP Request (code 1) ID 195 length 207 (83536) eap: EAP session adding &reply:State = 0x592274a55ae16dcf (83536) [eap] = handled (83536) } # authenticate = handled (83536) Using Post-Auth-Type Challenge (83536) Post-Auth-Type sub-section not found. Ignoring. (83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83536) Sent Access-Challenge Id 119 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83536) EAP-Message = 0x01c300cf19003adad27975fdfa785ffac44ee108d8838b13e1123beab2b8798afd3e35cd995637b894ae0e18112d45144eba479ff30dc4e993ff3f295c8c064c8d46e7e064f5730fc35330cdfec07f886298dba50e9d2d2aaa6aac6198571a6155afbbdc35ebcd32d90dc658f48e3a273e031294d34abf (83536) Message-Authenticator = 0x00000000000000000000000000000000 (83536) State = 0x592274a55ae16dcf5d11088ba56bbac4 (83536) Finished request (83537) Received Access-Request Id 120 from 10.34.177.220:37268 to 10.34.242.3:1812 length 421 (83537) User-Name = "host/n65144.mpdft.gov.br" (83537) NAS-IP-Address = 10.34.177.220 (83537) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83537) NAS-Port-Id = "00000001" (83537) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83537) NAS-Port-Type = Wireless-802.11 (83537) Event-Timestamp = "Jun 23 2020 13:47:23 -03" (83537) Service-Type = Framed-User (83537) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83537) Connect-Info = "CONNECT 0Mbps 802.11b" (83537) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83537) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83537) WLAN-Pairwise-Cipher = 1027076 (83537) WLAN-Group-Cipher = 1027076 (83537) WLAN-AKM-Suite = 1027073 (83537) Framed-MTU = 1400 (83537) EAP-Message = 0x02c3008819800000007e1603030046100000424104ca73327a1aa86d548f1bab867288bf53e4bb907e877b520127d42986a20dc91111d47d38caadab01d14914ea7fecb7f982b3ad50f1706ca7ac7508604badfa501403030001011603030028000000000000000074fe6c972b1cbfe176c9161a99d6ee (83537) State = 0x592274a55ae16dcf5d11088ba56bbac4 (83537) Message-Authenticator = 0x13188abc81665fe76a84d5ae53be2694 (83537) session-state: No cached attributes (83537) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83537) authorize { (83537) policy filter_username { (83537) if (&User-Name) { (83537) if (&User-Name) -> TRUE (83537) if (&User-Name) { (83537) if (&User-Name != "%{tolower:%{User-Name}}") { (83537) EXPAND %{tolower:%{User-Name}} (83537) --> host/n65144.mpdft.gov.br (83537) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83537) if (&User-Name =~ / /) { (83537) if (&User-Name =~ / /) -> FALSE (83537) if (&User-Name =~ /@[^@]*@/ ) { (83537) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83537) if (&User-Name =~ /\.\./ ) { (83537) if (&User-Name =~ /\.\./ ) -> FALSE (83537) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83537) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83537) if (&User-Name =~ /\.$/) { (83537) if (&User-Name =~ /\.$/) -> FALSE (83537) if (&User-Name =~ /@\./) { (83537) if (&User-Name =~ /@\./) -> FALSE (83537) } # if (&User-Name) = notfound (83537) } # policy filter_username = notfound (83537) [preprocess] = ok (83537) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83537) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83537) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83537) auth_log: EXPAND %t (83537) auth_log: --> Tue Jun 23 13:47:25 2020 (83537) [auth_log] = ok (83537) [chap] = noop (83537) [mschap] = noop (83537) [digest] = noop (83537) suffix: Checking for suffix after "@" (83537) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83537) suffix: No such realm "NULL" (83537) [suffix] = noop (83537) eap: Peer sent EAP Response (code 2) ID 195 length 136 (83537) eap: Continuing tunnel setup (83537) [eap] = ok (83537) } # authorize = ok (83537) Found Auth-Type = eap (83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83537) authenticate { (83537) eap: Expiring EAP session with state 0x9017180393030136 (83537) eap: Finished EAP session with state 0x592274a55ae16dcf (83537) eap: Previous EAP request found for state 0x592274a55ae16dcf, released from the list (83537) eap: Peer sent packet with method EAP PEAP (25) (83537) eap: Calling submodule eap_peap to process data (83537) eap_peap: Continuing EAP-TLS (83537) eap_peap: Peer indicated complete TLS record size will be 126 bytes (83537) eap_peap: Got complete TLS record (126 bytes) (83537) eap_peap: [eaptls verify] = length included (83537) eap_peap: TLS_accept: SSLv3/TLS write server done (83537) eap_peap: <<< recv TLS 1.2 [length 0046] (83537) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (83537) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (83537) eap_peap: <<< recv TLS 1.2 [length 0010] (83537) eap_peap: TLS_accept: SSLv3/TLS read finished (83537) eap_peap: >>> send TLS 1.2 [length 0001] (83537) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (83537) eap_peap: >>> send TLS 1.2 [length 0010] (83537) eap_peap: TLS_accept: SSLv3/TLS write finished (83537) eap_peap: (other): SSL negotiation finished successfully (83537) eap_peap: SSL Connection Established (83537) eap_peap: [eaptls process] = handled (83537) eap: Sending EAP Request (code 1) ID 196 length 57 (83537) eap: EAP session adding &reply:State = 0x592274a55de66dcf (83537) [eap] = handled (83537) } # authenticate = handled (83537) Using Post-Auth-Type Challenge (83537) Post-Auth-Type sub-section not found. Ignoring. (83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83537) Sent Access-Challenge Id 120 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83537) EAP-Message = 0x01c4003919001403030001011603030028fb13cb712244c06c9b03a1b435796e337e52fd31841ccd87539254fce0bde1743fdf2c63be546af0 (83537) Message-Authenticator = 0x00000000000000000000000000000000 (83537) State = 0x592274a55de66dcf5d11088ba56bbac4 (83537) Finished request (83538) Received Access-Request Id 121 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291 (83538) User-Name = "host/n65144.mpdft.gov.br" (83538) NAS-IP-Address = 10.34.177.220 (83538) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83538) NAS-Port-Id = "00000001" (83538) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83538) NAS-Port-Type = Wireless-802.11 (83538) Event-Timestamp = "Jun 23 2020 13:47:24 -03" (83538) Service-Type = Framed-User (83538) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83538) Connect-Info = "CONNECT 0Mbps 802.11b" (83538) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83538) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83538) WLAN-Pairwise-Cipher = 1027076 (83538) WLAN-Group-Cipher = 1027076 (83538) WLAN-AKM-Suite = 1027073 (83538) Framed-MTU = 1400 (83538) EAP-Message = 0x02c400061900 (83538) State = 0x592274a55de66dcf5d11088ba56bbac4 (83538) Message-Authenticator = 0x039c283f11ffbfe1b00e0453467c8cea (83538) session-state: No cached attributes (83538) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83538) authorize { (83538) policy filter_username { (83538) if (&User-Name) { (83538) if (&User-Name) -> TRUE (83538) if (&User-Name) { (83538) if (&User-Name != "%{tolower:%{User-Name}}") { (83538) EXPAND %{tolower:%{User-Name}} (83538) --> host/n65144.mpdft.gov.br (83538) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83538) if (&User-Name =~ / /) { (83538) if (&User-Name =~ / /) -> FALSE (83538) if (&User-Name =~ /@[^@]*@/ ) { (83538) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83538) if (&User-Name =~ /\.\./ ) { (83538) if (&User-Name =~ /\.\./ ) -> FALSE (83538) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83538) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83538) if (&User-Name =~ /\.$/) { (83538) if (&User-Name =~ /\.$/) -> FALSE (83538) if (&User-Name =~ /@\./) { (83538) if (&User-Name =~ /@\./) -> FALSE (83538) } # if (&User-Name) = notfound (83538) } # policy filter_username = notfound (83538) [preprocess] = ok (83538) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83538) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83538) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83538) auth_log: EXPAND %t (83538) auth_log: --> Tue Jun 23 13:47:25 2020 (83538) [auth_log] = ok (83538) [chap] = noop (83538) [mschap] = noop (83538) [digest] = noop (83538) suffix: Checking for suffix after "@" (83538) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83538) suffix: No such realm "NULL" (83538) [suffix] = noop (83538) eap: Peer sent EAP Response (code 2) ID 196 length 6 (83538) eap: Continuing tunnel setup (83538) [eap] = ok (83538) } # authorize = ok (83538) Found Auth-Type = eap (83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83538) authenticate { (83538) eap: Expiring EAP session with state 0x9017180393030136 (83538) eap: Finished EAP session with state 0x592274a55de66dcf (83538) eap: Previous EAP request found for state 0x592274a55de66dcf, released from the list (83538) eap: Peer sent packet with method EAP PEAP (25) (83538) eap: Calling submodule eap_peap to process data (83538) eap_peap: Continuing EAP-TLS (83538) eap_peap: Peer ACKed our handshake fragment. handshake is finished (83538) eap_peap: [eaptls verify] = success (83538) eap_peap: [eaptls process] = success (83538) eap_peap: Session established. Decoding tunneled attributes (83538) eap_peap: PEAP state TUNNEL ESTABLISHED (83538) eap: Sending EAP Request (code 1) ID 197 length 40 (83538) eap: EAP session adding &reply:State = 0x592274a55ce76dcf (83538) [eap] = handled (83538) } # authenticate = handled (83538) Using Post-Auth-Type Challenge (83538) Post-Auth-Type sub-section not found. Ignoring. (83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83538) Sent Access-Challenge Id 121 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83538) EAP-Message = 0x01c500281900170303001dfb13cb712244c06dd3b3319eda935797571c500deb4e259f6c76c7fd82 (83538) Message-Authenticator = 0x00000000000000000000000000000000 (83538) State = 0x592274a55ce76dcf5d11088ba56bbac4 (83538) Finished request (83539) Received Access-Request Id 122 from 10.34.177.220:37268 to 10.34.242.3:1812 length 345 (83539) User-Name = "host/n65144.mpdft.gov.br" (83539) NAS-IP-Address = 10.34.177.220 (83539) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83539) NAS-Port-Id = "00000001" (83539) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83539) NAS-Port-Type = Wireless-802.11 (83539) Event-Timestamp = "Jun 23 2020 13:47:24 -03" (83539) Service-Type = Framed-User (83539) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83539) Connect-Info = "CONNECT 0Mbps 802.11b" (83539) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83539) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83539) WLAN-Pairwise-Cipher = 1027076 (83539) WLAN-Group-Cipher = 1027076 (83539) WLAN-AKM-Suite = 1027073 (83539) Framed-MTU = 1400 (83539) EAP-Message = 0x02c5003c1900170303003100000000000000019e684626cfe0b3f0d0437b3374b0ca4957085fe2da28a7496a052aa8648f75adddf043780ba025962c (83539) State = 0x592274a55ce76dcf5d11088ba56bbac4 (83539) Message-Authenticator = 0xd669040d031f113bf06fc26177e7970f (83539) session-state: No cached attributes (83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83539) authorize { (83539) policy filter_username { (83539) if (&User-Name) { (83539) if (&User-Name) -> TRUE (83539) if (&User-Name) { (83539) if (&User-Name != "%{tolower:%{User-Name}}") { (83539) EXPAND %{tolower:%{User-Name}} (83539) --> host/n65144.mpdft.gov.br (83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83539) if (&User-Name =~ / /) { (83539) if (&User-Name =~ / /) -> FALSE (83539) if (&User-Name =~ /@[^@]*@/ ) { (83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83539) if (&User-Name =~ /\.\./ ) { (83539) if (&User-Name =~ /\.\./ ) -> FALSE (83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83539) if (&User-Name =~ /\.$/) { (83539) if (&User-Name =~ /\.$/) -> FALSE (83539) if (&User-Name =~ /@\./) { (83539) if (&User-Name =~ /@\./) -> FALSE (83539) } # if (&User-Name) = notfound (83539) } # policy filter_username = notfound (83539) [preprocess] = ok (83539) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83539) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83539) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83539) auth_log: EXPAND %t (83539) auth_log: --> Tue Jun 23 13:47:25 2020 (83539) [auth_log] = ok (83539) [chap] = noop (83539) [mschap] = noop (83539) [digest] = noop (83539) suffix: Checking for suffix after "@" (83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83539) suffix: No such realm "NULL" (83539) [suffix] = noop (83539) eap: Peer sent EAP Response (code 2) ID 197 length 60 (83539) eap: Continuing tunnel setup (83539) [eap] = ok (83539) } # authorize = ok (83539) Found Auth-Type = eap (83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83539) authenticate { (83539) eap: Expiring EAP session with state 0x9017180393030136 (83539) eap: Finished EAP session with state 0x592274a55ce76dcf (83539) eap: Previous EAP request found for state 0x592274a55ce76dcf, released from the list (83539) eap: Peer sent packet with method EAP PEAP (25) (83539) eap: Calling submodule eap_peap to process data (83539) eap_peap: Continuing EAP-TLS (83539) eap_peap: [eaptls verify] = ok (83539) eap_peap: Done initial handshake (83539) eap_peap: [eaptls process] = ok (83539) eap_peap: Session established. Decoding tunneled attributes (83539) eap_peap: PEAP state WAITING FOR INNER IDENTITY (83539) eap_peap: Identity - host/n65144.mpdft.gov.br (83539) eap_peap: Got inner identity 'host/n65144.mpdft.gov.br' (83539) eap_peap: Setting default EAP type for tunneled EAP session (83539) eap_peap: Got tunneled request (83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272 (83539) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br (83539) eap_peap: Sending tunneled request to inner-tunnel (83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272 (83539) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (83539) eap_peap: User-Name = "host/n65144.mpdft.gov.br" (83539) Virtual server inner-tunnel received request (83539) EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272 (83539) FreeRADIUS-Proxied-To = 127.0.0.1 (83539) User-Name = "host/n65144.mpdft.gov.br" (83539) WARNING: Outer and inner identities are the same. User privacy is compromised. (83539) server inner-tunnel { (83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83539) authorize { (83539) policy filter_username { (83539) if (&User-Name) { (83539) if (&User-Name) -> TRUE (83539) if (&User-Name) { (83539) if (&User-Name != "%{tolower:%{User-Name}}") { (83539) EXPAND %{tolower:%{User-Name}} (83539) --> host/n65144.mpdft.gov.br (83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83539) if (&User-Name =~ / /) { (83539) if (&User-Name =~ / /) -> FALSE (83539) if (&User-Name =~ /@[^@]*@/ ) { (83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83539) if (&User-Name =~ /\.\./ ) { (83539) if (&User-Name =~ /\.\./ ) -> FALSE (83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83539) if (&User-Name =~ /\.$/) { (83539) if (&User-Name =~ /\.$/) -> FALSE (83539) if (&User-Name =~ /@\./) { (83539) if (&User-Name =~ /@\./) -> FALSE (83539) } # if (&User-Name) = notfound (83539) } # policy filter_username = notfound (83539) [chap] = noop (83539) [mschap] = noop (83539) suffix: Checking for suffix after "@" (83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83539) suffix: No such realm "NULL" (83539) [suffix] = noop (83539) update control { (83539) &Proxy-To-Realm := LOCAL (83539) } # update control = noop (83539) eap: Peer sent EAP Response (code 2) ID 197 length 29 (83539) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (83539) [eap] = ok (83539) } # authorize = ok (83539) Found Auth-Type = eap (83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83539) authenticate { (83539) eap: Peer sent packet with method EAP Identity (1) (83539) eap: Calling submodule eap_mschapv2 to process data (83539) eap_mschapv2: Issuing Challenge (83539) eap: Sending EAP Request (code 1) ID 198 length 43 (83539) eap: EAP session adding &reply:State = 0x3abf883e3a79928a (83539) [eap] = handled (83539) } # authenticate = handled (83539) } # server inner-tunnel (83539) Virtual server sending reply (83539) EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132 (83539) Message-Authenticator = 0x00000000000000000000000000000000 (83539) State = 0x3abf883e3a79928a4508626b4c893c09 (83539) eap_peap: Got tunneled reply code 11 (83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132 (83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09 (83539) eap_peap: Got tunneled reply RADIUS code 11 (83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132 (83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09 (83539) eap_peap: Got tunneled Access-Challenge (83539) eap: Sending EAP Request (code 1) ID 198 length 74 (83539) eap: EAP session adding &reply:State = 0x592274a55fe46dcf (83539) [eap] = handled (83539) } # authenticate = handled (83539) Using Post-Auth-Type Challenge (83539) Post-Auth-Type sub-section not found. Ignoring. (83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83539) Sent Access-Challenge Id 122 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83539) EAP-Message = 0x01c6004a1900170303003ffb13cb712244c06e54a5366995c39bdc1107aafc963bcbefefa5912d6b2b1ae5eb5108197757709c9aae011a2ddbf372662fc09dd88087fb1e9bb0f2978db4 (83539) Message-Authenticator = 0x00000000000000000000000000000000 (83539) State = 0x592274a55fe46dcf5d11088ba56bbac4 (83539) Finished request (83540) Received Access-Request Id 123 from 10.34.177.220:37268 to 10.34.242.3:1812 length 399 (83540) User-Name = "host/n65144.mpdft.gov.br" (83540) NAS-IP-Address = 10.34.177.220 (83540) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83540) NAS-Port-Id = "00000001" (83540) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83540) NAS-Port-Type = Wireless-802.11 (83540) Event-Timestamp = "Jun 23 2020 13:47:24 -03" (83540) Service-Type = Framed-User (83540) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83540) Connect-Info = "CONNECT 0Mbps 802.11b" (83540) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83540) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83540) WLAN-Pairwise-Cipher = 1027076 (83540) WLAN-Group-Cipher = 1027076 (83540) WLAN-AKM-Suite = 1027073 (83540) Framed-MTU = 1400 (83540) EAP-Message = 0x02c600721900170303006700000000000000021552c7414a6fe33963587194385413497356adaccb7d04280027aee00ff540e05eed36464f01c0e63d44edf60788f9e825b052378b1c052d4cd743622358e5780eade74a4113b0ac7efc5a15f9a5af8688350db96638d52ca7c4b4b1645a0a (83540) State = 0x592274a55fe46dcf5d11088ba56bbac4 (83540) Message-Authenticator = 0x66ccd547f1f593cdda006e7b27c1d398 (83540) session-state: No cached attributes (83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83540) authorize { (83540) policy filter_username { (83540) if (&User-Name) { (83540) if (&User-Name) -> TRUE (83540) if (&User-Name) { (83540) if (&User-Name != "%{tolower:%{User-Name}}") { (83540) EXPAND %{tolower:%{User-Name}} (83540) --> host/n65144.mpdft.gov.br (83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83540) if (&User-Name =~ / /) { (83540) if (&User-Name =~ / /) -> FALSE (83540) if (&User-Name =~ /@[^@]*@/ ) { (83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83540) if (&User-Name =~ /\.\./ ) { (83540) if (&User-Name =~ /\.\./ ) -> FALSE (83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83540) if (&User-Name =~ /\.$/) { (83540) if (&User-Name =~ /\.$/) -> FALSE (83540) if (&User-Name =~ /@\./) { (83540) if (&User-Name =~ /@\./) -> FALSE (83540) } # if (&User-Name) = notfound (83540) } # policy filter_username = notfound (83540) [preprocess] = ok (83540) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83540) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83540) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83540) auth_log: EXPAND %t (83540) auth_log: --> Tue Jun 23 13:47:25 2020 (83540) [auth_log] = ok (83540) [chap] = noop (83540) [mschap] = noop (83540) [digest] = noop (83540) suffix: Checking for suffix after "@" (83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83540) suffix: No such realm "NULL" (83540) [suffix] = noop (83540) eap: Peer sent EAP Response (code 2) ID 198 length 114 (83540) eap: Continuing tunnel setup (83540) [eap] = ok (83540) } # authorize = ok (83540) Found Auth-Type = eap (83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83540) authenticate { (83540) eap: Expiring EAP session with state 0x9017180393030136 (83540) eap: Finished EAP session with state 0x592274a55fe46dcf (83540) eap: Previous EAP request found for state 0x592274a55fe46dcf, released from the list (83540) eap: Peer sent packet with method EAP PEAP (25) (83540) eap: Calling submodule eap_peap to process data (83540) eap_peap: Continuing EAP-TLS (83540) eap_peap: [eaptls verify] = ok (83540) eap_peap: Done initial handshake (83540) eap_peap: [eaptls process] = ok (83540) eap_peap: Session established. Decoding tunneled attributes (83540) eap_peap: PEAP state phase2 (83540) eap_peap: EAP method MSCHAPv2 (26) (83540) eap_peap: Got tunneled request (83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272 (83540) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br (83540) eap_peap: Sending tunneled request to inner-tunnel (83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272 (83540) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (83540) eap_peap: User-Name = "host/n65144.mpdft.gov.br" (83540) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09 (83540) Virtual server inner-tunnel received request (83540) EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272 (83540) FreeRADIUS-Proxied-To = 127.0.0.1 (83540) User-Name = "host/n65144.mpdft.gov.br" (83540) State = 0x3abf883e3a79928a4508626b4c893c09 (83540) WARNING: Outer and inner identities are the same. User privacy is compromised. (83540) server inner-tunnel { (83540) session-state: No cached attributes (83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83540) authorize { (83540) policy filter_username { (83540) if (&User-Name) { (83540) if (&User-Name) -> TRUE (83540) if (&User-Name) { (83540) if (&User-Name != "%{tolower:%{User-Name}}") { (83540) EXPAND %{tolower:%{User-Name}} (83540) --> host/n65144.mpdft.gov.br (83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83540) if (&User-Name =~ / /) { (83540) if (&User-Name =~ / /) -> FALSE (83540) if (&User-Name =~ /@[^@]*@/ ) { (83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83540) if (&User-Name =~ /\.\./ ) { (83540) if (&User-Name =~ /\.\./ ) -> FALSE (83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83540) if (&User-Name =~ /\.$/) { (83540) if (&User-Name =~ /\.$/) -> FALSE (83540) if (&User-Name =~ /@\./) { (83540) if (&User-Name =~ /@\./) -> FALSE (83540) } # if (&User-Name) = notfound (83540) } # policy filter_username = notfound (83540) [chap] = noop (83540) [mschap] = noop (83540) suffix: Checking for suffix after "@" (83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83540) suffix: No such realm "NULL" (83540) [suffix] = noop (83540) update control { (83540) &Proxy-To-Realm := LOCAL (83540) } # update control = noop (83540) eap: Peer sent EAP Response (code 2) ID 198 length 83 (83540) eap: No EAP Start, assuming it's an on-going EAP conversation (83540) [eap] = updated (83540) files: Failed resolving UID: No error (83540) files: Failed resolving UID: No error (83540) files: Failed resolving UID: No error (83540) files: Failed resolving UID: No error (83540) files: Failed resolving UID: No error (83540) [files] = noop (83540) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83540) sql: --> host/n65144.mpdft.gov.br (83540) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83540) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (83540) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83540) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83540) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (83540) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83540) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83540) sql: User not found in any groups (83540) [sql] = notfound (83540) [expiration] = noop (83540) [logintime] = noop (83540) [pap] = noop (83540) } # authorize = updated (83540) Found Auth-Type = eap (83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83540) authenticate { (83540) eap: Expiring EAP session with state 0x9017180393030136 (83540) eap: Finished EAP session with state 0x3abf883e3a79928a (83540) eap: Previous EAP request found for state 0x3abf883e3a79928a, released from the list (83540) eap: Peer sent packet with method EAP MSCHAPv2 (26) (83540) eap: Calling submodule eap_mschapv2 to process data (83540) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83540) eap_mschapv2: authenticate { (83540) mschap: Creating challenge hash with username: host/n65144.mpdft.gov.br (83540) mschap: Client is using MS-CHAPv2 (83540) mschap: EXPAND %{mschap:User-Name} (83540) mschap: --> n65144$ (83540) mschap: EXPAND %{mschap:NT-Domain} (83540) mschap: --> mpdft (83540) mschap: sending authentication request user='n65144$' domain='mpdft' (83540) mschap: Authenticated successfully (83540) mschap: Adding MS-CHAPv2 MPPE keys (83540) [mschap] = ok (83540) } # authenticate = ok (83540) MSCHAP Success (83540) eap: Sending EAP Request (code 1) ID 199 length 51 (83540) eap: EAP session adding &reply:State = 0x3abf883e3b78928a (83540) [eap] = handled (83540) } # authenticate = handled (83540) } # server inner-tunnel (83540) Virtual server sending reply (83540) EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541 (83540) Message-Authenticator = 0x00000000000000000000000000000000 (83540) State = 0x3abf883e3b78928a4508626b4c893c09 (83540) eap_peap: Got tunneled reply code 11 (83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541 (83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09 (83540) eap_peap: Got tunneled reply RADIUS code 11 (83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541 (83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09 (83540) eap_peap: Got tunneled Access-Challenge (83540) eap: Sending EAP Request (code 1) ID 199 length 82 (83540) eap: EAP session adding &reply:State = 0x592274a55ee56dcf (83540) [eap] = handled (83540) } # authenticate = handled (83540) Using Post-Auth-Type Challenge (83540) Post-Auth-Type sub-section not found. Ignoring. (83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83540) Sent Access-Challenge Id 123 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83540) EAP-Message = 0x01c7005219001703030047fb13cb712244c06fb9349c1a922348d032aa6f4c23c7d2f5143a72f99f00383819d97b9eb2ede7a3a9837f7deac267f4c81c6172bb7f9a4aae783a922eb875456f78c2ade1a752 (83540) Message-Authenticator = 0x00000000000000000000000000000000 (83540) State = 0x592274a55ee56dcf5d11088ba56bbac4 (83540) Finished request (83541) Received Access-Request Id 124 from 10.34.177.220:37268 to 10.34.242.3:1812 length 322 (83541) User-Name = "host/n65144.mpdft.gov.br" (83541) NAS-IP-Address = 10.34.177.220 (83541) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83541) NAS-Port-Id = "00000001" (83541) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83541) NAS-Port-Type = Wireless-802.11 (83541) Event-Timestamp = "Jun 23 2020 13:47:24 -03" (83541) Service-Type = Framed-User (83541) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83541) Connect-Info = "CONNECT 0Mbps 802.11b" (83541) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83541) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83541) WLAN-Pairwise-Cipher = 1027076 (83541) WLAN-Group-Cipher = 1027076 (83541) WLAN-AKM-Suite = 1027073 (83541) Framed-MTU = 1400 (83541) EAP-Message = 0x02c700251900170303001a0000000000000003331ad865b28d977d1e131e3443c76ac7ba97 (83541) State = 0x592274a55ee56dcf5d11088ba56bbac4 (83541) Message-Authenticator = 0x57e05acff1a9e398d34e97b0934830a6 (83541) session-state: No cached attributes (83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83541) authorize { (83541) policy filter_username { (83541) if (&User-Name) { (83541) if (&User-Name) -> TRUE (83541) if (&User-Name) { (83541) if (&User-Name != "%{tolower:%{User-Name}}") { (83541) EXPAND %{tolower:%{User-Name}} (83541) --> host/n65144.mpdft.gov.br (83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83541) if (&User-Name =~ / /) { (83541) if (&User-Name =~ / /) -> FALSE (83541) if (&User-Name =~ /@[^@]*@/ ) { (83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83541) if (&User-Name =~ /\.\./ ) { (83541) if (&User-Name =~ /\.\./ ) -> FALSE (83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83541) if (&User-Name =~ /\.$/) { (83541) if (&User-Name =~ /\.$/) -> FALSE (83541) if (&User-Name =~ /@\./) { (83541) if (&User-Name =~ /@\./) -> FALSE (83541) } # if (&User-Name) = notfound (83541) } # policy filter_username = notfound (83541) [preprocess] = ok (83541) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83541) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83541) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83541) auth_log: EXPAND %t (83541) auth_log: --> Tue Jun 23 13:47:25 2020 (83541) [auth_log] = ok (83541) [chap] = noop (83541) [mschap] = noop (83541) [digest] = noop (83541) suffix: Checking for suffix after "@" (83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83541) suffix: No such realm "NULL" (83541) [suffix] = noop (83541) eap: Peer sent EAP Response (code 2) ID 199 length 37 (83541) eap: Continuing tunnel setup (83541) [eap] = ok (83541) } # authorize = ok (83541) Found Auth-Type = eap (83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83541) authenticate { (83541) eap: Expiring EAP session with state 0x9017180393030136 (83541) eap: Finished EAP session with state 0x592274a55ee56dcf (83541) eap: Previous EAP request found for state 0x592274a55ee56dcf, released from the list (83541) eap: Peer sent packet with method EAP PEAP (25) (83541) eap: Calling submodule eap_peap to process data (83541) eap_peap: Continuing EAP-TLS (83541) eap_peap: [eaptls verify] = ok (83541) eap_peap: Done initial handshake (83541) eap_peap: [eaptls process] = ok (83541) eap_peap: Session established. Decoding tunneled attributes (83541) eap_peap: PEAP state phase2 (83541) eap_peap: EAP method MSCHAPv2 (26) (83541) eap_peap: Got tunneled request (83541) eap_peap: EAP-Message = 0x02c700061a03 (83541) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br (83541) eap_peap: Sending tunneled request to inner-tunnel (83541) eap_peap: EAP-Message = 0x02c700061a03 (83541) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br" (83541) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09 (83541) Virtual server inner-tunnel received request (83541) EAP-Message = 0x02c700061a03 (83541) FreeRADIUS-Proxied-To = 127.0.0.1 (83541) User-Name = "host/n65144.mpdft.gov.br" (83541) State = 0x3abf883e3b78928a4508626b4c893c09 (83541) WARNING: Outer and inner identities are the same. User privacy is compromised. (83541) server inner-tunnel { (83541) session-state: No cached attributes (83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83541) authorize { (83541) policy filter_username { (83541) if (&User-Name) { (83541) if (&User-Name) -> TRUE (83541) if (&User-Name) { (83541) if (&User-Name != "%{tolower:%{User-Name}}") { (83541) EXPAND %{tolower:%{User-Name}} (83541) --> host/n65144.mpdft.gov.br (83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83541) if (&User-Name =~ / /) { (83541) if (&User-Name =~ / /) -> FALSE (83541) if (&User-Name =~ /@[^@]*@/ ) { (83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83541) if (&User-Name =~ /\.\./ ) { (83541) if (&User-Name =~ /\.\./ ) -> FALSE (83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83541) if (&User-Name =~ /\.$/) { (83541) if (&User-Name =~ /\.$/) -> FALSE (83541) if (&User-Name =~ /@\./) { (83541) if (&User-Name =~ /@\./) -> FALSE (83541) } # if (&User-Name) = notfound (83541) } # policy filter_username = notfound (83541) [chap] = noop (83541) [mschap] = noop (83541) suffix: Checking for suffix after "@" (83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83541) suffix: No such realm "NULL" (83541) [suffix] = noop (83541) update control { (83541) &Proxy-To-Realm := LOCAL (83541) } # update control = noop (83541) eap: Peer sent EAP Response (code 2) ID 199 length 6 (83541) eap: No EAP Start, assuming it's an on-going EAP conversation (83541) [eap] = updated (83541) files: Failed resolving UID: No error (83541) files: Failed resolving UID: No error (83541) files: Failed resolving UID: No error (83541) files: Failed resolving UID: No error (83541) files: Failed resolving UID: No error (83541) [files] = noop (83541) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83541) sql: --> host/n65144.mpdft.gov.br (83541) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83541) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (83541) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83541) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id (83541) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (83541) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83541) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority (83541) sql: User not found in any groups (83541) [sql] = notfound (83541) [expiration] = noop (83541) [logintime] = noop (83541) [pap] = noop (83541) } # authorize = updated (83541) Found Auth-Type = eap (83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83541) authenticate { (83541) eap: Expiring EAP session with state 0x9017180393030136 (83541) eap: Finished EAP session with state 0x3abf883e3b78928a (83541) eap: Previous EAP request found for state 0x3abf883e3b78928a, released from the list (83541) eap: Peer sent packet with method EAP MSCHAPv2 (26) (83541) eap: Calling submodule eap_mschapv2 to process data (83541) eap: Sending EAP Success (code 3) ID 199 length 4 (83541) eap: Freeing handler (83541) [eap] = ok (83541) } # authenticate = ok (83541) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (83541) post-auth { (83541) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail (83541) reply_log: --> /var/log/freeradius/radacct/10.34.177.220/reply-detail (83541) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.177.220/reply-detail (83541) reply_log: EXPAND %t (83541) reply_log: --> Tue Jun 23 13:47:25 2020 (83541) [reply_log] = ok (83541) } # post-auth = ok (83541) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 via TLS tunnel) (83541) } # server inner-tunnel (83541) Virtual server sending reply (83541) MS-MPPE-Encryption-Policy = Encryption-Allowed (83541) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (83541) MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747 (83541) MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4 (83541) EAP-Message = 0x03c70004 (83541) Message-Authenticator = 0x00000000000000000000000000000000 (83541) User-Name = "host/n65144.mpdft.gov.br" (83541) eap_peap: Got tunneled reply code 2 (83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747 (83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4 (83541) eap_peap: EAP-Message = 0x03c70004 (83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br" (83541) eap_peap: Got tunneled reply RADIUS code 2 (83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747 (83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4 (83541) eap_peap: EAP-Message = 0x03c70004 (83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br" (83541) eap_peap: Tunneled authentication was successful (83541) eap_peap: SUCCESS (83541) eap: Sending EAP Request (code 1) ID 200 length 46 (83541) eap: EAP session adding &reply:State = 0x592274a551ea6dcf (83541) [eap] = handled (83541) } # authenticate = handled (83541) Using Post-Auth-Type Challenge (83541) Post-Auth-Type sub-section not found. Ignoring. (83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83541) Sent Access-Challenge Id 124 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83541) EAP-Message = 0x01c8002e19001703030023fb13cb712244c0706e6e84e2592d8fff1bee7760032145bba442c608ceedd4c750c687 (83541) Message-Authenticator = 0x00000000000000000000000000000000 (83541) State = 0x592274a551ea6dcf5d11088ba56bbac4 (83541) Finished request (83542) Received Access-Request Id 125 from 10.34.177.220:37268 to 10.34.242.3:1812 length 331 (83542) User-Name = "host/n65144.mpdft.gov.br" (83542) NAS-IP-Address = 10.34.177.220 (83542) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83542) NAS-Port-Id = "00000001" (83542) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83542) NAS-Port-Type = Wireless-802.11 (83542) Event-Timestamp = "Jun 23 2020 13:47:24 -03" (83542) Service-Type = Framed-User (83542) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83542) Connect-Info = "CONNECT 0Mbps 802.11b" (83542) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83542) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83542) WLAN-Pairwise-Cipher = 1027076 (83542) WLAN-Group-Cipher = 1027076 (83542) WLAN-AKM-Suite = 1027073 (83542) Framed-MTU = 1400 (83542) EAP-Message = 0x02c8002e190017030300230000000000000004db3dc05d0228ead2f3ceaf6f5db445f3463c81d6f596111a7e908d (83542) State = 0x592274a551ea6dcf5d11088ba56bbac4 (83542) Message-Authenticator = 0xb85792e60ceecbb66116afddc05d25c5 (83542) session-state: No cached attributes (83542) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (83542) authorize { (83542) policy filter_username { (83542) if (&User-Name) { (83542) if (&User-Name) -> TRUE (83542) if (&User-Name) { (83542) if (&User-Name != "%{tolower:%{User-Name}}") { (83542) EXPAND %{tolower:%{User-Name}} (83542) --> host/n65144.mpdft.gov.br (83542) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (83542) if (&User-Name =~ / /) { (83542) if (&User-Name =~ / /) -> FALSE (83542) if (&User-Name =~ /@[^@]*@/ ) { (83542) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (83542) if (&User-Name =~ /\.\./ ) { (83542) if (&User-Name =~ /\.\./ ) -> FALSE (83542) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (83542) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (83542) if (&User-Name =~ /\.$/) { (83542) if (&User-Name =~ /\.$/) -> FALSE (83542) if (&User-Name =~ /@\./) { (83542) if (&User-Name =~ /@\./) -> FALSE (83542) } # if (&User-Name) = notfound (83542) } # policy filter_username = notfound (83542) [preprocess] = ok (83542) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (83542) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail (83542) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail (83542) auth_log: EXPAND %t (83542) auth_log: --> Tue Jun 23 13:47:25 2020 (83542) [auth_log] = ok (83542) [chap] = noop (83542) [mschap] = noop (83542) [digest] = noop (83542) suffix: Checking for suffix after "@" (83542) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83542) suffix: No such realm "NULL" (83542) [suffix] = noop (83542) eap: Peer sent EAP Response (code 2) ID 200 length 46 (83542) eap: Continuing tunnel setup (83542) [eap] = ok (83542) } # authorize = ok (83542) Found Auth-Type = eap (83542) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (83542) authenticate { (83542) eap: Expiring EAP session with state 0x9017180393030136 (83542) eap: Finished EAP session with state 0x592274a551ea6dcf (83542) eap: Previous EAP request found for state 0x592274a551ea6dcf, released from the list (83542) eap: Peer sent packet with method EAP PEAP (25) (83542) eap: Calling submodule eap_peap to process data (83542) eap_peap: Continuing EAP-TLS (83542) eap_peap: [eaptls verify] = ok (83542) eap_peap: Done initial handshake (83542) eap_peap: [eaptls process] = ok (83542) eap_peap: Session established. Decoding tunneled attributes (83542) eap_peap: PEAP state send tlv success (83542) eap_peap: Received EAP-TLV response (83542) eap_peap: Success (83542) eap: Sending EAP Success (code 3) ID 200 length 4 (83542) eap: Freeing handler (83542) [eap] = ok (83542) } # authenticate = ok (83542) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (83542) post-auth { (83542) update { (83542) No attributes updated (83542) } # update = noop (83542) sql: EXPAND .query (83542) sql: --> .query (83542) sql: Using query template 'query' (83542) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83542) sql: --> host/n65144.mpdft.gov.br (83542) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83542) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp})) (83542) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844)) (83542) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844)) (83542) sql: SQL query returned: success (83542) sql: 1 record(s) updated (83542) [sql] = ok (83542) [exec] = noop (83542) policy remove_reply_message_if_eap { (83542) if (&reply:EAP-Message && &reply:Reply-Message) { (83542) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (83542) else { (83542) [noop] = noop (83542) } # else = noop (83542) } # policy remove_reply_message_if_eap = noop (83542) } # post-auth = ok (83542) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 cli 5C-C9-D3-7C-98-79) (83542) Sent Access-Accept Id 125 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0 (83542) MS-MPPE-Recv-Key = 0xc67d0eee420d607c416ac6b9c783634d1566c5980653e2416d115bd4d80e7ad0 (83542) MS-MPPE-Send-Key = 0xc2093b112098bd8a87cc2799b7cfbabf4a04e544efac9655d813d5cd83885a26 (83542) EAP-Message = 0x03c80004 (83542) Message-Authenticator = 0x00000000000000000000000000000000 (83542) User-Name = "host/n65144.mpdft.gov.br" (83542) Finished request (83565) Received Accounting-Request Id 126 from 10.34.177.220:34685 to 10.34.242.3:1813 length 265 (83565) Acct-Status-Type = Start (83565) Acct-Authentic = RADIUS (83565) User-Name = "host/n65144.mpdft.gov.br" (83565) NAS-IP-Address = 10.34.177.220 (83565) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA" (83565) NAS-Port-Id = "00000001" (83565) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT" (83565) NAS-Port-Type = Wireless-802.11 (83565) Event-Timestamp = "Jun 23 2020 13:47:27 -03" (83565) Service-Type = Framed-User (83565) Calling-Station-Id = "5C-C9-D3-7C-98-79" (83565) Connect-Info = "CONNECT 0Mbps 802.11b" (83565) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4" (83565) Acct-Multi-Session-Id = "BFD32763B61CDC83" (83565) WLAN-Pairwise-Cipher = 1027076 (83565) WLAN-Group-Cipher = 1027076 (83565) WLAN-AKM-Suite = 1027073 (83565) Framed-IP-Address = 172.28.252.122 (83565) Acct-Delay-Time = 0 (83565) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (83565) preacct { (83565) [preprocess] = ok (83565) update request { (83565) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (83565) --> 1592930848 (83565) FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 13:47:28 -03 (83565) } # update request = noop (83565) policy acct_unique { (83565) update request { (83565) Tmp-String-9 := "ai:" (83565) } # update request = noop (83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (83565) EXPAND %{hex:&Class} (83565) --> (83565) EXPAND ^%{hex:&Tmp-String-9} (83565) --> ^61693a (83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (83565) else { (83565) update request { (83565) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}} (83565) --> baf7ceacc097faf87151791ad22e16e8 (83565) &Acct-Unique-Session-Id := baf7ceacc097faf87151791ad22e16e8 (83565) } # update request = noop (83565) } # else = noop (83565) } # policy acct_unique = noop (83565) suffix: Checking for suffix after "@" (83565) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL (83565) suffix: No such realm "NULL" (83565) [suffix] = noop (83565) files: acct_users: Matched entry DEFAULT at line 22 (83565) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (83565) files: --> host/n65144.mpdft.gov.br (83565) [files] = ok (83565) } # preacct = ok (83565) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (83565) accounting { (83565) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (83565) log_accounting: --> Accounting-Request.Start (83565) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) (83565) log_accounting: --> Tue, 23-06-2020 13:47:27 Connect: [host/n65144.mpdft.gov.br] (did 50-D4-F7-5B-96-CA:MPDFT cli 5C-C9-D3-7C-98-79 port ip 172.28.252.122) (83565) log_accounting: EXPAND /var/log/freeradius/linelog-accounting (83565) log_accounting: --> /var/log/freeradius/linelog-accounting (83565) [log_accounting] = ok (83565) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (83565) sql: --> type.start.query (83565) sql: Using query template 'query' (83565) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83565) sql: --> host/n65144.mpdft.gov.br (83565) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83565) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (83565) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet) (83565) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet) (83565) sql: SQL query returned: success (83565) sql: 1 record(s) updated (83565) [sql] = ok (83565) if (&request:Acct-Status-Type == start) { (83565) if (&request:Acct-Status-Type == start) -> TRUE (83565) if (&request:Acct-Status-Type == start) { (83565) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (83565) --> host/n65144.mpdft.gov.br (83565) SQL-User-Name set to 'host/n65144.mpdft.gov.br' (83565) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592930847), AcctUpdateTime = TO_TIMESTAMP(1592930847), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'host/n65144.mpdft.gov.br' AND AcctUniqueId <> 'baf7ceacc097faf87151791ad22e16e8' AND CallingStationId = '5C-C9-D3-7C-98-79' AND AcctStopTime IS NULL (83565) SQL query affected no rows (83565) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL} (83565) --> (83565) } # if (&request:Acct-Status-Type == start) = ok (83565) [exec] = noop (83565) attr_filter.accounting_response: EXPAND %{User-Name} (83565) attr_filter.accounting_response: --> host/n65144.mpdft.gov.br (83565) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (83565) [attr_filter.accounting_response] = updated (83565) } # accounting = updated (83565) Sent Accounting-Response Id 126 from 10.34.242.3:1813 to 10.34.177.220:34685 length 0 (83565) Finished request (83565) Cleaning up request packet ID 126 with timestamp +51982 (83533) Cleaning up request packet ID 116 with timestamp +51979 (83534) Cleaning up request packet ID 117 with timestamp +51979 (83535) Cleaning up request packet ID 118 with timestamp +51979 (83536) Cleaning up request packet ID 119 with timestamp +51979 (83537) Cleaning up request packet ID 120 with timestamp +51979 (83538) Cleaning up request packet ID 121 with timestamp +51979 (83539) Cleaning up request packet ID 122 with timestamp +51979 (83540) Cleaning up request packet ID 123 with timestamp +51979 (83541) Cleaning up request packet ID 124 with timestamp +51979 (83542) Cleaning up request packet ID 125 with timestamp +51979