I've been running and analyzing debug log for a while now... This worked (for 99,9%):
Does it have to be like this?
update outer.session-state { User-Name := &request:User-Name } So I don’t need to block via filter.
Talking to a user, I discovered how these outer users appears: configuring androids anonymous identity (obvius, I know, but I never tried it) Well, as I can't force them to left this field empty, I have to discover why these 0,1% is not working. Here is tow logs: working and one not working (at the botton, if needed, my inner-tunnel e default site-enabled) ============== DEBUG FOR WORKING PACKET ============ (757) Received Access-Request Id 251 from 10.34.87.223:58030 to 10.34.242.3:1812 length 260 (757) User-Name = "321457" (757) NAS-IP-Address = 10.34.87.223 (757) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (757) NAS-Port-Id = "00000001" (757) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (757) NAS-Port-Type = Wireless-802.11 (757) Event-Timestamp = "Jun 24 2020 14:21:10 -03" (757) Service-Type = Framed-User (757) Calling-Station-Id = "70-FD-46-BE-0D-8A" (757) Connect-Info = "CONNECT 0Mbps 802.11b" (757) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (757) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (757) WLAN-Pairwise-Cipher = 1027076 (757) WLAN-Group-Cipher = 1027076 (757) WLAN-AKM-Suite = 1027073 (757) Framed-MTU = 1400 (757) EAP-Message = 0x0243000b01333231343537 (757) Message-Authenticator = 0x5b97d8214a2888c145bf0fefcc4e78d1 (757) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (757) authorize { (757) policy filter_username { (757) if (&User-Name) { (757) if (&User-Name) -> TRUE (757) if (&User-Name) { (757) if (&User-Name != "%{tolower:%{User-Name}}") { (757) EXPAND %{tolower:%{User-Name}} (757) --> 321457 (757) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (757) if (&User-Name =~ /\// ) { (757) if (&User-Name =~ /\// ) -> FALSE (757) if (&User-Name =~ / /) { (757) if (&User-Name =~ / /) -> FALSE (757) if (&User-Name =~ /@[^@]*@/ ) { (757) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (757) if (&User-Name =~ /\.\./ ) { (757) if (&User-Name =~ /\.\./ ) -> FALSE (757) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (757) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (757) if (&User-Name =~ /\.$/) { (757) if (&User-Name =~ /\.$/) -> FALSE (757) if (&User-Name =~ /@\./) { (757) if (&User-Name =~ /@\./) -> FALSE (757) } # if (&User-Name) = notfound (757) } # policy filter_username = notfound (757) policy split_username_nai { (757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (757) update request { (757) EXPAND %{1} (757) --> 321457 (757) &Stripped-User-Name := 321457 (757) EXPAND %{3} (757) --> (757) &Stripped-User-Domain = (757) } # update request = noop (757) [updated] = updated (757) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (757) ... skipping else: Preceding "if" was taken (757) } # policy split_username_nai = updated (757) [preprocess] = ok (757) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (757) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (757) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (757) auth_log: EXPAND %t (757) auth_log: --> Wed Jun 24 14:21:12 2020 (757) [auth_log] = ok (757) [chap] = noop (757) [mschap] = noop (757) [digest] = noop (757) suffix: Checking for suffix after "@" (757) suffix: No '@' in User-Name = "321457", looking up realm NULL (757) suffix: No such realm "NULL" (757) [suffix] = noop (757) eap: Peer sent EAP Response (code 2) ID 67 length 11 (757) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (757) [eap] = ok (757) } # authorize = ok (757) Found Auth-Type = eap (757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (757) authenticate { (757) eap: Peer sent packet with method EAP Identity (1) (757) eap: Calling submodule eap_md5 to process data (757) eap_md5: Issuing MD5 Challenge (757) eap: Sending EAP Request (code 1) ID 68 length 22 (757) eap: EAP session adding &reply:State = 0xa44f7f64a40b7b04 (757) [eap] = handled (757) } # authenticate = handled (757) Using Post-Auth-Type Challenge (757) Post-Auth-Type sub-section not found. Ignoring. (757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (757) Sent Access-Challenge Id 251 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (757) EAP-Message = 0x0144001604107b9dac6052ee6e19390d5bcefa2b7bfd (757) Message-Authenticator = 0x00000000000000000000000000000000 (757) State = 0xa44f7f64a40b7b04dd9f2a05e7c26035 (757) Finished request (760) Received Access-Request Id 252 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273 (760) User-Name = "321457" (760) NAS-IP-Address = 10.34.87.223 (760) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (760) NAS-Port-Id = "00000001" (760) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (760) NAS-Port-Type = Wireless-802.11 (760) Event-Timestamp = "Jun 24 2020 14:21:10 -03" (760) Service-Type = Framed-User (760) Calling-Station-Id = "70-FD-46-BE-0D-8A" (760) Connect-Info = "CONNECT 0Mbps 802.11b" (760) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (760) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (760) WLAN-Pairwise-Cipher = 1027076 (760) WLAN-Group-Cipher = 1027076 (760) WLAN-AKM-Suite = 1027073 (760) Framed-MTU = 1400 (760) EAP-Message = 0x024400060319 (760) State = 0xa44f7f64a40b7b04dd9f2a05e7c26035 (760) Message-Authenticator = 0xc5f7d82f6510961bc609c44849336443 (760) session-state: No cached attributes (760) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (760) authorize { (760) policy filter_username { (760) if (&User-Name) { (760) if (&User-Name) -> TRUE (760) if (&User-Name) { (760) if (&User-Name != "%{tolower:%{User-Name}}") { (760) EXPAND %{tolower:%{User-Name}} (760) --> 321457 (760) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (760) if (&User-Name =~ /\// ) { (760) if (&User-Name =~ /\// ) -> FALSE (760) if (&User-Name =~ / /) { (760) if (&User-Name =~ / /) -> FALSE (760) if (&User-Name =~ /@[^@]*@/ ) { (760) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (760) if (&User-Name =~ /\.\./ ) { (760) if (&User-Name =~ /\.\./ ) -> FALSE (760) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (760) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (760) if (&User-Name =~ /\.$/) { (760) if (&User-Name =~ /\.$/) -> FALSE (760) if (&User-Name =~ /@\./) { (760) if (&User-Name =~ /@\./) -> FALSE (760) } # if (&User-Name) = notfound (760) } # policy filter_username = notfound (760) policy split_username_nai { (760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (760) update request { (760) EXPAND %{1} (760) --> 321457 (760) &Stripped-User-Name := 321457 (760) EXPAND %{3} (760) --> (760) &Stripped-User-Domain = (760) } # update request = noop (760) [updated] = updated (760) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (760) ... skipping else: Preceding "if" was taken (760) } # policy split_username_nai = updated (760) [preprocess] = ok (760) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (760) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (760) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (760) auth_log: EXPAND %t (760) auth_log: --> Wed Jun 24 14:21:13 2020 (760) [auth_log] = ok (760) [chap] = noop (760) [mschap] = noop (760) [digest] = noop (760) suffix: Checking for suffix after "@" (760) suffix: No '@' in User-Name = "321457", looking up realm NULL (760) suffix: No such realm "NULL" (760) [suffix] = noop (760) eap: Peer sent EAP Response (code 2) ID 68 length 6 (760) eap: No EAP Start, assuming it's an on-going EAP conversation (760) [eap] = updated (760) files: Failed resolving UID: No error (760) files: Failed resolving UID: No error (760) files: Failed resolving UID: No error (760) files: Failed resolving UID: No error (760) files: Failed resolving UID: No error (760) [files] = noop (760) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (760) sql: --> 321457 (760) sql: SQL-User-Name set to '321457' (760) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (760) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id (760) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id (760) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (760) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority (760) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority (760) sql: User not found in any groups (760) [sql] = notfound (760) [expiration] = noop (760) [logintime] = noop (760) if (ok) { (760) if (ok) -> FALSE (760) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (760) pap: WARNING: Authentication will fail unless a "known good" password is available (760) [pap] = noop (760) } # authorize = updated (760) Found Auth-Type = eap (760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (760) authenticate { (760) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (760) eap: Finished EAP session with state 0xa44f7f64a40b7b04 (760) eap: Previous EAP request found for state 0xa44f7f64a40b7b04, released from the list (760) eap: Peer sent packet with method EAP NAK (3) (760) eap: Found mutually acceptable type PEAP (25) (760) eap: Calling submodule eap_peap to process data (760) eap_peap: Initiating new EAP-TLS session (760) eap_peap: [eaptls start] = request (760) eap: Sending EAP Request (code 1) ID 69 length 6 (760) eap: EAP session adding &reply:State = 0xa44f7f64a50a6604 (760) [eap] = handled (760) } # authenticate = handled (760) Using Post-Auth-Type Challenge (760) Post-Auth-Type sub-section not found. Ignoring. (760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (760) Sent Access-Challenge Id 252 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (760) EAP-Message = 0x014500061920 (760) Message-Authenticator = 0x00000000000000000000000000000000 (760) State = 0xa44f7f64a50a6604dd9f2a05e7c26035 (760) Finished request (763) Received Access-Request Id 253 from 10.34.87.223:58030 to 10.34.242.3:1812 length 438 (763) User-Name = "321457" (763) NAS-IP-Address = 10.34.87.223 (763) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (763) NAS-Port-Id = "00000001" (763) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (763) NAS-Port-Type = Wireless-802.11 (763) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (763) Service-Type = Framed-User (763) Calling-Station-Id = "70-FD-46-BE-0D-8A" (763) Connect-Info = "CONNECT 0Mbps 802.11b" (763) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (763) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (763) WLAN-Pairwise-Cipher = 1027076 (763) WLAN-Group-Cipher = 1027076 (763) WLAN-AKM-Suite = 1027073 (763) Framed-MTU = 1400 (763) EAP-Message = 0x024500ab1980000000a1160301009c01000098030381b72e1f7d9acc726933c5b2658331ef8cc8806b275a6f9d6b23f15fe385d85400003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000 (763) State = 0xa44f7f64a50a6604dd9f2a05e7c26035 (763) Message-Authenticator = 0xc101a5cabfd2b6dc7fd2863e25399ace (763) session-state: No cached attributes (763) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (763) authorize { (763) policy filter_username { (763) if (&User-Name) { (763) if (&User-Name) -> TRUE (763) if (&User-Name) { (763) if (&User-Name != "%{tolower:%{User-Name}}") { (763) EXPAND %{tolower:%{User-Name}} (763) --> 321457 (763) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (763) if (&User-Name =~ /\// ) { (763) if (&User-Name =~ /\// ) -> FALSE (763) if (&User-Name =~ / /) { (763) if (&User-Name =~ / /) -> FALSE (763) if (&User-Name =~ /@[^@]*@/ ) { (763) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (763) if (&User-Name =~ /\.\./ ) { (763) if (&User-Name =~ /\.\./ ) -> FALSE (763) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (763) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (763) if (&User-Name =~ /\.$/) { (763) if (&User-Name =~ /\.$/) -> FALSE (763) if (&User-Name =~ /@\./) { (763) if (&User-Name =~ /@\./) -> FALSE (763) } # if (&User-Name) = notfound (763) } # policy filter_username = notfound (763) policy split_username_nai { (763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (763) update request { (763) EXPAND %{1} (763) --> 321457 (763) &Stripped-User-Name := 321457 (763) EXPAND %{3} (763) --> (763) &Stripped-User-Domain = (763) } # update request = noop (763) [updated] = updated (763) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (763) ... skipping else: Preceding "if" was taken (763) } # policy split_username_nai = updated (763) [preprocess] = ok (763) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (763) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (763) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (763) auth_log: EXPAND %t (763) auth_log: --> Wed Jun 24 14:21:13 2020 (763) [auth_log] = ok (763) [chap] = noop (763) [mschap] = noop (763) [digest] = noop (763) suffix: Checking for suffix after "@" (763) suffix: No '@' in User-Name = "321457", looking up realm NULL (763) suffix: No such realm "NULL" (763) [suffix] = noop (763) eap: Peer sent EAP Response (code 2) ID 69 length 171 (763) eap: Continuing tunnel setup (763) [eap] = ok (763) } # authorize = ok (763) Found Auth-Type = eap (763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (763) authenticate { (763) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (763) eap: Finished EAP session with state 0xa44f7f64a50a6604 (763) eap: Previous EAP request found for state 0xa44f7f64a50a6604, released from the list (763) eap: Peer sent packet with method EAP PEAP (25) (763) eap: Calling submodule eap_peap to process data (763) eap_peap: Continuing EAP-TLS (763) eap_peap: Peer indicated complete TLS record size will be 161 bytes (763) eap_peap: Got complete TLS record (161 bytes) (763) eap_peap: [eaptls verify] = length included (763) eap_peap: (other): before SSL initialization (763) eap_peap: TLS_accept: before SSL initialization (763) eap_peap: TLS_accept: before SSL initialization (763) eap_peap: <<< recv TLS 1.2 [length 009c] (763) eap_peap: TLS_accept: SSLv3/TLS read client hello (763) eap_peap: >>> send TLS 1.2 [length 003d] (763) eap_peap: TLS_accept: SSLv3/TLS write server hello (763) eap_peap: >>> send TLS 1.2 [length 0309] (763) eap_peap: TLS_accept: SSLv3/TLS write certificate (763) eap_peap: >>> send TLS 1.2 [length 014d] (763) eap_peap: TLS_accept: SSLv3/TLS write key exchange (763) eap_peap: >>> send TLS 1.2 [length 0004] (763) eap_peap: TLS_accept: SSLv3/TLS write server done (763) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (763) eap_peap: In SSL Handshake Phase (763) eap_peap: In SSL Accept mode (763) eap_peap: [eaptls process] = handled (763) eap: Sending EAP Request (code 1) ID 70 length 1004 (763) eap: EAP session adding &reply:State = 0xa44f7f64a6096604 (763) [eap] = handled (763) } # authenticate = handled (763) Using Post-Auth-Type Challenge (763) Post-Auth-Type sub-section not found. Ignoring. (763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (763) Sent Access-Challenge Id 253 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (763) EAP-Message = 0x014603ec19c0000004ab160303003d0200003903031421541e93d31add097acc5d5c4b54d61a77aadc4239976b7410b514c7153cdb00c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609 (763) Message-Authenticator = 0x00000000000000000000000000000000 (763) State = 0xa44f7f64a6096604dd9f2a05e7c26035 (763) Finished request (764) Received Access-Request Id 254 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273 (764) User-Name = "321457" (764) NAS-IP-Address = 10.34.87.223 (764) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (764) NAS-Port-Id = "00000001" (764) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (764) NAS-Port-Type = Wireless-802.11 (764) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (764) Service-Type = Framed-User (764) Calling-Station-Id = "70-FD-46-BE-0D-8A" (764) Connect-Info = "CONNECT 0Mbps 802.11b" (764) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (764) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (764) WLAN-Pairwise-Cipher = 1027076 (764) WLAN-Group-Cipher = 1027076 (764) WLAN-AKM-Suite = 1027073 (764) Framed-MTU = 1400 (764) EAP-Message = 0x024600061900 (764) State = 0xa44f7f64a6096604dd9f2a05e7c26035 (764) Message-Authenticator = 0x8e9c53dd077cd7d0230acfb260c8aed6 (764) session-state: No cached attributes (764) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (764) authorize { (764) policy filter_username { (764) if (&User-Name) { (764) if (&User-Name) -> TRUE (764) if (&User-Name) { (764) if (&User-Name != "%{tolower:%{User-Name}}") { (764) EXPAND %{tolower:%{User-Name}} (764) --> 321457 (764) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (764) if (&User-Name =~ /\// ) { (764) if (&User-Name =~ /\// ) -> FALSE (764) if (&User-Name =~ / /) { (764) if (&User-Name =~ / /) -> FALSE (764) if (&User-Name =~ /@[^@]*@/ ) { (764) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (764) if (&User-Name =~ /\.\./ ) { (764) if (&User-Name =~ /\.\./ ) -> FALSE (764) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (764) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (764) if (&User-Name =~ /\.$/) { (764) if (&User-Name =~ /\.$/) -> FALSE (764) if (&User-Name =~ /@\./) { (764) if (&User-Name =~ /@\./) -> FALSE (764) } # if (&User-Name) = notfound (764) } # policy filter_username = notfound (764) policy split_username_nai { (764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (764) update request { (764) EXPAND %{1} (764) --> 321457 (764) &Stripped-User-Name := 321457 (764) EXPAND %{3} (764) --> (764) &Stripped-User-Domain = (764) } # update request = noop (764) [updated] = updated (764) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (764) ... skipping else: Preceding "if" was taken (764) } # policy split_username_nai = updated (764) [preprocess] = ok (764) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (764) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (764) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (764) auth_log: EXPAND %t (764) auth_log: --> Wed Jun 24 14:21:13 2020 (764) [auth_log] = ok (764) [chap] = noop (764) [mschap] = noop (764) [digest] = noop (764) suffix: Checking for suffix after "@" (764) suffix: No '@' in User-Name = "321457", looking up realm NULL (764) suffix: No such realm "NULL" (764) [suffix] = noop (764) eap: Peer sent EAP Response (code 2) ID 70 length 6 (764) eap: Continuing tunnel setup (764) [eap] = ok (764) } # authorize = ok (764) Found Auth-Type = eap (764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (764) authenticate { (764) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (764) eap: Finished EAP session with state 0xa44f7f64a6096604 (764) eap: Previous EAP request found for state 0xa44f7f64a6096604, released from the list (764) eap: Peer sent packet with method EAP PEAP (25) (764) eap: Calling submodule eap_peap to process data (764) eap_peap: Continuing EAP-TLS (764) eap_peap: Peer ACKed our handshake fragment (764) eap_peap: [eaptls verify] = request (764) eap_peap: [eaptls process] = handled (764) eap: Sending EAP Request (code 1) ID 71 length 207 (764) eap: EAP session adding &reply:State = 0xa44f7f64a7086604 (764) [eap] = handled (764) } # authenticate = handled (764) Using Post-Auth-Type Challenge (764) Post-Auth-Type sub-section not found. Ignoring. (764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (764) Sent Access-Challenge Id 254 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (764) EAP-Message = 0x014700cf1900e61bd97b1dc7439c95566d9ae87f362b9195be7adc3f77b668a41bed7f9dd833ba6250b3cd63779058702bc59c08b96f2628c0762cd1014094155e90b96601fa2b38b786eb4c5783ac98bb79901a11cf2c84319de6937e6fde7385cdd97d4fec1f6035d8a61bf158ce7f8fa1f4c9356473 (764) Message-Authenticator = 0x00000000000000000000000000000000 (764) State = 0xa44f7f64a7086604dd9f2a05e7c26035 (764) Finished request (765) Received Access-Request Id 255 from 10.34.87.223:58030 to 10.34.242.3:1812 length 403 (765) User-Name = "321457" (765) NAS-IP-Address = 10.34.87.223 (765) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (765) NAS-Port-Id = "00000001" (765) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (765) NAS-Port-Type = Wireless-802.11 (765) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (765) Service-Type = Framed-User (765) Calling-Station-Id = "70-FD-46-BE-0D-8A" (765) Connect-Info = "CONNECT 0Mbps 802.11b" (765) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (765) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (765) WLAN-Pairwise-Cipher = 1027076 (765) WLAN-Group-Cipher = 1027076 (765) WLAN-AKM-Suite = 1027073 (765) Framed-MTU = 1400 (765) EAP-Message = 0x0247008819800000007e16030300461000004241040108ad053cb70377bd49ebd354b63037f761b15e1ab5440b5585714f3229f0bc82b38369a49acea7dce100805920db3e47dabfc2d08bffca2c25dbe63625dca51403030001011603030028000000000000000075b1ccb921c95a58aa06c792ed58f4 (765) State = 0xa44f7f64a7086604dd9f2a05e7c26035 (765) Message-Authenticator = 0x8ba6a03d424e4961b4bd0fadf8e7e500 (765) session-state: No cached attributes (765) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (765) authorize { (765) policy filter_username { (765) if (&User-Name) { (765) if (&User-Name) -> TRUE (765) if (&User-Name) { (765) if (&User-Name != "%{tolower:%{User-Name}}") { (765) EXPAND %{tolower:%{User-Name}} (765) --> 321457 (765) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (765) if (&User-Name =~ /\// ) { (765) if (&User-Name =~ /\// ) -> FALSE (765) if (&User-Name =~ / /) { (765) if (&User-Name =~ / /) -> FALSE (765) if (&User-Name =~ /@[^@]*@/ ) { (765) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (765) if (&User-Name =~ /\.\./ ) { (765) if (&User-Name =~ /\.\./ ) -> FALSE (765) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (765) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (765) if (&User-Name =~ /\.$/) { (765) if (&User-Name =~ /\.$/) -> FALSE (765) if (&User-Name =~ /@\./) { (765) if (&User-Name =~ /@\./) -> FALSE (765) } # if (&User-Name) = notfound (765) } # policy filter_username = notfound (765) policy split_username_nai { (765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (765) update request { (765) EXPAND %{1} (765) --> 321457 (765) &Stripped-User-Name := 321457 (765) EXPAND %{3} (765) --> (765) &Stripped-User-Domain = (765) } # update request = noop (765) [updated] = updated (765) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (765) ... skipping else: Preceding "if" was taken (765) } # policy split_username_nai = updated (765) [preprocess] = ok (765) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (765) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (765) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (765) auth_log: EXPAND %t (765) auth_log: --> Wed Jun 24 14:21:13 2020 (765) [auth_log] = ok (765) [chap] = noop (765) [mschap] = noop (765) [digest] = noop (765) suffix: Checking for suffix after "@" (765) suffix: No '@' in User-Name = "321457", looking up realm NULL (765) suffix: No such realm "NULL" (765) [suffix] = noop (765) eap: Peer sent EAP Response (code 2) ID 71 length 136 (765) eap: Continuing tunnel setup (765) [eap] = ok (765) } # authorize = ok (765) Found Auth-Type = eap (765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (765) authenticate { (765) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (765) eap: Finished EAP session with state 0xa44f7f64a7086604 (765) eap: Previous EAP request found for state 0xa44f7f64a7086604, released from the list (765) eap: Peer sent packet with method EAP PEAP (25) (765) eap: Calling submodule eap_peap to process data (765) eap_peap: Continuing EAP-TLS (765) eap_peap: Peer indicated complete TLS record size will be 126 bytes (765) eap_peap: Got complete TLS record (126 bytes) (765) eap_peap: [eaptls verify] = length included (765) eap_peap: TLS_accept: SSLv3/TLS write server done (765) eap_peap: <<< recv TLS 1.2 [length 0046] (765) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (765) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (765) eap_peap: <<< recv TLS 1.2 [length 0010] (765) eap_peap: TLS_accept: SSLv3/TLS read finished (765) eap_peap: >>> send TLS 1.2 [length 0001] (765) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (765) eap_peap: >>> send TLS 1.2 [length 0010] (765) eap_peap: TLS_accept: SSLv3/TLS write finished (765) eap_peap: (other): SSL negotiation finished successfully (765) eap_peap: SSL Connection Established (765) eap_peap: [eaptls process] = handled (765) eap: Sending EAP Request (code 1) ID 72 length 57 (765) eap: EAP session adding &reply:State = 0xa44f7f64a0076604 (765) [eap] = handled (765) } # authenticate = handled (765) Using Post-Auth-Type Challenge (765) Post-Auth-Type sub-section not found. Ignoring. (765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (765) Sent Access-Challenge Id 255 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (765) EAP-Message = 0x0148003919001403030001011603030028a3eb5bde72e8f757a60ca8a9b6b7f7ba318970644cc8cf9cedfe251fd9659666083fe867938067b1 (765) Message-Authenticator = 0x00000000000000000000000000000000 (765) State = 0xa44f7f64a0076604dd9f2a05e7c26035 (765) Finished request (766) Received Access-Request Id 0 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273 (766) User-Name = "321457" (766) NAS-IP-Address = 10.34.87.223 (766) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (766) NAS-Port-Id = "00000001" (766) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (766) NAS-Port-Type = Wireless-802.11 (766) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (766) Service-Type = Framed-User (766) Calling-Station-Id = "70-FD-46-BE-0D-8A" (766) Connect-Info = "CONNECT 0Mbps 802.11b" (766) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (766) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (766) WLAN-Pairwise-Cipher = 1027076 (766) WLAN-Group-Cipher = 1027076 (766) WLAN-AKM-Suite = 1027073 (766) Framed-MTU = 1400 (766) EAP-Message = 0x024800061900 (766) State = 0xa44f7f64a0076604dd9f2a05e7c26035 (766) Message-Authenticator = 0x34618cd7843285417f2bf22c018e9956 (766) session-state: No cached attributes (766) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (766) authorize { (766) policy filter_username { (766) if (&User-Name) { (766) if (&User-Name) -> TRUE (766) if (&User-Name) { (766) if (&User-Name != "%{tolower:%{User-Name}}") { (766) EXPAND %{tolower:%{User-Name}} (766) --> 321457 (766) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (766) if (&User-Name =~ /\// ) { (766) if (&User-Name =~ /\// ) -> FALSE (766) if (&User-Name =~ / /) { (766) if (&User-Name =~ / /) -> FALSE (766) if (&User-Name =~ /@[^@]*@/ ) { (766) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (766) if (&User-Name =~ /\.\./ ) { (766) if (&User-Name =~ /\.\./ ) -> FALSE (766) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (766) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (766) if (&User-Name =~ /\.$/) { (766) if (&User-Name =~ /\.$/) -> FALSE (766) if (&User-Name =~ /@\./) { (766) if (&User-Name =~ /@\./) -> FALSE (766) } # if (&User-Name) = notfound (766) } # policy filter_username = notfound (766) policy split_username_nai { (766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (766) update request { (766) EXPAND %{1} (766) --> 321457 (766) &Stripped-User-Name := 321457 (766) EXPAND %{3} (766) --> (766) &Stripped-User-Domain = (766) } # update request = noop (766) [updated] = updated (766) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (766) ... skipping else: Preceding "if" was taken (766) } # policy split_username_nai = updated (766) [preprocess] = ok (766) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (766) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (766) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (766) auth_log: EXPAND %t (766) auth_log: --> Wed Jun 24 14:21:13 2020 (766) [auth_log] = ok (766) [chap] = noop (766) [mschap] = noop (766) [digest] = noop (766) suffix: Checking for suffix after "@" (766) suffix: No '@' in User-Name = "321457", looking up realm NULL (766) suffix: No such realm "NULL" (766) [suffix] = noop (766) eap: Peer sent EAP Response (code 2) ID 72 length 6 (766) eap: Continuing tunnel setup (766) [eap] = ok (766) } # authorize = ok (766) Found Auth-Type = eap (766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (766) authenticate { (766) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (766) eap: Finished EAP session with state 0xa44f7f64a0076604 (766) eap: Previous EAP request found for state 0xa44f7f64a0076604, released from the list (766) eap: Peer sent packet with method EAP PEAP (25) (766) eap: Calling submodule eap_peap to process data (766) eap_peap: Continuing EAP-TLS (766) eap_peap: Peer ACKed our handshake fragment. handshake is finished (766) eap_peap: [eaptls verify] = success (766) eap_peap: [eaptls process] = success (766) eap_peap: Session established. Decoding tunneled attributes (766) eap_peap: PEAP state TUNNEL ESTABLISHED (766) eap: Sending EAP Request (code 1) ID 73 length 40 (766) eap: EAP session adding &reply:State = 0xa44f7f64a1066604 (766) [eap] = handled (766) } # authenticate = handled (766) Using Post-Auth-Type Challenge (766) Post-Auth-Type sub-section not found. Ignoring. (766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (766) Sent Access-Challenge Id 0 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (766) EAP-Message = 0x014900281900170303001da3eb5bde72e8f7589f7933f043a7f8fd1d94a80bca8a3e4b7ca1a17bc4 (766) Message-Authenticator = 0x00000000000000000000000000000000 (766) State = 0xa44f7f64a1066604dd9f2a05e7c26035 (766) Finished request (769) Received Access-Request Id 1 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313 (769) User-Name = "321457" (769) NAS-IP-Address = 10.34.87.223 (769) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (769) NAS-Port-Id = "00000001" (769) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (769) NAS-Port-Type = Wireless-802.11 (769) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (769) Service-Type = Framed-User (769) Calling-Station-Id = "70-FD-46-BE-0D-8A" (769) Connect-Info = "CONNECT 0Mbps 802.11b" (769) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (769) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (769) WLAN-Pairwise-Cipher = 1027076 (769) WLAN-Group-Cipher = 1027076 (769) WLAN-AKM-Suite = 1027073 (769) Framed-MTU = 1400 (769) EAP-Message = 0x0249002e1900170303002300000000000000015379bd5554b89258e3f28428fd044c453ae83a5bb03868943f5ae8 (769) State = 0xa44f7f64a1066604dd9f2a05e7c26035 (769) Message-Authenticator = 0x42020da0a72aa257ddd03a35e6524652 (769) session-state: No cached attributes (769) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (769) authorize { (769) policy filter_username { (769) if (&User-Name) { (769) if (&User-Name) -> TRUE (769) if (&User-Name) { (769) if (&User-Name != "%{tolower:%{User-Name}}") { (769) EXPAND %{tolower:%{User-Name}} (769) --> 321457 (769) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (769) if (&User-Name =~ /\// ) { (769) if (&User-Name =~ /\// ) -> FALSE (769) if (&User-Name =~ / /) { (769) if (&User-Name =~ / /) -> FALSE (769) if (&User-Name =~ /@[^@]*@/ ) { (769) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (769) if (&User-Name =~ /\.\./ ) { (769) if (&User-Name =~ /\.\./ ) -> FALSE (769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (769) if (&User-Name =~ /\.$/) { (769) if (&User-Name =~ /\.$/) -> FALSE (769) if (&User-Name =~ /@\./) { (769) if (&User-Name =~ /@\./) -> FALSE (769) } # if (&User-Name) = notfound (769) } # policy filter_username = notfound (769) policy split_username_nai { (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (769) update request { (769) EXPAND %{1} (769) --> 321457 (769) &Stripped-User-Name := 321457 (769) EXPAND %{3} (769) --> (769) &Stripped-User-Domain = (769) } # update request = noop (769) [updated] = updated (769) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (769) ... skipping else: Preceding "if" was taken (769) } # policy split_username_nai = updated (769) [preprocess] = ok (769) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (769) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (769) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (769) auth_log: EXPAND %t (769) auth_log: --> Wed Jun 24 14:21:13 2020 (769) [auth_log] = ok (769) [chap] = noop (769) [mschap] = noop (769) [digest] = noop (769) suffix: Checking for suffix after "@" (769) suffix: No '@' in User-Name = "321457", looking up realm NULL (769) suffix: No such realm "NULL" (769) [suffix] = noop (769) eap: Peer sent EAP Response (code 2) ID 73 length 46 (769) eap: Continuing tunnel setup (769) [eap] = ok (769) } # authorize = ok (769) Found Auth-Type = eap (769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (769) authenticate { (769) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (769) eap: Finished EAP session with state 0xa44f7f64a1066604 (769) eap: Previous EAP request found for state 0xa44f7f64a1066604, released from the list (769) eap: Peer sent packet with method EAP PEAP (25) (769) eap: Calling submodule eap_peap to process data (769) eap_peap: Continuing EAP-TLS (769) eap_peap: [eaptls verify] = ok (769) eap_peap: Done initial handshake (769) eap_peap: [eaptls process] = ok (769) eap_peap: Session established. Decoding tunneled attributes (769) eap_peap: PEAP state WAITING FOR INNER IDENTITY (769) eap_peap: Identity - joao.bosco (769) eap_peap: Got inner identity 'joao.bosco' (769) eap_peap: Setting default EAP type for tunneled EAP session (769) eap_peap: Got tunneled request (769) eap_peap: EAP-Message = 0x0249000f016a6f616f2e626f73636f (769) eap_peap: Setting User-Name to joao.bosco (769) eap_peap: Sending tunneled request to inner-tunnel (769) eap_peap: EAP-Message = 0x0249000f016a6f616f2e626f73636f (769) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (769) eap_peap: User-Name = "joao.bosco" (769) Virtual server inner-tunnel received request (769) EAP-Message = 0x0249000f016a6f616f2e626f73636f (769) FreeRADIUS-Proxied-To = 127.0.0.1 (769) User-Name = "joao.bosco" (769) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (769) server inner-tunnel { (769) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (769) authorize { (769) policy filter_username { (769) if (&User-Name) { (769) if (&User-Name) -> TRUE (769) if (&User-Name) { (769) if (&User-Name != "%{tolower:%{User-Name}}") { (769) EXPAND %{tolower:%{User-Name}} (769) --> joao.bosco (769) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (769) if (&User-Name =~ /\// ) { (769) if (&User-Name =~ /\// ) -> FALSE (769) if (&User-Name =~ / /) { (769) if (&User-Name =~ / /) -> FALSE (769) if (&User-Name =~ /@[^@]*@/ ) { (769) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (769) if (&User-Name =~ /\.\./ ) { (769) if (&User-Name =~ /\.\./ ) -> FALSE (769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (769) if (&User-Name =~ /\.$/) { (769) if (&User-Name =~ /\.$/) -> FALSE (769) if (&User-Name =~ /@\./) { (769) if (&User-Name =~ /@\./) -> FALSE (769) } # if (&User-Name) = notfound (769) } # policy filter_username = notfound (769) policy split_username_nai { (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (769) update request { (769) EXPAND %{1} (769) --> joao.bosco (769) &Stripped-User-Name := joao.bosco (769) EXPAND %{3} (769) --> (769) &Stripped-User-Domain = (769) } # update request = noop (769) [updated] = updated (769) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (769) ... skipping else: Preceding "if" was taken (769) } # policy split_username_nai = updated (769) [chap] = noop (769) [mschap] = noop (769) suffix: Checking for suffix after "@" (769) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL (769) suffix: No such realm "NULL" (769) [suffix] = noop (769) update control { (769) &Proxy-To-Realm := LOCAL (769) } # update control = noop (769) eap: Peer sent EAP Response (code 2) ID 73 length 15 (769) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (769) [eap] = ok (769) } # authorize = ok (769) Found Auth-Type = eap (769) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (769) authenticate { (769) eap: Peer sent packet with method EAP Identity (1) (769) eap: Calling submodule eap_mschapv2 to process data (769) eap_mschapv2: Issuing Challenge (769) eap: Sending EAP Request (code 1) ID 74 length 43 (769) eap: EAP session adding &reply:State = 0x51d9eef05193f45a (769) [eap] = handled (769) } # authenticate = handled (769) } # server inner-tunnel (769) Virtual server sending reply (769) EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132 (769) Message-Authenticator = 0x00000000000000000000000000000000 (769) State = 0x51d9eef05193f45af86aca3e309ab33f (769) eap_peap: Got tunneled reply code 11 (769) eap_peap: EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132 (769) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (769) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f (769) eap_peap: Got tunneled reply RADIUS code 11 (769) eap_peap: EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132 (769) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (769) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f (769) eap_peap: Got tunneled Access-Challenge (769) eap: Sending EAP Request (code 1) ID 74 length 74 (769) eap: EAP session adding &reply:State = 0xa44f7f64a2056604 (769) [eap] = handled (769) } # authenticate = handled (769) Using Post-Auth-Type Challenge (769) Post-Auth-Type sub-section not found. Ignoring. (769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (769) Sent Access-Challenge Id 1 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (769) EAP-Message = 0x014a004a1900170303003fa3eb5bde72e8f75908b3a5551d4fd734c4be4e09e9211c532244f154694140ee39a2a5221652cfa9ab03c3479ac2e7d73997491148efc814c98268d04423e2 (769) Message-Authenticator = 0x00000000000000000000000000000000 (769) State = 0xa44f7f64a2056604dd9f2a05e7c26035 (769) Finished request (770) Received Access-Request Id 2 from 10.34.87.223:58030 to 10.34.242.3:1812 length 367 (770) User-Name = "321457" (770) NAS-IP-Address = 10.34.87.223 (770) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (770) NAS-Port-Id = "00000001" (770) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (770) NAS-Port-Type = Wireless-802.11 (770) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (770) Service-Type = Framed-User (770) Calling-Station-Id = "70-FD-46-BE-0D-8A" (770) Connect-Info = "CONNECT 0Mbps 802.11b" (770) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (770) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (770) WLAN-Pairwise-Cipher = 1027076 (770) WLAN-Group-Cipher = 1027076 (770) WLAN-AKM-Suite = 1027073 (770) Framed-MTU = 1400 (770) EAP-Message = 0x024a00641900170303005900000000000000029179f847ab4dc2d21f2daf73a3a77edf63beb405acfc69222021171c355883591ce3ae2d5f00b46c89c17d09604e3f7e028edc15852a723a23f6c06096e82ea8b599cf339177286214a3a99b316b259513 (770) State = 0xa44f7f64a2056604dd9f2a05e7c26035 (770) Message-Authenticator = 0x64fa5d7bb2a5e5c26483f9babb52af0e (770) session-state: No cached attributes (770) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (770) authorize { (770) policy filter_username { (770) if (&User-Name) { (770) if (&User-Name) -> TRUE (770) if (&User-Name) { (770) if (&User-Name != "%{tolower:%{User-Name}}") { (770) EXPAND %{tolower:%{User-Name}} (770) --> 321457 (770) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (770) if (&User-Name =~ /\// ) { (770) if (&User-Name =~ /\// ) -> FALSE (770) if (&User-Name =~ / /) { (770) if (&User-Name =~ / /) -> FALSE (770) if (&User-Name =~ /@[^@]*@/ ) { (770) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (770) if (&User-Name =~ /\.\./ ) { (770) if (&User-Name =~ /\.\./ ) -> FALSE (770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (770) if (&User-Name =~ /\.$/) { (770) if (&User-Name =~ /\.$/) -> FALSE (770) if (&User-Name =~ /@\./) { (770) if (&User-Name =~ /@\./) -> FALSE (770) } # if (&User-Name) = notfound (770) } # policy filter_username = notfound (770) policy split_username_nai { (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (770) update request { (770) EXPAND %{1} (770) --> 321457 (770) &Stripped-User-Name := 321457 (770) EXPAND %{3} (770) --> (770) &Stripped-User-Domain = (770) } # update request = noop (770) [updated] = updated (770) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (770) ... skipping else: Preceding "if" was taken (770) } # policy split_username_nai = updated (770) [preprocess] = ok (770) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (770) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (770) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (770) auth_log: EXPAND %t (770) auth_log: --> Wed Jun 24 14:21:13 2020 (770) [auth_log] = ok (770) [chap] = noop (770) [mschap] = noop (770) [digest] = noop (770) suffix: Checking for suffix after "@" (770) suffix: No '@' in User-Name = "321457", looking up realm NULL (770) suffix: No such realm "NULL" (770) [suffix] = noop (770) eap: Peer sent EAP Response (code 2) ID 74 length 100 (770) eap: Continuing tunnel setup (770) [eap] = ok (770) } # authorize = ok (770) Found Auth-Type = eap (770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (770) authenticate { (770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (770) eap: Finished EAP session with state 0xa44f7f64a2056604 (770) eap: Previous EAP request found for state 0xa44f7f64a2056604, released from the list (770) eap: Peer sent packet with method EAP PEAP (25) (770) eap: Calling submodule eap_peap to process data (770) eap_peap: Continuing EAP-TLS (770) eap_peap: [eaptls verify] = ok (770) eap_peap: Done initial handshake (770) eap_peap: [eaptls process] = ok (770) eap_peap: Session established. Decoding tunneled attributes (770) eap_peap: PEAP state phase2 (770) eap_peap: EAP method MSCHAPv2 (26) (770) eap_peap: Got tunneled request (770) eap_peap: EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f (770) eap_peap: Setting User-Name to joao.bosco (770) eap_peap: Sending tunneled request to inner-tunnel (770) eap_peap: EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f (770) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (770) eap_peap: User-Name = "joao.bosco" (770) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f (770) Virtual server inner-tunnel received request (770) EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f (770) FreeRADIUS-Proxied-To = 127.0.0.1 (770) User-Name = "joao.bosco" (770) State = 0x51d9eef05193f45af86aca3e309ab33f (770) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (770) server inner-tunnel { (770) session-state: No cached attributes (770) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (770) authorize { (770) policy filter_username { (770) if (&User-Name) { (770) if (&User-Name) -> TRUE (770) if (&User-Name) { (770) if (&User-Name != "%{tolower:%{User-Name}}") { (770) EXPAND %{tolower:%{User-Name}} (770) --> joao.bosco (770) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (770) if (&User-Name =~ /\// ) { (770) if (&User-Name =~ /\// ) -> FALSE (770) if (&User-Name =~ / /) { (770) if (&User-Name =~ / /) -> FALSE (770) if (&User-Name =~ /@[^@]*@/ ) { (770) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (770) if (&User-Name =~ /\.\./ ) { (770) if (&User-Name =~ /\.\./ ) -> FALSE (770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (770) if (&User-Name =~ /\.$/) { (770) if (&User-Name =~ /\.$/) -> FALSE (770) if (&User-Name =~ /@\./) { (770) if (&User-Name =~ /@\./) -> FALSE (770) } # if (&User-Name) = notfound (770) } # policy filter_username = notfound (770) policy split_username_nai { (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (770) update request { (770) EXPAND %{1} (770) --> joao.bosco (770) &Stripped-User-Name := joao.bosco (770) EXPAND %{3} (770) --> (770) &Stripped-User-Domain = (770) } # update request = noop (770) [updated] = updated (770) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (770) ... skipping else: Preceding "if" was taken (770) } # policy split_username_nai = updated (770) [chap] = noop (770) [mschap] = noop (770) suffix: Checking for suffix after "@" (770) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL (770) suffix: No such realm "NULL" (770) [suffix] = noop (770) update control { (770) &Proxy-To-Realm := LOCAL (770) } # update control = noop (770) eap: Peer sent EAP Response (code 2) ID 74 length 69 (770) eap: No EAP Start, assuming it's an on-going EAP conversation (770) [eap] = updated (770) files: users: Matched entry DEFAULT at line 84 (770) [files] = ok (770) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (770) sql: --> joao.bosco (770) sql: SQL-User-Name set to 'joao.bosco' (770) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (770) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id (770) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id (770) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (770) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority (770) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority (770) sql: User not found in any groups (770) [sql] = notfound (770) [expiration] = noop (770) [logintime] = noop (770) [pap] = noop (770) } # authorize = updated (770) Found Auth-Type = eap (770) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (770) authenticate { (770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (770) eap: Finished EAP session with state 0x51d9eef05193f45a (770) eap: Previous EAP request found for state 0x51d9eef05193f45a, released from the list (770) eap: Peer sent packet with method EAP MSCHAPv2 (26) (770) eap: Calling submodule eap_mschapv2 to process data (770) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (770) eap_mschapv2: authenticate { (770) mschap: Creating challenge hash with username: joao.bosco (770) mschap: Client is using MS-CHAPv2 (770) mschap: EXPAND %{mschap:User-Name} (770) mschap: --> joao.bosco (770) mschap: ERROR: No NT-Domain was found in the User-Name (770) mschap: EXPAND %{mschap:NT-Domain} (770) mschap: --> (770) mschap: sending authentication request user='joao.bosco' domain='' (770) mschap: Authenticated successfully (770) mschap: Adding MS-CHAPv2 MPPE keys (770) [mschap] = ok (770) } # authenticate = ok (770) MSCHAP Success (770) eap: Sending EAP Request (code 1) ID 75 length 51 (770) eap: EAP session adding &reply:State = 0x51d9eef05092f45a (770) [eap] = handled (770) } # authenticate = handled (770) } # server inner-tunnel (770) Virtual server sending reply (770) Idle-Timeout = 300 (770) EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641 (770) Message-Authenticator = 0x00000000000000000000000000000000 (770) State = 0x51d9eef05092f45af86aca3e309ab33f (770) eap_peap: Got tunneled reply code 11 (770) eap_peap: Idle-Timeout = 300 (770) eap_peap: EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641 (770) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (770) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f (770) eap_peap: Got tunneled reply RADIUS code 11 (770) eap_peap: Idle-Timeout = 300 (770) eap_peap: EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641 (770) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (770) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f (770) eap_peap: Got tunneled Access-Challenge (770) eap: Sending EAP Request (code 1) ID 75 length 82 (770) eap: EAP session adding &reply:State = 0xa44f7f64a3046604 (770) [eap] = handled (770) } # authenticate = handled (770) Using Post-Auth-Type Challenge (770) Post-Auth-Type sub-section not found. Ignoring. (770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (770) Sent Access-Challenge Id 2 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (770) EAP-Message = 0x014b005219001703030047a3eb5bde72e8f75a1f4b8481c411504c33305b9637036aea4e7db053f95d7c31e935156455848f079d12243134fcaf4553b54c28c82891ffa3e4f8690fba5ed94c2af6efaa77e8 (770) Message-Authenticator = 0x00000000000000000000000000000000 (770) State = 0xa44f7f64a3046604dd9f2a05e7c26035 (770) Finished request (771) Received Access-Request Id 3 from 10.34.87.223:58030 to 10.34.242.3:1812 length 304 (771) User-Name = "321457" (771) NAS-IP-Address = 10.34.87.223 (771) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (771) NAS-Port-Id = "00000001" (771) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (771) NAS-Port-Type = Wireless-802.11 (771) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (771) Service-Type = Framed-User (771) Calling-Station-Id = "70-FD-46-BE-0D-8A" (771) Connect-Info = "CONNECT 0Mbps 802.11b" (771) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (771) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (771) WLAN-Pairwise-Cipher = 1027076 (771) WLAN-Group-Cipher = 1027076 (771) WLAN-AKM-Suite = 1027073 (771) Framed-MTU = 1400 (771) EAP-Message = 0x024b00251900170303001a0000000000000003695705aa6ea3fa4f9e764db8342fc4ef284e (771) State = 0xa44f7f64a3046604dd9f2a05e7c26035 (771) Message-Authenticator = 0x9442f992d6c781983fbd2914045a1126 (771) session-state: No cached attributes (771) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (771) authorize { (771) policy filter_username { (771) if (&User-Name) { (771) if (&User-Name) -> TRUE (771) if (&User-Name) { (771) if (&User-Name != "%{tolower:%{User-Name}}") { (771) EXPAND %{tolower:%{User-Name}} (771) --> 321457 (771) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (771) if (&User-Name =~ /\// ) { (771) if (&User-Name =~ /\// ) -> FALSE (771) if (&User-Name =~ / /) { (771) if (&User-Name =~ / /) -> FALSE (771) if (&User-Name =~ /@[^@]*@/ ) { (771) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (771) if (&User-Name =~ /\.\./ ) { (771) if (&User-Name =~ /\.\./ ) -> FALSE (771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (771) if (&User-Name =~ /\.$/) { (771) if (&User-Name =~ /\.$/) -> FALSE (771) if (&User-Name =~ /@\./) { (771) if (&User-Name =~ /@\./) -> FALSE (771) } # if (&User-Name) = notfound (771) } # policy filter_username = notfound (771) policy split_username_nai { (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (771) update request { (771) EXPAND %{1} (771) --> 321457 (771) &Stripped-User-Name := 321457 (771) EXPAND %{3} (771) --> (771) &Stripped-User-Domain = (771) } # update request = noop (771) [updated] = updated (771) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (771) ... skipping else: Preceding "if" was taken (771) } # policy split_username_nai = updated (771) [preprocess] = ok (771) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (771) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (771) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (771) auth_log: EXPAND %t (771) auth_log: --> Wed Jun 24 14:21:13 2020 (771) [auth_log] = ok (771) [chap] = noop (771) [mschap] = noop (771) [digest] = noop (771) suffix: Checking for suffix after "@" (771) suffix: No '@' in User-Name = "321457", looking up realm NULL (771) suffix: No such realm "NULL" (771) [suffix] = noop (771) eap: Peer sent EAP Response (code 2) ID 75 length 37 (771) eap: Continuing tunnel setup (771) [eap] = ok (771) } # authorize = ok (771) Found Auth-Type = eap (771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (771) authenticate { (771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (771) eap: Finished EAP session with state 0xa44f7f64a3046604 (771) eap: Previous EAP request found for state 0xa44f7f64a3046604, released from the list (771) eap: Peer sent packet with method EAP PEAP (25) (771) eap: Calling submodule eap_peap to process data (771) eap_peap: Continuing EAP-TLS (771) eap_peap: [eaptls verify] = ok (771) eap_peap: Done initial handshake (771) eap_peap: [eaptls process] = ok (771) eap_peap: Session established. Decoding tunneled attributes (771) eap_peap: PEAP state phase2 (771) eap_peap: EAP method MSCHAPv2 (26) (771) eap_peap: Got tunneled request (771) eap_peap: EAP-Message = 0x024b00061a03 (771) eap_peap: Setting User-Name to joao.bosco (771) eap_peap: Sending tunneled request to inner-tunnel (771) eap_peap: EAP-Message = 0x024b00061a03 (771) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (771) eap_peap: User-Name = "joao.bosco" (771) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f (771) Virtual server inner-tunnel received request (771) EAP-Message = 0x024b00061a03 (771) FreeRADIUS-Proxied-To = 127.0.0.1 (771) User-Name = "joao.bosco" (771) State = 0x51d9eef05092f45af86aca3e309ab33f (771) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (771) server inner-tunnel { (771) session-state: No cached attributes (771) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (771) authorize { (771) policy filter_username { (771) if (&User-Name) { (771) if (&User-Name) -> TRUE (771) if (&User-Name) { (771) if (&User-Name != "%{tolower:%{User-Name}}") { (771) EXPAND %{tolower:%{User-Name}} (771) --> joao.bosco (771) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (771) if (&User-Name =~ /\// ) { (771) if (&User-Name =~ /\// ) -> FALSE (771) if (&User-Name =~ / /) { (771) if (&User-Name =~ / /) -> FALSE (771) if (&User-Name =~ /@[^@]*@/ ) { (771) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (771) if (&User-Name =~ /\.\./ ) { (771) if (&User-Name =~ /\.\./ ) -> FALSE (771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (771) if (&User-Name =~ /\.$/) { (771) if (&User-Name =~ /\.$/) -> FALSE (771) if (&User-Name =~ /@\./) { (771) if (&User-Name =~ /@\./) -> FALSE (771) } # if (&User-Name) = notfound (771) } # policy filter_username = notfound (771) policy split_username_nai { (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (771) update request { (771) EXPAND %{1} (771) --> joao.bosco (771) &Stripped-User-Name := joao.bosco (771) EXPAND %{3} (771) --> (771) &Stripped-User-Domain = (771) } # update request = noop (771) [updated] = updated (771) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (771) ... skipping else: Preceding "if" was taken (771) } # policy split_username_nai = updated (771) [chap] = noop (771) [mschap] = noop (771) suffix: Checking for suffix after "@" (771) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL (771) suffix: No such realm "NULL" (771) [suffix] = noop (771) update control { (771) &Proxy-To-Realm := LOCAL (771) } # update control = noop (771) eap: Peer sent EAP Response (code 2) ID 75 length 6 (771) eap: No EAP Start, assuming it's an on-going EAP conversation (771) [eap] = updated (771) files: users: Matched entry DEFAULT at line 84 (771) [files] = ok (771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (771) sql: --> joao.bosco (771) sql: SQL-User-Name set to 'joao.bosco' (771) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (771) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id (771) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id (771) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (771) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority (771) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority (771) sql: User not found in any groups (771) [sql] = notfound (771) [expiration] = noop (771) [logintime] = noop (771) [pap] = noop (771) } # authorize = updated (771) Found Auth-Type = eap (771) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (771) authenticate { (771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (771) eap: Finished EAP session with state 0x51d9eef05092f45a (771) eap: Previous EAP request found for state 0x51d9eef05092f45a, released from the list (771) eap: Peer sent packet with method EAP MSCHAPv2 (26) (771) eap: Calling submodule eap_mschapv2 to process data (771) eap: Sending EAP Success (code 3) ID 75 length 4 (771) eap: Freeing handler (771) [eap] = ok (771) } # authenticate = ok (771) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (771) session { (771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (771) sql: --> joao.bosco (771) sql: SQL-User-Name set to 'joao.bosco' (771) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL (771) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL (771) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL (771) [sql] = ok (771) } # session = ok (771) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (771) post-auth { (771) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail (771) reply_log: --> /var/log/freeradius/radacct/10.34.87.223/reply-detail (771) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.87.223/reply-detail (771) reply_log: EXPAND %t (771) reply_log: --> Wed Jun 24 14:21:13 2020 (771) [reply_log] = ok (771) update outer.session-state { (771) User-Name := &request:User-Name -> 'joao.bosco' (771) } # update outer.session-state = noop (771) } # post-auth = ok (771) Login OK: [joao.bosco] (from client AP-CEI-TER-223 port 0 via TLS tunnel) (771) } # server inner-tunnel (771) Virtual server sending reply (771) Idle-Timeout = 300 (771) MS-MPPE-Encryption-Policy = Encryption-Allowed (771) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (771) MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc (771) MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252 (771) EAP-Message = 0x034b0004 (771) Message-Authenticator = 0x00000000000000000000000000000000 (771) Stripped-User-Name := "joao.bosco" (771) eap_peap: Got tunneled reply code 2 (771) eap_peap: Idle-Timeout = 300 (771) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (771) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (771) eap_peap: MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc (771) eap_peap: MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252 (771) eap_peap: EAP-Message = 0x034b0004 (771) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (771) eap_peap: Stripped-User-Name := "joao.bosco" (771) eap_peap: Got tunneled reply RADIUS code 2 (771) eap_peap: Idle-Timeout = 300 (771) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (771) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (771) eap_peap: MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc (771) eap_peap: MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252 (771) eap_peap: EAP-Message = 0x034b0004 (771) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (771) eap_peap: Stripped-User-Name := "joao.bosco" (771) eap_peap: Tunneled authentication was successful (771) eap_peap: SUCCESS (771) eap: Sending EAP Request (code 1) ID 76 length 46 (771) eap: EAP session adding &reply:State = 0xa44f7f64ac036604 (771) [eap] = handled (771) } # authenticate = handled (771) Using Post-Auth-Type Challenge (771) Post-Auth-Type sub-section not found. Ignoring. (771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (771) session-state: Saving cached attributes (771) User-Name := "joao.bosco" (771) Sent Access-Challenge Id 3 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (771) EAP-Message = 0x014c002e19001703030023a3eb5bde72e8f75b476d764d57d47de14e8b3244cdb2bdd44f4bf0fc595be62545171a (771) Message-Authenticator = 0x00000000000000000000000000000000 (771) State = 0xa44f7f64ac036604dd9f2a05e7c26035 (771) Finished request (772) Received Access-Request Id 4 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313 (772) User-Name = "321457" (772) NAS-IP-Address = 10.34.87.223 (772) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (772) NAS-Port-Id = "00000001" (772) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (772) NAS-Port-Type = Wireless-802.11 (772) Event-Timestamp = "Jun 24 2020 14:21:11 -03" (772) Service-Type = Framed-User (772) Calling-Station-Id = "70-FD-46-BE-0D-8A" (772) Connect-Info = "CONNECT 0Mbps 802.11b" (772) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (772) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (772) WLAN-Pairwise-Cipher = 1027076 (772) WLAN-Group-Cipher = 1027076 (772) WLAN-AKM-Suite = 1027073 (772) Framed-MTU = 1400 (772) EAP-Message = 0x024c002e190017030300230000000000000004fda2bf219fdc0ef55bf7050cfc147e2b1ac003860d8506d1cf400b (772) State = 0xa44f7f64ac036604dd9f2a05e7c26035 (772) Message-Authenticator = 0x08c421bbfa2e7157408a6f2cf3214e1f (772) Restoring &session-state (772) &session-state:User-Name := "joao.bosco" (772) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (772) authorize { (772) policy filter_username { (772) if (&User-Name) { (772) if (&User-Name) -> TRUE (772) if (&User-Name) { (772) if (&User-Name != "%{tolower:%{User-Name}}") { (772) EXPAND %{tolower:%{User-Name}} (772) --> 321457 (772) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (772) if (&User-Name =~ /\// ) { (772) if (&User-Name =~ /\// ) -> FALSE (772) if (&User-Name =~ / /) { (772) if (&User-Name =~ / /) -> FALSE (772) if (&User-Name =~ /@[^@]*@/ ) { (772) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (772) if (&User-Name =~ /\.\./ ) { (772) if (&User-Name =~ /\.\./ ) -> FALSE (772) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (772) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (772) if (&User-Name =~ /\.$/) { (772) if (&User-Name =~ /\.$/) -> FALSE (772) if (&User-Name =~ /@\./) { (772) if (&User-Name =~ /@\./) -> FALSE (772) } # if (&User-Name) = notfound (772) } # policy filter_username = notfound (772) policy split_username_nai { (772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (772) update request { (772) EXPAND %{1} (772) --> 321457 (772) &Stripped-User-Name := 321457 (772) EXPAND %{3} (772) --> (772) &Stripped-User-Domain = (772) } # update request = noop (772) [updated] = updated (772) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (772) ... skipping else: Preceding "if" was taken (772) } # policy split_username_nai = updated (772) [preprocess] = ok (772) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (772) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail (772) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail (772) auth_log: EXPAND %t (772) auth_log: --> Wed Jun 24 14:21:13 2020 (772) [auth_log] = ok (772) [chap] = noop (772) [mschap] = noop (772) [digest] = noop (772) suffix: Checking for suffix after "@" (772) suffix: No '@' in User-Name = "321457", looking up realm NULL (772) suffix: No such realm "NULL" (772) [suffix] = noop (772) eap: Peer sent EAP Response (code 2) ID 76 length 46 (772) eap: Continuing tunnel setup (772) [eap] = ok (772) } # authorize = ok (772) Found Auth-Type = eap (772) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (772) authenticate { (772) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d (772) eap: Finished EAP session with state 0xa44f7f64ac036604 (772) eap: Previous EAP request found for state 0xa44f7f64ac036604, released from the list (772) eap: Peer sent packet with method EAP PEAP (25) (772) eap: Calling submodule eap_peap to process data (772) eap_peap: Continuing EAP-TLS (772) eap_peap: [eaptls verify] = ok (772) eap_peap: Done initial handshake (772) eap_peap: [eaptls process] = ok (772) eap_peap: Session established. Decoding tunneled attributes (772) eap_peap: PEAP state send tlv success (772) eap_peap: Received EAP-TLV response (772) eap_peap: Success (772) eap: Sending EAP Success (code 3) ID 76 length 4 (772) eap: Freeing handler (772) [eap] = ok (772) } # authenticate = ok (772) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (772) post-auth { (772) update { (772) &reply::User-Name += &session-state:User-Name[*] -> 'joao.bosco' (772) } # update = noop (772) sql: EXPAND .query (772) sql: --> .query (772) sql: Using query template 'query' (772) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (772) sql: --> 321457 (772) sql: SQL-User-Name set to '321457' (772) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()})) (772) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271)) (772) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271)) (772) sql: SQL query returned: success (772) sql: 1 record(s) updated (772) [sql] = ok (772) [exec] = noop (772) policy remove_reply_message_if_eap { (772) if (&reply:EAP-Message && &reply:Reply-Message) { (772) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (772) else { (772) [noop] = noop (772) } # else = noop (772) } # policy remove_reply_message_if_eap = noop (772) } # post-auth = ok (772) Login OK: [321457] (from client AP-CEI-TER-223 port 0 cli 70-FD-46-BE-0D-8A) (772) Sent Access-Accept Id 4 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0 (772) MS-MPPE-Recv-Key = 0xd4c273e37c10886abb1167c9c64b7e7a9555c080e574df74fdac80585fe89c4a (772) MS-MPPE-Send-Key = 0xbb83cd2094c7880532831cdf5e3c7986149e6a5c1d6bc4a84b9151c0988336a1 (772) EAP-Message = 0x034c0004 (772) Message-Authenticator = 0x00000000000000000000000000000000 (772) User-Name += "joao.bosco" (772) Finished request (785) Received Accounting-Request Id 5 from 10.34.87.223:36144 to 10.34.242.3:1813 length 251 (785) Acct-Status-Type = Start (785) Acct-Authentic = RADIUS (785) User-Name = "joao.bosco" (785) NAS-IP-Address = 10.34.87.223 (785) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C" (785) NAS-Port-Id = "00000001" (785) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT" (785) NAS-Port-Type = Wireless-802.11 (785) Event-Timestamp = "Jun 24 2020 14:21:14 -03" (785) Service-Type = Framed-User (785) Calling-Station-Id = "70-FD-46-BE-0D-8A" (785) Connect-Info = "CONNECT 0Mbps 802.11b" (785) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46" (785) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6" (785) WLAN-Pairwise-Cipher = 1027076 (785) WLAN-Group-Cipher = 1027076 (785) WLAN-AKM-Suite = 1027073 (785) Framed-IP-Address = 172.28.255.182 (785) Acct-Delay-Time = 0 (785) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (785) preacct { (785) [preprocess] = ok (785) policy split_username_nai { (785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (785) update request { (785) EXPAND %{1} (785) --> joao.bosco (785) &Stripped-User-Name := joao.bosco (785) EXPAND %{3} (785) --> (785) &Stripped-User-Domain = (785) } # update request = noop (785) [updated] = updated (785) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (785) ... skipping else: Preceding "if" was taken (785) } # policy split_username_nai = updated (785) update request { (785) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (785) --> 1593019276 (785) FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 14:21:16 -03 (785) } # update request = noop (785) policy acct_unique { (785) update request { (785) Tmp-String-9 := "ai:" (785) } # update request = noop (785) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (785) EXPAND %{hex:&Class} (785) --> (785) EXPAND ^%{hex:&Tmp-String-9} (785) --> ^61693a (785) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (785) else { (785) update request { (785) EXPAND %{Acct-Session-ID} (785) --> 50d4f75b869c-393F96E03B858B46 (785) &Acct-Unique-Session-Id := 50d4f75b869c-393F96E03B858B46 (785) EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (785) --> joao.bosco (785) &Acct-Unique-Session-Id := joao.bosco (785) EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}} (785) --> 40fed0fa478c6669d9d1768d71840a84 (785) &Acct-Unique-Session-Id := 40fed0fa478c6669d9d1768d71840a84 (785) } # update request = noop (785) } # else = noop (785) } # policy acct_unique = noop (785) suffix: Checking for suffix after "@" (785) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL (785) suffix: No such realm "NULL" (785) [suffix] = noop (785) files: acct_users: Matched entry DEFAULT at line 22 (785) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (785) files: --> joao.bosco (785) [files] = ok (785) } # preacct = updated (785) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (785) accounting { (785) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (785) log_accounting: --> Accounting-Request.Start (785) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) (785) log_accounting: --> Wed, 24-06-2020 14:21:14 Connect: [joao.bosco] (did 50-D4-F7-5B-86-9C:MPDFT cli 70-FD-46-BE-0D-8A port ip 172.28.255.182) (785) log_accounting: EXPAND /var/log/freeradius/linelog-accounting (785) log_accounting: --> /var/log/freeradius/linelog-accounting (785) [log_accounting] = ok (785) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (785) sql: --> type.start.query (785) sql: Using query template 'query' (785) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (785) sql: --> joao.bosco (785) sql: SQL-User-Name set to 'joao.bosco' (785) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (785) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet) (785) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet) (785) sql: SQL query returned: success (785) sql: 1 record(s) updated (785) [sql] = ok (785) if (&request:Acct-Status-Type == start) { (785) if (&request:Acct-Status-Type == start) -> TRUE (785) if (&request:Acct-Status-Type == start) { (785) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (785) --> joao.bosco (785) SQL-User-Name set to 'joao.bosco' (785) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593019274), AcctUpdateTime = TO_TIMESTAMP(1593019274), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'joao.bosco' AND AcctUniqueId <> '40fed0fa478c6669d9d1768d71840a84' AND CallingStationId = '70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL (785) SQL query affected no rows (785) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL} (785) --> (785) } # if (&request:Acct-Status-Type == start) = ok (785) [exec] = noop (785) attr_filter.accounting_response: EXPAND %{User-Name} (785) attr_filter.accounting_response: --> joao.bosco (785) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (785) [attr_filter.accounting_response] = updated (785) } # accounting = updated (785) Sent Accounting-Response Id 5 from 10.34.242.3:1813 to 10.34.87.223:36144 length 0 (785) Finished request (785) Cleaning up request packet ID 5 with timestamp +196 (757) Cleaning up request packet ID 251 with timestamp +192 (760) Cleaning up request packet ID 252 with timestamp +193 (763) Cleaning up request packet ID 253 with timestamp +193 (764) Cleaning up request packet ID 254 with timestamp +193 (765) Cleaning up request packet ID 255 with timestamp +193 (766) Cleaning up request packet ID 0 with timestamp +193 (769) Cleaning up request packet ID 1 with timestamp +193 (770) Cleaning up request packet ID 2 with timestamp +193 (771) Cleaning up request packet ID 3 with timestamp +193 (772) Cleaning up request packet ID 4 with timestamp +193 ============== DEBUG FOR !!!!NOT WORKING!!!! PACKET ============ (11048) Received Access-Request Id 139 from 10.34.27.220:3489 to 10.34.242.3:1812 length 149 (11048) User-Name = "mpdft" (11048) NAS-IP-Address = 10.34.27.220 (11048) NAS-Port = 2 (11048) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11048) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11048) Framed-MTU = 1400 (11048) NAS-Port-Type = Wireless-802.11 (11048) Connect-Info = "CONNECT 54Mbps 802.11g" (11048) EAP-Message = 0x0200000a016d70646674 (11048) Message-Authenticator = 0x408a3294efb8f536a6500de929db9311 (11048) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11048) authorize { (11048) policy filter_username { (11048) if (&User-Name) { (11048) if (&User-Name) -> TRUE (11048) if (&User-Name) { (11048) if (&User-Name != "%{tolower:%{User-Name}}") { (11048) EXPAND %{tolower:%{User-Name}} (11048) --> mpdft (11048) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11048) if (&User-Name =~ /\// ) { (11048) if (&User-Name =~ /\// ) -> FALSE (11048) if (&User-Name =~ / /) { (11048) if (&User-Name =~ / /) -> FALSE (11048) if (&User-Name =~ /@[^@]*@/ ) { (11048) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11048) if (&User-Name =~ /\.\./ ) { (11048) if (&User-Name =~ /\.\./ ) -> FALSE (11048) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11048) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11048) if (&User-Name =~ /\.$/) { (11048) if (&User-Name =~ /\.$/) -> FALSE (11048) if (&User-Name =~ /@\./) { (11048) if (&User-Name =~ /@\./) -> FALSE (11048) } # if (&User-Name) = notfound (11048) } # policy filter_username = notfound (11048) policy split_username_nai { (11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11048) update request { (11048) EXPAND %{1} (11048) --> mpdft (11048) &Stripped-User-Name := mpdft (11048) EXPAND %{3} (11048) --> (11048) &Stripped-User-Domain = (11048) } # update request = noop (11048) [updated] = updated (11048) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11048) ... skipping else: Preceding "if" was taken (11048) } # policy split_username_nai = updated (11048) [preprocess] = ok (11048) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11048) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11048) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11048) auth_log: EXPAND %t (11048) auth_log: --> Wed Jun 24 15:00:27 2020 (11048) [auth_log] = ok (11048) [chap] = noop (11048) [mschap] = noop (11048) [digest] = noop (11048) suffix: Checking for suffix after "@" (11048) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11048) suffix: No such realm "NULL" (11048) [suffix] = noop (11048) eap: Peer sent EAP Response (code 2) ID 0 length 10 (11048) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11048) [eap] = ok (11048) } # authorize = ok (11048) Found Auth-Type = eap (11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11048) authenticate { (11048) eap: Peer sent packet with method EAP Identity (1) (11048) eap: Calling submodule eap_md5 to process data (11048) eap_md5: Issuing MD5 Challenge (11048) eap: Sending EAP Request (code 1) ID 1 length 22 (11048) eap: EAP session adding &reply:State = 0xbb52a0a1bb53a4af (11048) [eap] = handled (11048) } # authenticate = handled (11048) Using Post-Auth-Type Challenge (11048) Post-Auth-Type sub-section not found. Ignoring. (11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11048) Sent Access-Challenge Id 139 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11048) EAP-Message = 0x010100160410b7e1efa9084013e0889cf10e97931880 (11048) Message-Authenticator = 0x00000000000000000000000000000000 (11048) State = 0xbb52a0a1bb53a4afa6d420c8f1230505 (11048) Finished request (11049) Received Access-Request Id 140 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163 (11049) User-Name = "mpdft" (11049) NAS-IP-Address = 10.34.27.220 (11049) NAS-Port = 2 (11049) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11049) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11049) Framed-MTU = 1400 (11049) NAS-Port-Type = Wireless-802.11 (11049) Connect-Info = "CONNECT 54Mbps 802.11g" (11049) EAP-Message = 0x020100060319 (11049) State = 0xbb52a0a1bb53a4afa6d420c8f1230505 (11049) Message-Authenticator = 0x56eea29636534482dd0626f91ccc367c (11049) session-state: No cached attributes (11049) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11049) authorize { (11049) policy filter_username { (11049) if (&User-Name) { (11049) if (&User-Name) -> TRUE (11049) if (&User-Name) { (11049) if (&User-Name != "%{tolower:%{User-Name}}") { (11049) EXPAND %{tolower:%{User-Name}} (11049) --> mpdft (11049) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11049) if (&User-Name =~ /\// ) { (11049) if (&User-Name =~ /\// ) -> FALSE (11049) if (&User-Name =~ / /) { (11049) if (&User-Name =~ / /) -> FALSE (11049) if (&User-Name =~ /@[^@]*@/ ) { (11049) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11049) if (&User-Name =~ /\.\./ ) { (11049) if (&User-Name =~ /\.\./ ) -> FALSE (11049) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11049) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11049) if (&User-Name =~ /\.$/) { (11049) if (&User-Name =~ /\.$/) -> FALSE (11049) if (&User-Name =~ /@\./) { (11049) if (&User-Name =~ /@\./) -> FALSE (11049) } # if (&User-Name) = notfound (11049) } # policy filter_username = notfound (11049) policy split_username_nai { (11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11049) update request { (11049) EXPAND %{1} (11049) --> mpdft (11049) &Stripped-User-Name := mpdft (11049) EXPAND %{3} (11049) --> (11049) &Stripped-User-Domain = (11049) } # update request = noop (11049) [updated] = updated (11049) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11049) ... skipping else: Preceding "if" was taken (11049) } # policy split_username_nai = updated (11049) [preprocess] = ok (11049) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11049) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11049) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11049) auth_log: EXPAND %t (11049) auth_log: --> Wed Jun 24 15:00:27 2020 (11049) [auth_log] = ok (11049) [chap] = noop (11049) [mschap] = noop (11049) [digest] = noop (11049) suffix: Checking for suffix after "@" (11049) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11049) suffix: No such realm "NULL" (11049) [suffix] = noop (11049) eap: Peer sent EAP Response (code 2) ID 1 length 6 (11049) eap: No EAP Start, assuming it's an on-going EAP conversation (11049) [eap] = updated (11049) files: Failed resolving UID: No error (11049) files: Failed resolving UID: No error (11049) files: Failed resolving UID: No error (11049) files: Failed resolving UID: No error (11049) files: Failed resolving UID: No error (11049) [files] = noop (11049) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11049) sql: --> mpdft (11049) sql: SQL-User-Name set to 'mpdft' (11049) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (11049) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id (11049) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id (11049) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (11049) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority (11049) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority (11049) sql: User not found in any groups (11049) [sql] = notfound (11049) [expiration] = noop (11049) [logintime] = noop (11049) if (ok) { (11049) if (ok) -> FALSE (11049) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (11049) pap: WARNING: Authentication will fail unless a "known good" password is available (11049) [pap] = noop (11049) } # authorize = updated (11049) Found Auth-Type = eap (11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11049) authenticate { (11049) eap: Expiring EAP session with state 0x663165b2651a7c1c (11049) eap: Finished EAP session with state 0xbb52a0a1bb53a4af (11049) eap: Previous EAP request found for state 0xbb52a0a1bb53a4af, released from the list (11049) eap: Peer sent packet with method EAP NAK (3) (11049) eap: Found mutually acceptable type PEAP (25) (11049) eap: Calling submodule eap_peap to process data (11049) eap_peap: Initiating new EAP-TLS session (11049) eap_peap: [eaptls start] = request (11049) eap: Sending EAP Request (code 1) ID 2 length 6 (11049) eap: EAP session adding &reply:State = 0xbb52a0a1ba50b9af (11049) [eap] = handled (11049) } # authenticate = handled (11049) Using Post-Auth-Type Challenge (11049) Post-Auth-Type sub-section not found. Ignoring. (11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11049) Sent Access-Challenge Id 140 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11049) EAP-Message = 0x010200061920 (11049) Message-Authenticator = 0x00000000000000000000000000000000 (11049) State = 0xbb52a0a1ba50b9afa6d420c8f1230505 (11049) Finished request (11050) Received Access-Request Id 141 from 10.34.27.220:3489 to 10.34.242.3:1812 length 328 (11050) User-Name = "mpdft" (11050) NAS-IP-Address = 10.34.27.220 (11050) NAS-Port = 2 (11050) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11050) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11050) Framed-MTU = 1400 (11050) NAS-Port-Type = Wireless-802.11 (11050) Connect-Info = "CONNECT 54Mbps 802.11g" (11050) EAP-Message = 0x020200ab1980000000a1160301009c0100009803039c4c361bc616647397a5fcbb62da353c8e280950e62470a9b076ee8a4df5731200003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000 (11050) State = 0xbb52a0a1ba50b9afa6d420c8f1230505 (11050) Message-Authenticator = 0xee12d9c33e702dde45cc68d947157e10 (11050) session-state: No cached attributes (11050) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11050) authorize { (11050) policy filter_username { (11050) if (&User-Name) { (11050) if (&User-Name) -> TRUE (11050) if (&User-Name) { (11050) if (&User-Name != "%{tolower:%{User-Name}}") { (11050) EXPAND %{tolower:%{User-Name}} (11050) --> mpdft (11050) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11050) if (&User-Name =~ /\// ) { (11050) if (&User-Name =~ /\// ) -> FALSE (11050) if (&User-Name =~ / /) { (11050) if (&User-Name =~ / /) -> FALSE (11050) if (&User-Name =~ /@[^@]*@/ ) { (11050) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11050) if (&User-Name =~ /\.\./ ) { (11050) if (&User-Name =~ /\.\./ ) -> FALSE (11050) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11050) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11050) if (&User-Name =~ /\.$/) { (11050) if (&User-Name =~ /\.$/) -> FALSE (11050) if (&User-Name =~ /@\./) { (11050) if (&User-Name =~ /@\./) -> FALSE (11050) } # if (&User-Name) = notfound (11050) } # policy filter_username = notfound (11050) policy split_username_nai { (11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11050) update request { (11050) EXPAND %{1} (11050) --> mpdft (11050) &Stripped-User-Name := mpdft (11050) EXPAND %{3} (11050) --> (11050) &Stripped-User-Domain = (11050) } # update request = noop (11050) [updated] = updated (11050) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11050) ... skipping else: Preceding "if" was taken (11050) } # policy split_username_nai = updated (11050) [preprocess] = ok (11050) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11050) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11050) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11050) auth_log: EXPAND %t (11050) auth_log: --> Wed Jun 24 15:00:27 2020 (11050) [auth_log] = ok (11050) [chap] = noop (11050) [mschap] = noop (11050) [digest] = noop (11050) suffix: Checking for suffix after "@" (11050) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11050) suffix: No such realm "NULL" (11050) [suffix] = noop (11050) eap: Peer sent EAP Response (code 2) ID 2 length 171 (11050) eap: Continuing tunnel setup (11050) [eap] = ok (11050) } # authorize = ok (11050) Found Auth-Type = eap (11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11050) authenticate { (11050) eap: Expiring EAP session with state 0x663165b2651a7c1c (11050) eap: Finished EAP session with state 0xbb52a0a1ba50b9af (11050) eap: Previous EAP request found for state 0xbb52a0a1ba50b9af, released from the list (11050) eap: Peer sent packet with method EAP PEAP (25) (11050) eap: Calling submodule eap_peap to process data (11050) eap_peap: Continuing EAP-TLS (11050) eap_peap: Peer indicated complete TLS record size will be 161 bytes (11050) eap_peap: Got complete TLS record (161 bytes) (11050) eap_peap: [eaptls verify] = length included (11050) eap_peap: (other): before SSL initialization (11050) eap_peap: TLS_accept: before SSL initialization (11050) eap_peap: TLS_accept: before SSL initialization (11050) eap_peap: <<< recv TLS 1.2 [length 009c] (11050) eap_peap: TLS_accept: SSLv3/TLS read client hello (11050) eap_peap: >>> send TLS 1.2 [length 003d] (11050) eap_peap: TLS_accept: SSLv3/TLS write server hello (11050) eap_peap: >>> send TLS 1.2 [length 0309] (11050) eap_peap: TLS_accept: SSLv3/TLS write certificate (11050) eap_peap: >>> send TLS 1.2 [length 014d] (11050) eap_peap: TLS_accept: SSLv3/TLS write key exchange (11050) eap_peap: >>> send TLS 1.2 [length 0004] (11050) eap_peap: TLS_accept: SSLv3/TLS write server done (11050) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (11050) eap_peap: In SSL Handshake Phase (11050) eap_peap: In SSL Accept mode (11050) eap_peap: [eaptls process] = handled (11050) eap: Sending EAP Request (code 1) ID 3 length 1004 (11050) eap: EAP session adding &reply:State = 0xbb52a0a1b951b9af (11050) [eap] = handled (11050) } # authenticate = handled (11050) Using Post-Auth-Type Challenge (11050) Post-Auth-Type sub-section not found. Ignoring. (11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11050) Sent Access-Challenge Id 141 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11050) EAP-Message = 0x010303ec19c0000004ab160303003d020000390303bff8d5bbdafc2ef1f9fe4ff68c004d2d5d255f840adf436732d14e188fb4896900c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609 (11050) Message-Authenticator = 0x00000000000000000000000000000000 (11050) State = 0xbb52a0a1b951b9afa6d420c8f1230505 (11050) Finished request (11051) Received Access-Request Id 142 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163 (11051) User-Name = "mpdft" (11051) NAS-IP-Address = 10.34.27.220 (11051) NAS-Port = 2 (11051) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11051) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11051) Framed-MTU = 1400 (11051) NAS-Port-Type = Wireless-802.11 (11051) Connect-Info = "CONNECT 54Mbps 802.11g" (11051) EAP-Message = 0x020300061900 (11051) State = 0xbb52a0a1b951b9afa6d420c8f1230505 (11051) Message-Authenticator = 0x91c78843c332dee8045c2bd4d2518647 (11051) session-state: No cached attributes (11051) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11051) authorize { (11051) policy filter_username { (11051) if (&User-Name) { (11051) if (&User-Name) -> TRUE (11051) if (&User-Name) { (11051) if (&User-Name != "%{tolower:%{User-Name}}") { (11051) EXPAND %{tolower:%{User-Name}} (11051) --> mpdft (11051) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11051) if (&User-Name =~ /\// ) { (11051) if (&User-Name =~ /\// ) -> FALSE (11051) if (&User-Name =~ / /) { (11051) if (&User-Name =~ / /) -> FALSE (11051) if (&User-Name =~ /@[^@]*@/ ) { (11051) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11051) if (&User-Name =~ /\.\./ ) { (11051) if (&User-Name =~ /\.\./ ) -> FALSE (11051) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11051) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11051) if (&User-Name =~ /\.$/) { (11051) if (&User-Name =~ /\.$/) -> FALSE (11051) if (&User-Name =~ /@\./) { (11051) if (&User-Name =~ /@\./) -> FALSE (11051) } # if (&User-Name) = notfound (11051) } # policy filter_username = notfound (11051) policy split_username_nai { (11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11051) update request { (11051) EXPAND %{1} (11051) --> mpdft (11051) &Stripped-User-Name := mpdft (11051) EXPAND %{3} (11051) --> (11051) &Stripped-User-Domain = (11051) } # update request = noop (11051) [updated] = updated (11051) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11051) ... skipping else: Preceding "if" was taken (11051) } # policy split_username_nai = updated (11051) [preprocess] = ok (11051) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11051) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11051) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11051) auth_log: EXPAND %t (11051) auth_log: --> Wed Jun 24 15:00:27 2020 (11051) [auth_log] = ok (11051) [chap] = noop (11051) [mschap] = noop (11051) [digest] = noop (11051) suffix: Checking for suffix after "@" (11051) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11051) suffix: No such realm "NULL" (11051) [suffix] = noop (11051) eap: Peer sent EAP Response (code 2) ID 3 length 6 (11051) eap: Continuing tunnel setup (11051) [eap] = ok (11051) } # authorize = ok (11051) Found Auth-Type = eap (11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11051) authenticate { (11051) eap: Expiring EAP session with state 0x663165b2651a7c1c (11051) eap: Finished EAP session with state 0xbb52a0a1b951b9af (11051) eap: Previous EAP request found for state 0xbb52a0a1b951b9af, released from the list (11051) eap: Peer sent packet with method EAP PEAP (25) (11051) eap: Calling submodule eap_peap to process data (11051) eap_peap: Continuing EAP-TLS (11051) eap_peap: Peer ACKed our handshake fragment (11051) eap_peap: [eaptls verify] = request (11051) eap_peap: [eaptls process] = handled (11051) eap: Sending EAP Request (code 1) ID 4 length 207 (11051) eap: EAP session adding &reply:State = 0xbb52a0a1b856b9af (11051) [eap] = handled (11051) } # authenticate = handled (11051) Using Post-Auth-Type Challenge (11051) Post-Auth-Type sub-section not found. Ignoring. (11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11051) Sent Access-Challenge Id 142 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11051) EAP-Message = 0x010400cf190077d923f57ef28aa1228670ecd396ae9f5120736fed21274cc4e43fe548da4b0018966c35ae455f4bd6fe6740c7c8414a8adcd72b383bcd96b08acbb06444bd5259dbef85f8b44d37c2cbfffeb6c98619f1bcdba6d5e2e6f70b494289c12f22675199072877351a1e1e55c1901b67e1c0ce (11051) Message-Authenticator = 0x00000000000000000000000000000000 (11051) State = 0xbb52a0a1b856b9afa6d420c8f1230505 (11051) Finished request (11052) Received Access-Request Id 143 from 10.34.27.220:3489 to 10.34.242.3:1812 length 293 (11052) User-Name = "mpdft" (11052) NAS-IP-Address = 10.34.27.220 (11052) NAS-Port = 2 (11052) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11052) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11052) Framed-MTU = 1400 (11052) NAS-Port-Type = Wireless-802.11 (11052) Connect-Info = "CONNECT 54Mbps 802.11g" (11052) EAP-Message = 0x0204008819800000007e16030300461000004241049d1d0aa98e339ec73f7114217ba102b7ec0faa4f48bd4430255a0c9f30e6e43587cbd5b858dd3eb66644df3703a1a74c19bcf7f526a95af9d8605e85aaa0b4e114030300010116030300280000000000000000b8d30db4ebe845ea5264df4293f41a (11052) State = 0xbb52a0a1b856b9afa6d420c8f1230505 (11052) Message-Authenticator = 0x8117b45ab21207f6cc0085f9906d6737 (11052) session-state: No cached attributes (11052) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11052) authorize { (11052) policy filter_username { (11052) if (&User-Name) { (11052) if (&User-Name) -> TRUE (11052) if (&User-Name) { (11052) if (&User-Name != "%{tolower:%{User-Name}}") { (11052) EXPAND %{tolower:%{User-Name}} (11052) --> mpdft (11052) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11052) if (&User-Name =~ /\// ) { (11052) if (&User-Name =~ /\// ) -> FALSE (11052) if (&User-Name =~ / /) { (11052) if (&User-Name =~ / /) -> FALSE (11052) if (&User-Name =~ /@[^@]*@/ ) { (11052) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11052) if (&User-Name =~ /\.\./ ) { (11052) if (&User-Name =~ /\.\./ ) -> FALSE (11052) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11052) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11052) if (&User-Name =~ /\.$/) { (11052) if (&User-Name =~ /\.$/) -> FALSE (11052) if (&User-Name =~ /@\./) { (11052) if (&User-Name =~ /@\./) -> FALSE (11052) } # if (&User-Name) = notfound (11052) } # policy filter_username = notfound (11052) policy split_username_nai { (11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11052) update request { (11052) EXPAND %{1} (11052) --> mpdft (11052) &Stripped-User-Name := mpdft (11052) EXPAND %{3} (11052) --> (11052) &Stripped-User-Domain = (11052) } # update request = noop (11052) [updated] = updated (11052) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11052) ... skipping else: Preceding "if" was taken (11052) } # policy split_username_nai = updated (11052) [preprocess] = ok (11052) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11052) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11052) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11052) auth_log: EXPAND %t (11052) auth_log: --> Wed Jun 24 15:00:27 2020 (11052) [auth_log] = ok (11052) [chap] = noop (11052) [mschap] = noop (11052) [digest] = noop (11052) suffix: Checking for suffix after "@" (11052) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11052) suffix: No such realm "NULL" (11052) [suffix] = noop (11052) eap: Peer sent EAP Response (code 2) ID 4 length 136 (11052) eap: Continuing tunnel setup (11052) [eap] = ok (11052) } # authorize = ok (11052) Found Auth-Type = eap (11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11052) authenticate { (11052) eap: Expiring EAP session with state 0x663165b2651a7c1c (11052) eap: Finished EAP session with state 0xbb52a0a1b856b9af (11052) eap: Previous EAP request found for state 0xbb52a0a1b856b9af, released from the list (11052) eap: Peer sent packet with method EAP PEAP (25) (11052) eap: Calling submodule eap_peap to process data (11052) eap_peap: Continuing EAP-TLS (11052) eap_peap: Peer indicated complete TLS record size will be 126 bytes (11052) eap_peap: Got complete TLS record (126 bytes) (11052) eap_peap: [eaptls verify] = length included (11052) eap_peap: TLS_accept: SSLv3/TLS write server done (11052) eap_peap: <<< recv TLS 1.2 [length 0046] (11052) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (11052) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (11052) eap_peap: <<< recv TLS 1.2 [length 0010] (11052) eap_peap: TLS_accept: SSLv3/TLS read finished (11052) eap_peap: >>> send TLS 1.2 [length 0001] (11052) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (11052) eap_peap: >>> send TLS 1.2 [length 0010] (11052) eap_peap: TLS_accept: SSLv3/TLS write finished (11052) eap_peap: (other): SSL negotiation finished successfully (11052) eap_peap: SSL Connection Established (11052) eap_peap: [eaptls process] = handled (11052) eap: Sending EAP Request (code 1) ID 5 length 57 (11052) eap: EAP session adding &reply:State = 0xbb52a0a1bf57b9af (11052) [eap] = handled (11052) } # authenticate = handled (11052) Using Post-Auth-Type Challenge (11052) Post-Auth-Type sub-section not found. Ignoring. (11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11052) Sent Access-Challenge Id 143 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11052) EAP-Message = 0x01050039190014030300010116030300288995cd8a76492654a82f8d2fc75b6ca674a25e522583f0877dfaf2b235972f869cd889c0383b0a82 (11052) Message-Authenticator = 0x00000000000000000000000000000000 (11052) State = 0xbb52a0a1bf57b9afa6d420c8f1230505 (11052) Finished request (11053) Received Access-Request Id 144 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163 (11053) User-Name = "mpdft" (11053) NAS-IP-Address = 10.34.27.220 (11053) NAS-Port = 2 (11053) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11053) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11053) Framed-MTU = 1400 (11053) NAS-Port-Type = Wireless-802.11 (11053) Connect-Info = "CONNECT 54Mbps 802.11g" (11053) EAP-Message = 0x020500061900 (11053) State = 0xbb52a0a1bf57b9afa6d420c8f1230505 (11053) Message-Authenticator = 0xcd93b19502ff6f920112fbb490021062 (11053) session-state: No cached attributes (11053) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11053) authorize { (11053) policy filter_username { (11053) if (&User-Name) { (11053) if (&User-Name) -> TRUE (11053) if (&User-Name) { (11053) if (&User-Name != "%{tolower:%{User-Name}}") { (11053) EXPAND %{tolower:%{User-Name}} (11053) --> mpdft (11053) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11053) if (&User-Name =~ /\// ) { (11053) if (&User-Name =~ /\// ) -> FALSE (11053) if (&User-Name =~ / /) { (11053) if (&User-Name =~ / /) -> FALSE (11053) if (&User-Name =~ /@[^@]*@/ ) { (11053) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11053) if (&User-Name =~ /\.\./ ) { (11053) if (&User-Name =~ /\.\./ ) -> FALSE (11053) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11053) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11053) if (&User-Name =~ /\.$/) { (11053) if (&User-Name =~ /\.$/) -> FALSE (11053) if (&User-Name =~ /@\./) { (11053) if (&User-Name =~ /@\./) -> FALSE (11053) } # if (&User-Name) = notfound (11053) } # policy filter_username = notfound (11053) policy split_username_nai { (11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11053) update request { (11053) EXPAND %{1} (11053) --> mpdft (11053) &Stripped-User-Name := mpdft (11053) EXPAND %{3} (11053) --> (11053) &Stripped-User-Domain = (11053) } # update request = noop (11053) [updated] = updated (11053) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11053) ... skipping else: Preceding "if" was taken (11053) } # policy split_username_nai = updated (11053) [preprocess] = ok (11053) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11053) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11053) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11053) auth_log: EXPAND %t (11053) auth_log: --> Wed Jun 24 15:00:27 2020 (11053) [auth_log] = ok (11053) [chap] = noop (11053) [mschap] = noop (11053) [digest] = noop (11053) suffix: Checking for suffix after "@" (11053) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11053) suffix: No such realm "NULL" (11053) [suffix] = noop (11053) eap: Peer sent EAP Response (code 2) ID 5 length 6 (11053) eap: Continuing tunnel setup (11053) [eap] = ok (11053) } # authorize = ok (11053) Found Auth-Type = eap (11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11053) authenticate { (11053) eap: Expiring EAP session with state 0x663165b2651a7c1c (11053) eap: Finished EAP session with state 0xbb52a0a1bf57b9af (11053) eap: Previous EAP request found for state 0xbb52a0a1bf57b9af, released from the list (11053) eap: Peer sent packet with method EAP PEAP (25) (11053) eap: Calling submodule eap_peap to process data (11053) eap_peap: Continuing EAP-TLS (11053) eap_peap: Peer ACKed our handshake fragment. handshake is finished (11053) eap_peap: [eaptls verify] = success (11053) eap_peap: [eaptls process] = success (11053) eap_peap: Session established. Decoding tunneled attributes (11053) eap_peap: PEAP state TUNNEL ESTABLISHED (11053) eap: Sending EAP Request (code 1) ID 6 length 40 (11053) eap: EAP session adding &reply:State = 0xbb52a0a1be54b9af (11053) [eap] = handled (11053) } # authenticate = handled (11053) Using Post-Auth-Type Challenge (11053) Post-Auth-Type sub-section not found. Ignoring. (11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11053) Sent Access-Challenge Id 144 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11053) EAP-Message = 0x010600281900170303001d8995cd8a76492655aa9ea54c3b4322eaca154c899222b9039194e9813a (11053) Message-Authenticator = 0x00000000000000000000000000000000 (11053) State = 0xbb52a0a1be54b9afa6d420c8f1230505 (11053) Finished request (11054) Received Access-Request Id 145 from 10.34.27.220:3489 to 10.34.242.3:1812 length 211 (11054) User-Name = "mpdft" (11054) NAS-IP-Address = 10.34.27.220 (11054) NAS-Port = 2 (11054) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11054) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11054) Framed-MTU = 1400 (11054) NAS-Port-Type = Wireless-802.11 (11054) Connect-Info = "CONNECT 54Mbps 802.11g" (11054) EAP-Message = 0x020600361900170303002b0000000000000001d8fc0d85e42ff3c7a9007d28e781d3f96bc92ec34bdd11b8e07e78a5c01255342524f0 (11054) State = 0xbb52a0a1be54b9afa6d420c8f1230505 (11054) Message-Authenticator = 0x970cdd80924dea90c2936c50ab414e02 (11054) session-state: No cached attributes (11054) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11054) authorize { (11054) policy filter_username { (11054) if (&User-Name) { (11054) if (&User-Name) -> TRUE (11054) if (&User-Name) { (11054) if (&User-Name != "%{tolower:%{User-Name}}") { (11054) EXPAND %{tolower:%{User-Name}} (11054) --> mpdft (11054) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11054) if (&User-Name =~ /\// ) { (11054) if (&User-Name =~ /\// ) -> FALSE (11054) if (&User-Name =~ / /) { (11054) if (&User-Name =~ / /) -> FALSE (11054) if (&User-Name =~ /@[^@]*@/ ) { (11054) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11054) if (&User-Name =~ /\.\./ ) { (11054) if (&User-Name =~ /\.\./ ) -> FALSE (11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11054) if (&User-Name =~ /\.$/) { (11054) if (&User-Name =~ /\.$/) -> FALSE (11054) if (&User-Name =~ /@\./) { (11054) if (&User-Name =~ /@\./) -> FALSE (11054) } # if (&User-Name) = notfound (11054) } # policy filter_username = notfound (11054) policy split_username_nai { (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11054) update request { (11054) EXPAND %{1} (11054) --> mpdft (11054) &Stripped-User-Name := mpdft (11054) EXPAND %{3} (11054) --> (11054) &Stripped-User-Domain = (11054) } # update request = noop (11054) [updated] = updated (11054) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11054) ... skipping else: Preceding "if" was taken (11054) } # policy split_username_nai = updated (11054) [preprocess] = ok (11054) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11054) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11054) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11054) auth_log: EXPAND %t (11054) auth_log: --> Wed Jun 24 15:00:27 2020 (11054) [auth_log] = ok (11054) [chap] = noop (11054) [mschap] = noop (11054) [digest] = noop (11054) suffix: Checking for suffix after "@" (11054) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11054) suffix: No such realm "NULL" (11054) [suffix] = noop (11054) eap: Peer sent EAP Response (code 2) ID 6 length 54 (11054) eap: Continuing tunnel setup (11054) [eap] = ok (11054) } # authorize = ok (11054) Found Auth-Type = eap (11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11054) authenticate { (11054) eap: Expiring EAP session with state 0x663165b2651a7c1c (11054) eap: Finished EAP session with state 0xbb52a0a1be54b9af (11054) eap: Previous EAP request found for state 0xbb52a0a1be54b9af, released from the list (11054) eap: Peer sent packet with method EAP PEAP (25) (11054) eap: Calling submodule eap_peap to process data (11054) eap_peap: Continuing EAP-TLS (11054) eap_peap: [eaptls verify] = ok (11054) eap_peap: Done initial handshake (11054) eap_peap: [eaptls process] = ok (11054) eap_peap: Session established. Decoding tunneled attributes (11054) eap_peap: PEAP state WAITING FOR INNER IDENTITY (11054) eap_peap: Identity - denisson.magalhaes (11054) eap_peap: Got inner identity 'denisson.magalhaes' (11054) eap_peap: Setting default EAP type for tunneled EAP session (11054) eap_peap: Got tunneled request (11054) eap_peap: EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573 (11054) eap_peap: Setting User-Name to denisson.magalhaes (11054) eap_peap: Sending tunneled request to inner-tunnel (11054) eap_peap: EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573 (11054) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (11054) eap_peap: User-Name = "denisson.magalhaes" (11054) Virtual server inner-tunnel received request (11054) EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573 (11054) FreeRADIUS-Proxied-To = 127.0.0.1 (11054) User-Name = "denisson.magalhaes" (11054) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (11054) server inner-tunnel { (11054) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11054) authorize { (11054) policy filter_username { (11054) if (&User-Name) { (11054) if (&User-Name) -> TRUE (11054) if (&User-Name) { (11054) if (&User-Name != "%{tolower:%{User-Name}}") { (11054) EXPAND %{tolower:%{User-Name}} (11054) --> denisson.magalhaes (11054) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11054) if (&User-Name =~ /\// ) { (11054) if (&User-Name =~ /\// ) -> FALSE (11054) if (&User-Name =~ / /) { (11054) if (&User-Name =~ / /) -> FALSE (11054) if (&User-Name =~ /@[^@]*@/ ) { (11054) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11054) if (&User-Name =~ /\.\./ ) { (11054) if (&User-Name =~ /\.\./ ) -> FALSE (11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11054) if (&User-Name =~ /\.$/) { (11054) if (&User-Name =~ /\.$/) -> FALSE (11054) if (&User-Name =~ /@\./) { (11054) if (&User-Name =~ /@\./) -> FALSE (11054) } # if (&User-Name) = notfound (11054) } # policy filter_username = notfound (11054) policy split_username_nai { (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11054) update request { (11054) EXPAND %{1} (11054) --> denisson.magalhaes (11054) &Stripped-User-Name := denisson.magalhaes (11054) EXPAND %{3} (11054) --> (11054) &Stripped-User-Domain = (11054) } # update request = noop (11054) [updated] = updated (11054) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11054) ... skipping else: Preceding "if" was taken (11054) } # policy split_username_nai = updated (11054) [chap] = noop (11054) [mschap] = noop (11054) suffix: Checking for suffix after "@" (11054) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL (11054) suffix: No such realm "NULL" (11054) [suffix] = noop (11054) update control { (11054) &Proxy-To-Realm := LOCAL (11054) } # update control = noop (11054) eap: Peer sent EAP Response (code 2) ID 6 length 23 (11054) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11054) [eap] = ok (11054) } # authorize = ok (11054) Found Auth-Type = eap (11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11054) authenticate { (11054) eap: Peer sent packet with method EAP Identity (1) (11054) eap: Calling submodule eap_mschapv2 to process data (11054) eap_mschapv2: Issuing Challenge (11054) eap: Sending EAP Request (code 1) ID 7 length 43 (11054) eap: EAP session adding &reply:State = 0x42859db4428287cc (11054) [eap] = handled (11054) } # authenticate = handled (11054) } # server inner-tunnel (11054) Virtual server sending reply (11054) EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132 (11054) Message-Authenticator = 0x00000000000000000000000000000000 (11054) State = 0x42859db4428287cc3b9481c4f9ea1542 (11054) eap_peap: Got tunneled reply code 11 (11054) eap_peap: EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132 (11054) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11054) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542 (11054) eap_peap: Got tunneled reply RADIUS code 11 (11054) eap_peap: EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132 (11054) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11054) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542 (11054) eap_peap: Got tunneled Access-Challenge (11054) eap: Sending EAP Request (code 1) ID 7 length 74 (11054) eap: EAP session adding &reply:State = 0xbb52a0a1bd55b9af (11054) [eap] = handled (11054) } # authenticate = handled (11054) Using Post-Auth-Type Challenge (11054) Post-Auth-Type sub-section not found. Ignoring. (11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11054) Sent Access-Challenge Id 145 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11054) EAP-Message = 0x0107004a1900170303003f8995cd8a764926562bcf6a8d4e4fc36150939a3009148fd8d27651059f01ecb32a009ed57b2d586e2c8fdfc5574e7a006d90b1d5a56e19f86fd3ae11155229 (11054) Message-Authenticator = 0x00000000000000000000000000000000 (11054) State = 0xbb52a0a1bd55b9afa6d420c8f1230505 (11054) Finished request (11055) Received Access-Request Id 146 from 10.34.27.220:3489 to 10.34.242.3:1812 length 265 (11055) User-Name = "mpdft" (11055) NAS-IP-Address = 10.34.27.220 (11055) NAS-Port = 2 (11055) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11055) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11055) Framed-MTU = 1400 (11055) NAS-Port-Type = Wireless-802.11 (11055) Connect-Info = "CONNECT 54Mbps 802.11g" (11055) EAP-Message = 0x0207006c1900170303006100000000000000024d591a24a1d1ce11848fa5356bb8f2bf4f0862b3b05595d98b477efde9817e3fe9a90e73500086263fa7700d87902ddb01e2a0102b19e6c925e461ae10f42f0f17fda0b9381010aa00b76bb59fa7bf2091764c1fb3a468489a (11055) State = 0xbb52a0a1bd55b9afa6d420c8f1230505 (11055) Message-Authenticator = 0xb206d85e899e2eb17db70c79d6d07fec (11055) session-state: No cached attributes (11055) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11055) authorize { (11055) policy filter_username { (11055) if (&User-Name) { (11055) if (&User-Name) -> TRUE (11055) if (&User-Name) { (11055) if (&User-Name != "%{tolower:%{User-Name}}") { (11055) EXPAND %{tolower:%{User-Name}} (11055) --> mpdft (11055) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11055) if (&User-Name =~ /\// ) { (11055) if (&User-Name =~ /\// ) -> FALSE (11055) if (&User-Name =~ / /) { (11055) if (&User-Name =~ / /) -> FALSE (11055) if (&User-Name =~ /@[^@]*@/ ) { (11055) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11055) if (&User-Name =~ /\.\./ ) { (11055) if (&User-Name =~ /\.\./ ) -> FALSE (11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11055) if (&User-Name =~ /\.$/) { (11055) if (&User-Name =~ /\.$/) -> FALSE (11055) if (&User-Name =~ /@\./) { (11055) if (&User-Name =~ /@\./) -> FALSE (11055) } # if (&User-Name) = notfound (11055) } # policy filter_username = notfound (11055) policy split_username_nai { (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11055) update request { (11055) EXPAND %{1} (11055) --> mpdft (11055) &Stripped-User-Name := mpdft (11055) EXPAND %{3} (11055) --> (11055) &Stripped-User-Domain = (11055) } # update request = noop (11055) [updated] = updated (11055) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11055) ... skipping else: Preceding "if" was taken (11055) } # policy split_username_nai = updated (11055) [preprocess] = ok (11055) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11055) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11055) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11055) auth_log: EXPAND %t (11055) auth_log: --> Wed Jun 24 15:00:27 2020 (11055) [auth_log] = ok (11055) [chap] = noop (11055) [mschap] = noop (11055) [digest] = noop (11055) suffix: Checking for suffix after "@" (11055) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11055) suffix: No such realm "NULL" (11055) [suffix] = noop (11055) eap: Peer sent EAP Response (code 2) ID 7 length 108 (11055) eap: Continuing tunnel setup (11055) [eap] = ok (11055) } # authorize = ok (11055) Found Auth-Type = eap (11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11055) authenticate { (11055) eap: Expiring EAP session with state 0x663165b2651a7c1c (11055) eap: Finished EAP session with state 0xbb52a0a1bd55b9af (11055) eap: Previous EAP request found for state 0xbb52a0a1bd55b9af, released from the list (11055) eap: Peer sent packet with method EAP PEAP (25) (11055) eap: Calling submodule eap_peap to process data (11055) eap_peap: Continuing EAP-TLS (11055) eap_peap: [eaptls verify] = ok (11055) eap_peap: Done initial handshake (11055) eap_peap: [eaptls process] = ok (11055) eap_peap: Session established. Decoding tunneled attributes (11055) eap_peap: PEAP state phase2 (11055) eap_peap: EAP method MSCHAPv2 (26) (11055) eap_peap: Got tunneled request (11055) eap_peap: EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573 (11055) eap_peap: Setting User-Name to denisson.magalhaes (11055) eap_peap: Sending tunneled request to inner-tunnel (11055) eap_peap: EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573 (11055) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (11055) eap_peap: User-Name = "denisson.magalhaes" (11055) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542 (11055) Virtual server inner-tunnel received request (11055) EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573 (11055) FreeRADIUS-Proxied-To = 127.0.0.1 (11055) User-Name = "denisson.magalhaes" (11055) State = 0x42859db4428287cc3b9481c4f9ea1542 (11055) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (11055) server inner-tunnel { (11055) session-state: No cached attributes (11055) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11055) authorize { (11055) policy filter_username { (11055) if (&User-Name) { (11055) if (&User-Name) -> TRUE (11055) if (&User-Name) { (11055) if (&User-Name != "%{tolower:%{User-Name}}") { (11055) EXPAND %{tolower:%{User-Name}} (11055) --> denisson.magalhaes (11055) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11055) if (&User-Name =~ /\// ) { (11055) if (&User-Name =~ /\// ) -> FALSE (11055) if (&User-Name =~ / /) { (11055) if (&User-Name =~ / /) -> FALSE (11055) if (&User-Name =~ /@[^@]*@/ ) { (11055) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11055) if (&User-Name =~ /\.\./ ) { (11055) if (&User-Name =~ /\.\./ ) -> FALSE (11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11055) if (&User-Name =~ /\.$/) { (11055) if (&User-Name =~ /\.$/) -> FALSE (11055) if (&User-Name =~ /@\./) { (11055) if (&User-Name =~ /@\./) -> FALSE (11055) } # if (&User-Name) = notfound (11055) } # policy filter_username = notfound (11055) policy split_username_nai { (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11055) update request { (11055) EXPAND %{1} (11055) --> denisson.magalhaes (11055) &Stripped-User-Name := denisson.magalhaes (11055) EXPAND %{3} (11055) --> (11055) &Stripped-User-Domain = (11055) } # update request = noop (11055) [updated] = updated (11055) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11055) ... skipping else: Preceding "if" was taken (11055) } # policy split_username_nai = updated (11055) [chap] = noop (11055) [mschap] = noop (11055) suffix: Checking for suffix after "@" (11055) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL (11055) suffix: No such realm "NULL" (11055) [suffix] = noop (11055) update control { (11055) &Proxy-To-Realm := LOCAL (11055) } # update control = noop (11055) eap: Peer sent EAP Response (code 2) ID 7 length 77 (11055) eap: No EAP Start, assuming it's an on-going EAP conversation (11055) [eap] = updated (11055) files: users: Matched entry DEFAULT at line 90 (11055) [files] = ok (11055) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11055) sql: --> denisson.magalhaes (11055) sql: SQL-User-Name set to 'denisson.magalhaes' (11055) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (11055) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id (11055) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id (11055) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (11055) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority (11055) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority (11055) sql: User not found in any groups (11055) [sql] = notfound (11055) [expiration] = noop (11055) [logintime] = noop (11055) [pap] = noop (11055) } # authorize = updated (11055) Found Auth-Type = eap (11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11055) authenticate { (11055) eap: Expiring EAP session with state 0x663165b2651a7c1c (11055) eap: Finished EAP session with state 0x42859db4428287cc (11055) eap: Previous EAP request found for state 0x42859db4428287cc, released from the list (11055) eap: Peer sent packet with method EAP MSCHAPv2 (26) (11055) eap: Calling submodule eap_mschapv2 to process data (11055) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11055) eap_mschapv2: authenticate { (11055) mschap: Creating challenge hash with username: denisson.magalhaes (11055) mschap: Client is using MS-CHAPv2 (11055) mschap: EXPAND %{mschap:User-Name} (11055) mschap: --> denisson.magalhaes (11055) mschap: ERROR: No NT-Domain was found in the User-Name (11055) mschap: EXPAND %{mschap:NT-Domain} (11055) mschap: --> (11055) mschap: sending authentication request user='denisson.magalhaes' domain='' (11055) mschap: Authenticated successfully (11055) mschap: Adding MS-CHAPv2 MPPE keys (11055) [mschap] = ok (11055) } # authenticate = ok (11055) MSCHAP Success (11055) eap: Sending EAP Request (code 1) ID 8 length 51 (11055) eap: EAP session adding &reply:State = 0x42859db4438d87cc (11055) [eap] = handled (11055) } # authenticate = handled (11055) } # server inner-tunnel (11055) Virtual server sending reply (11055) Idle-Timeout = 300 (11055) EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334 (11055) Message-Authenticator = 0x00000000000000000000000000000000 (11055) State = 0x42859db4438d87cc3b9481c4f9ea1542 (11055) eap_peap: Got tunneled reply code 11 (11055) eap_peap: Idle-Timeout = 300 (11055) eap_peap: EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334 (11055) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11055) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542 (11055) eap_peap: Got tunneled reply RADIUS code 11 (11055) eap_peap: Idle-Timeout = 300 (11055) eap_peap: EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334 (11055) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11055) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542 (11055) eap_peap: Got tunneled Access-Challenge (11055) eap: Sending EAP Request (code 1) ID 8 length 82 (11055) eap: EAP session adding &reply:State = 0xbb52a0a1bc5ab9af (11055) [eap] = handled (11055) } # authenticate = handled (11055) Using Post-Auth-Type Challenge (11055) Post-Auth-Type sub-section not found. Ignoring. (11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11055) Sent Access-Challenge Id 146 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11055) EAP-Message = 0x01080052190017030300478995cd8a764926570ee0b4bf6e9b90dd0bdaa8f1f13a3d44bceb60b3d4c779cd0e31ebfbe40fa16df76e27769cdfcc6b9f3fefc910c56308bef902dc01e91b87251ed4fa655992 (11055) Message-Authenticator = 0x00000000000000000000000000000000 (11055) State = 0xbb52a0a1bc5ab9afa6d420c8f1230505 (11055) Finished request (11056) Received Access-Request Id 147 from 10.34.27.220:3489 to 10.34.242.3:1812 length 194 (11056) User-Name = "mpdft" (11056) NAS-IP-Address = 10.34.27.220 (11056) NAS-Port = 2 (11056) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11056) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11056) Framed-MTU = 1400 (11056) NAS-Port-Type = Wireless-802.11 (11056) Connect-Info = "CONNECT 54Mbps 802.11g" (11056) EAP-Message = 0x020800251900170303001a00000000000000030c71fdcc8d24f633a88e6aa816fe57085c9a (11056) State = 0xbb52a0a1bc5ab9afa6d420c8f1230505 (11056) Message-Authenticator = 0xef807e88c37c705c6ec3fa5bbcc830e6 (11056) session-state: No cached attributes (11056) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11056) authorize { (11056) policy filter_username { (11056) if (&User-Name) { (11056) if (&User-Name) -> TRUE (11056) if (&User-Name) { (11056) if (&User-Name != "%{tolower:%{User-Name}}") { (11056) EXPAND %{tolower:%{User-Name}} (11056) --> mpdft (11056) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11056) if (&User-Name =~ /\// ) { (11056) if (&User-Name =~ /\// ) -> FALSE (11056) if (&User-Name =~ / /) { (11056) if (&User-Name =~ / /) -> FALSE (11056) if (&User-Name =~ /@[^@]*@/ ) { (11056) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11056) if (&User-Name =~ /\.\./ ) { (11056) if (&User-Name =~ /\.\./ ) -> FALSE (11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11056) if (&User-Name =~ /\.$/) { (11056) if (&User-Name =~ /\.$/) -> FALSE (11056) if (&User-Name =~ /@\./) { (11056) if (&User-Name =~ /@\./) -> FALSE (11056) } # if (&User-Name) = notfound (11056) } # policy filter_username = notfound (11056) policy split_username_nai { (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11056) update request { (11056) EXPAND %{1} (11056) --> mpdft (11056) &Stripped-User-Name := mpdft (11056) EXPAND %{3} (11056) --> (11056) &Stripped-User-Domain = (11056) } # update request = noop (11056) [updated] = updated (11056) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11056) ... skipping else: Preceding "if" was taken (11056) } # policy split_username_nai = updated (11056) [preprocess] = ok (11056) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11056) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11056) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11056) auth_log: EXPAND %t (11056) auth_log: --> Wed Jun 24 15:00:27 2020 (11056) [auth_log] = ok (11056) [chap] = noop (11056) [mschap] = noop (11056) [digest] = noop (11056) suffix: Checking for suffix after "@" (11056) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11056) suffix: No such realm "NULL" (11056) [suffix] = noop (11056) eap: Peer sent EAP Response (code 2) ID 8 length 37 (11056) eap: Continuing tunnel setup (11056) [eap] = ok (11056) } # authorize = ok (11056) Found Auth-Type = eap (11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11056) authenticate { (11056) eap: Expiring EAP session with state 0x663165b2651a7c1c (11056) eap: Finished EAP session with state 0xbb52a0a1bc5ab9af (11056) eap: Previous EAP request found for state 0xbb52a0a1bc5ab9af, released from the list (11056) eap: Peer sent packet with method EAP PEAP (25) (11056) eap: Calling submodule eap_peap to process data (11056) eap_peap: Continuing EAP-TLS (11056) eap_peap: [eaptls verify] = ok (11056) eap_peap: Done initial handshake (11056) eap_peap: [eaptls process] = ok (11056) eap_peap: Session established. Decoding tunneled attributes (11056) eap_peap: PEAP state phase2 (11056) eap_peap: EAP method MSCHAPv2 (26) (11056) eap_peap: Got tunneled request (11056) eap_peap: EAP-Message = 0x020800061a03 (11056) eap_peap: Setting User-Name to denisson.magalhaes (11056) eap_peap: Sending tunneled request to inner-tunnel (11056) eap_peap: EAP-Message = 0x020800061a03 (11056) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (11056) eap_peap: User-Name = "denisson.magalhaes" (11056) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542 (11056) Virtual server inner-tunnel received request (11056) EAP-Message = 0x020800061a03 (11056) FreeRADIUS-Proxied-To = 127.0.0.1 (11056) User-Name = "denisson.magalhaes" (11056) State = 0x42859db4438d87cc3b9481c4f9ea1542 (11056) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (11056) server inner-tunnel { (11056) session-state: No cached attributes (11056) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11056) authorize { (11056) policy filter_username { (11056) if (&User-Name) { (11056) if (&User-Name) -> TRUE (11056) if (&User-Name) { (11056) if (&User-Name != "%{tolower:%{User-Name}}") { (11056) EXPAND %{tolower:%{User-Name}} (11056) --> denisson.magalhaes (11056) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11056) if (&User-Name =~ /\// ) { (11056) if (&User-Name =~ /\// ) -> FALSE (11056) if (&User-Name =~ / /) { (11056) if (&User-Name =~ / /) -> FALSE (11056) if (&User-Name =~ /@[^@]*@/ ) { (11056) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11056) if (&User-Name =~ /\.\./ ) { (11056) if (&User-Name =~ /\.\./ ) -> FALSE (11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11056) if (&User-Name =~ /\.$/) { (11056) if (&User-Name =~ /\.$/) -> FALSE (11056) if (&User-Name =~ /@\./) { (11056) if (&User-Name =~ /@\./) -> FALSE (11056) } # if (&User-Name) = notfound (11056) } # policy filter_username = notfound (11056) policy split_username_nai { (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11056) update request { (11056) EXPAND %{1} (11056) --> denisson.magalhaes (11056) &Stripped-User-Name := denisson.magalhaes (11056) EXPAND %{3} (11056) --> (11056) &Stripped-User-Domain = (11056) } # update request = noop (11056) [updated] = updated (11056) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11056) ... skipping else: Preceding "if" was taken (11056) } # policy split_username_nai = updated (11056) [chap] = noop (11056) [mschap] = noop (11056) suffix: Checking for suffix after "@" (11056) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL (11056) suffix: No such realm "NULL" (11056) [suffix] = noop (11056) update control { (11056) &Proxy-To-Realm := LOCAL (11056) } # update control = noop (11056) eap: Peer sent EAP Response (code 2) ID 8 length 6 (11056) eap: No EAP Start, assuming it's an on-going EAP conversation (11056) [eap] = updated (11056) files: users: Matched entry DEFAULT at line 90 (11056) [files] = ok (11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11056) sql: --> denisson.magalhaes (11056) sql: SQL-User-Name set to 'denisson.magalhaes' (11056) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id (11056) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id (11056) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id (11056) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority (11056) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority (11056) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority (11056) sql: User not found in any groups (11056) [sql] = notfound (11056) [expiration] = noop (11056) [logintime] = noop (11056) [pap] = noop (11056) } # authorize = updated (11056) Found Auth-Type = eap (11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11056) authenticate { (11056) eap: Expiring EAP session with state 0x663165b2651a7c1c (11056) eap: Finished EAP session with state 0x42859db4438d87cc (11056) eap: Previous EAP request found for state 0x42859db4438d87cc, released from the list (11056) eap: Peer sent packet with method EAP MSCHAPv2 (26) (11056) eap: Calling submodule eap_mschapv2 to process data (11056) eap: Sending EAP Success (code 3) ID 8 length 4 (11056) eap: Freeing handler (11056) [eap] = ok (11056) } # authenticate = ok (11056) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11056) session { (11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11056) sql: --> denisson.magalhaes (11056) sql: SQL-User-Name set to 'denisson.magalhaes' (11056) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL (11056) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL (11056) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL (11056) [sql] = ok (11056) } # session = ok (11056) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11056) post-auth { (11056) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail (11056) reply_log: --> /var/log/freeradius/radacct/10.34.27.220/reply-detail (11056) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.27.220/reply-detail (11056) reply_log: EXPAND %t (11056) reply_log: --> Wed Jun 24 15:00:27 2020 (11056) [reply_log] = ok (11056) update outer.session-state { (11056) User-Name := &request:User-Name -> 'denisson.magalhaes' (11056) } # update outer.session-state = noop (11056) } # post-auth = ok (11056) Login OK: [denisson.magalhaes] (from client AP-SD1-A07-Q01 port 0 via TLS tunnel) (11056) } # server inner-tunnel (11056) Virtual server sending reply (11056) Idle-Timeout = 300 (11056) MS-MPPE-Encryption-Policy = Encryption-Allowed (11056) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (11056) MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547 (11056) MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200 (11056) EAP-Message = 0x03080004 (11056) Message-Authenticator = 0x00000000000000000000000000000000 (11056) Stripped-User-Name := "denisson.magalhaes" (11056) eap_peap: Got tunneled reply code 2 (11056) eap_peap: Idle-Timeout = 300 (11056) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (11056) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (11056) eap_peap: MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547 (11056) eap_peap: MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200 (11056) eap_peap: EAP-Message = 0x03080004 (11056) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11056) eap_peap: Stripped-User-Name := "denisson.magalhaes" (11056) eap_peap: Got tunneled reply RADIUS code 2 (11056) eap_peap: Idle-Timeout = 300 (11056) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (11056) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (11056) eap_peap: MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547 (11056) eap_peap: MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200 (11056) eap_peap: EAP-Message = 0x03080004 (11056) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (11056) eap_peap: Stripped-User-Name := "denisson.magalhaes" (11056) eap_peap: Tunneled authentication was successful (11056) eap_peap: SUCCESS (11056) eap: Sending EAP Request (code 1) ID 9 length 46 (11056) eap: EAP session adding &reply:State = 0xbb52a0a1b35bb9af (11056) [eap] = handled (11056) } # authenticate = handled (11056) Using Post-Auth-Type Challenge (11056) Post-Auth-Type sub-section not found. Ignoring. (11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11056) session-state: Saving cached attributes (11056) User-Name := "denisson.magalhaes" (11056) Sent Access-Challenge Id 147 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11056) EAP-Message = 0x0109002e190017030300238995cd8a7649265810e5b3e27abcad75ff296090e62e67146c82208d190ceeacb5d460 (11056) Message-Authenticator = 0x00000000000000000000000000000000 (11056) State = 0xbb52a0a1b35bb9afa6d420c8f1230505 (11056) Finished request (11057) Received Access-Request Id 148 from 10.34.27.220:3489 to 10.34.242.3:1812 length 203 (11057) User-Name = "mpdft" (11057) NAS-IP-Address = 10.34.27.220 (11057) NAS-Port = 2 (11057) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11057) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11057) Framed-MTU = 1400 (11057) NAS-Port-Type = Wireless-802.11 (11057) Connect-Info = "CONNECT 54Mbps 802.11g" (11057) EAP-Message = 0x0209002e1900170303002300000000000000042a5735c1019043f4750eb742ccd3d54f92363af7bf12b2cdada0db (11057) State = 0xbb52a0a1b35bb9afa6d420c8f1230505 (11057) Message-Authenticator = 0xb335bdc2af14c15b83e0f5d023601714 (11057) Restoring &session-state (11057) &session-state:User-Name := "denisson.magalhaes" (11057) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11057) authorize { (11057) policy filter_username { (11057) if (&User-Name) { (11057) if (&User-Name) -> TRUE (11057) if (&User-Name) { (11057) if (&User-Name != "%{tolower:%{User-Name}}") { (11057) EXPAND %{tolower:%{User-Name}} (11057) --> mpdft (11057) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE (11057) if (&User-Name =~ /\// ) { (11057) if (&User-Name =~ /\// ) -> FALSE (11057) if (&User-Name =~ / /) { (11057) if (&User-Name =~ / /) -> FALSE (11057) if (&User-Name =~ /@[^@]*@/ ) { (11057) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11057) if (&User-Name =~ /\.\./ ) { (11057) if (&User-Name =~ /\.\./ ) -> FALSE (11057) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11057) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11057) if (&User-Name =~ /\.$/) { (11057) if (&User-Name =~ /\.$/) -> FALSE (11057) if (&User-Name =~ /@\./) { (11057) if (&User-Name =~ /@\./) -> FALSE (11057) } # if (&User-Name) = notfound (11057) } # policy filter_username = notfound (11057) policy split_username_nai { (11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11057) update request { (11057) EXPAND %{1} (11057) --> mpdft (11057) &Stripped-User-Name := mpdft (11057) EXPAND %{3} (11057) --> (11057) &Stripped-User-Domain = (11057) } # update request = noop (11057) [updated] = updated (11057) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11057) ... skipping else: Preceding "if" was taken (11057) } # policy split_username_nai = updated (11057) [preprocess] = ok (11057) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail (11057) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail (11057) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail (11057) auth_log: EXPAND %t (11057) auth_log: --> Wed Jun 24 15:00:27 2020 (11057) [auth_log] = ok (11057) [chap] = noop (11057) [mschap] = noop (11057) [digest] = noop (11057) suffix: Checking for suffix after "@" (11057) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11057) suffix: No such realm "NULL" (11057) [suffix] = noop (11057) eap: Peer sent EAP Response (code 2) ID 9 length 46 (11057) eap: Continuing tunnel setup (11057) [eap] = ok (11057) } # authorize = ok (11057) Found Auth-Type = eap (11057) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11057) authenticate { (11057) eap: Expiring EAP session with state 0x663165b2651a7c1c (11057) eap: Finished EAP session with state 0xbb52a0a1b35bb9af (11057) eap: Previous EAP request found for state 0xbb52a0a1b35bb9af, released from the list (11057) eap: Peer sent packet with method EAP PEAP (25) (11057) eap: Calling submodule eap_peap to process data (11057) eap_peap: Continuing EAP-TLS (11057) eap_peap: [eaptls verify] = ok (11057) eap_peap: Done initial handshake (11057) eap_peap: [eaptls process] = ok (11057) eap_peap: Session established. Decoding tunneled attributes (11057) eap_peap: PEAP state send tlv success (11057) eap_peap: Received EAP-TLV response (11057) eap_peap: Success (11057) eap: Sending EAP Success (code 3) ID 9 length 4 (11057) eap: Freeing handler (11057) [eap] = ok (11057) } # authenticate = ok (11057) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (11057) post-auth { (11057) update { (11057) &reply::User-Name += &session-state:User-Name[*] -> 'denisson.magalhaes' (11057) } # update = noop (11057) sql: EXPAND .query (11057) sql: --> .query (11057) sql: Using query template 'query' (11057) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11057) sql: --> mpdft (11057) sql: SQL-User-Name set to 'mpdft' (11057) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()})) (11057) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627)) (11057) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627)) (11057) sql: SQL query returned: success (11057) sql: 1 record(s) updated (11057) [sql] = ok (11057) [exec] = noop (11057) policy remove_reply_message_if_eap { (11057) if (&reply:EAP-Message && &reply:Reply-Message) { (11057) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11057) else { (11057) [noop] = noop (11057) } # else = noop (11057) } # policy remove_reply_message_if_eap = noop (11057) } # post-auth = ok (11057) Login OK: [mpdft] (from client AP-SD1-A07-Q01 port 2 cli A8-16-D0-C6-45-D3) (11057) Sent Access-Accept Id 148 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0 (11057) MS-MPPE-Recv-Key = 0xbafc3f0b8b2ee70c827cea2182df7129b67364884f6e0fa5221f8dbbd5ce911c (11057) MS-MPPE-Send-Key = 0x70a6a9086da56a737960ddfdc624c60cd5cbcf5de4e547b0691b74df50815224 (11057) EAP-Message = 0x03090004 (11057) Message-Authenticator = 0x00000000000000000000000000000000 (11057) User-Name += "denisson.magalhaes" (11057) Finished request (11058) Received Accounting-Request Id 149 from 10.34.27.220:3491 to 10.34.242.3:1813 length 144 (11058) Acct-Session-Id = "38D550D0-00000013" (11058) Acct-Status-Type = Start (11058) Acct-Authentic = RADIUS (11058) User-Name = "mpdft" (11058) NAS-IP-Address = 10.34.27.220 (11058) NAS-Port = 2 (11058) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT" (11058) Calling-Station-Id = "A8-16-D0-C6-45-D3" (11058) NAS-Port-Type = Wireless-802.11 (11058) Connect-Info = "CONNECT 54Mbps 802.11g" (11058) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (11058) preacct { (11058) [preprocess] = ok (11058) policy split_username_nai { (11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (11058) update request { (11058) EXPAND %{1} (11058) --> mpdft (11058) &Stripped-User-Name := mpdft (11058) EXPAND %{3} (11058) --> (11058) &Stripped-User-Domain = (11058) } # update request = noop (11058) [updated] = updated (11058) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (11058) ... skipping else: Preceding "if" was taken (11058) } # policy split_username_nai = updated (11058) update request { (11058) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (11058) --> 1593021627 (11058) FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 15:00:27 -03 (11058) } # update request = noop (11058) policy acct_unique { (11058) update request { (11058) Tmp-String-9 := "ai:" (11058) } # update request = noop (11058) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (11058) EXPAND %{hex:&Class} (11058) --> (11058) EXPAND ^%{hex:&Tmp-String-9} (11058) --> ^61693a (11058) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (11058) else { (11058) update request { (11058) EXPAND %{Acct-Session-ID} (11058) --> 38D550D0-00000013 (11058) &Acct-Unique-Session-Id := 38D550D0-00000013 (11058) EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (11058) --> mpdft (11058) &Acct-Unique-Session-Id := mpdft (11058) EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}} (11058) --> 1c92c41b581f7829c15ebabed38f906d (11058) &Acct-Unique-Session-Id := 1c92c41b581f7829c15ebabed38f906d (11058) } # update request = noop (11058) } # else = noop (11058) } # policy acct_unique = noop (11058) suffix: Checking for suffix after "@" (11058) suffix: No '@' in User-Name = "mpdft", looking up realm NULL (11058) suffix: No such realm "NULL" (11058) [suffix] = noop (11058) files: acct_users: Matched entry DEFAULT at line 22 (11058) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (11058) files: --> mpdft (11058) [files] = ok (11058) } # preacct = updated (11058) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (11058) accounting { (11058) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (11058) log_accounting: --> Accounting-Request.Start (11058) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) (11058) log_accounting: --> Wed, 24-06-2020 15:00:27 Connect: [mpdft] (did 5C-D9-98-14-22-88:MPDFT cli A8-16-D0-C6-45-D3 port 2 ip ) (11058) log_accounting: EXPAND /var/log/freeradius/linelog-accounting (11058) log_accounting: --> /var/log/freeradius/linelog-accounting (11058) [log_accounting] = ok (11058) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (11058) sql: --> type.start.query (11058) sql: Using query template 'query' (11058) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11058) sql: --> mpdft (11058) sql: SQL-User-Name set to 'mpdft' (11058) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (11058) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet) (11058) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet) (11058) sql: SQL query returned: success (11058) sql: 1 record(s) updated (11058) [sql] = ok (11058) if (&request:Acct-Status-Type == start) { (11058) if (&request:Acct-Status-Type == start) -> TRUE (11058) if (&request:Acct-Status-Type == start) { (11058) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}} (11058) --> mpdft (11058) SQL-User-Name set to 'mpdft' (11058) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593021627), AcctUpdateTime = TO_TIMESTAMP(1593021627), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = 'mpdft' AND AcctUniqueId <> '1c92c41b581f7829c15ebabed38f906d' AND CallingStationId = 'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL (11058) SQL query affected no rows (11058) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL} (11058) --> (11058) } # if (&request:Acct-Status-Type == start) = ok (11058) [exec] = noop (11058) attr_filter.accounting_response: EXPAND %{User-Name} (11058) attr_filter.accounting_response: --> mpdft (11058) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (11058) [attr_filter.accounting_response] = updated (11058) } # accounting = updated (11058) Sent Accounting-Response Id 149 from 10.34.242.3:1813 to 10.34.27.220:3491 length 0 (11058) Finished request (11058) Cleaning up request packet ID 149 with timestamp +2547 (11048) Cleaning up request packet ID 139 with timestamp +2547 (11049) Cleaning up request packet ID 140 with timestamp +2547 (11050) Cleaning up request packet ID 141 with timestamp +2547 (11051) Cleaning up request packet ID 142 with timestamp +2547 (11052) Cleaning up request packet ID 143 with timestamp +2547 (11053) Cleaning up request packet ID 144 with timestamp +2547 (11054) Cleaning up request packet ID 145 with timestamp +2547 (11055) Cleaning up request packet ID 146 with timestamp +2547 (11056) Cleaning up request packet ID 147 with timestamp +2547 (11057) Cleaning up request packet ID 148 with timestamp +2547 ============== MY INNER-TUNNEL VS ============ root@vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/inner-tunnel | less server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { filter_username split_username_nai chap mschap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } files sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap } session { sql } post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } update outer.session-state { User-Name := &request:User-Name } } pre-proxy { pre_proxy_log } post-proxy { filter_username split_username_nai post_proxy_log eap } ============== MY DEFAULT VS ============ root@vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/default server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username split_username_nai preprocess auth_log chap mschap digest suffix eap { ok = return } files sql -ldap expiration logintime if (ok) { update control { MS-CHAP-Use-NTLM-Auth := No } } pap } authenticate { Auth-Type NTLM_AUTH { ntlm_auth } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest eap } preacct { preprocess split_username_nai update request { FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" } acct_unique suffix files } accounting { log_accounting sql if (&request:Acct-Status-Type == start) { %{sql:UPDATE radacct \ SET \ AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \ AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \ AcctTerminateCause = 'Stalled-session', \ ConnectInfo_stop = '%{Connect-Info}' \ WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' \ AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' \ AND CallingStationId = '%{Calling-Station-Id}' \ AND AcctStopTime IS NULL} } exec attr_filter.accounting_response Acct-Type Status-Server { } } session { sql } post-auth { update { &reply: += &session-state: } sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { filter_username split_username_nai eap } }