As I said, I searched for "inner-tunnel“ in the below output and can find "proxy-inner-tunnel“, indeed. But this is another virtual server, or am I wrong? Or please correct me on this, if this is not true: (14) Received Access-Request Id 161 from 1.2.3.4:63606 to 130.92.10.33:1812 length 461 (14) User-Name = anonymous@unibe.ch (14) Service-Type = Framed-User (14) Cisco-AVPair = "service-type=Framed" (14) Framed-MTU = 1485 (14) EAP-Message = 0x0201001701616e6f6e796d6f757340756e6962652e6368 (14) Message-Authenticator = 0xcda0dbee35c44f95af0a726f08995386 (14) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (14) Cisco-AVPair = "method=dot1x" (14) Cisco-AVPair = "client-iif-id=2818574557" (14) Cisco-AVPair = "vlan-id=1000" (14) NAS-IP-Address = 1.2.3.4 (14) NAS-Port-Id = "capwap_9000000c" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 4211 (14) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (14) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (14) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (14) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (14) Airespace-Wlan-Id = 97 (14) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (14) WLAN-Group-Cipher = 1027076 (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027075 (14) WLAN-Group-Mgmt-Cipher = 1027078 (14) # Executing section authorize from file /etc/freeradius/sites-enabled/default (14) authorize { (14) policy rewrite_called_station_id { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 2C-E3-8E-ED-31-E0 (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (14) } # update request = noop (14) if ("%{8}") { (14) EXPAND %{8} (14) --> eduroam (14) if ("%{8}") -> TRUE (14) if ("%{8}") { (14) update request { (14) EXPAND %{8} (14) --> eduroam (14) &Called-Station-SSID := eduroam (14) EXPAND %{Called-Station-Id}:%{8} (14) --> 2C-E3-8E-ED-31-E0:eduroam (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (14) } # update request = noop (14) } # if ("%{8}") = noop (14) [updated] = updated (14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_called_station_id = updated (14) policy rewrite_calling_station_id { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> AC-DF-A1-B1-F1-5A (14) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (14) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (14) --> AC:DF:A1:B1:F1:5A (14) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (14) } # update request = noop (14) [updated] = updated (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_calling_station_id = updated (14) if (Service-Type == Call-Check) { (14) if (Service-Type == Call-Check) -> FALSE (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (EAP-Message) { (14) if (EAP-Message) -> TRUE (14) if (EAP-Message) { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = updated (14) } # policy filter_username = updated (14) suffix: Checking for suffix after "@" (14) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (14) suffix: Found realm "UNIBE.CH" (14) suffix: Adding Realm = "UNIBE.CH" (14) suffix: Authentication realm is LOCAL (14) [suffix] = ok (14) policy deny_no_realm { (14) if (User-Name && (User-Name !~ /@/)) { (14) if (User-Name && (User-Name !~ /@/)) -> FALSE (14) } # policy deny_no_realm = updated (14) update request { (14) EXPAND %{toupper:%{Realm}} (14) --> UNIBE.CH (14) Realm := UNIBE.CH (14) } # update request = noop (14) eap: Peer sent EAP Response (code 2) ID 1 length 23 (14) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (14) [eap] = ok (14) } # if (EAP-Message) = ok (14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) Auth-Type eap { (14) eap: Peer sent packet with method EAP Identity (1) (14) eap: Using default_eap_type = PEAP (14) eap: Calling submodule eap_peap to process data (14) eap_peap: (TLS) PEAP -Initiating new session (14) eap: Sending EAP Request (code 1) ID 2 length 6 (14) eap: EAP session adding &reply:State = 0x1a0c7e771a0e6752 (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> anonymous@unibe.ch (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) session-state: Saving cached attributes (14) Framed-MTU = 1014 (14) Sent Access-Challenge Id 161 from 130.92.10.33:1812 to 1.2.3.4:63606 length 64 (14) EAP-Message = 0x010200061920 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x1a0c7e771a0e675279b57cf47df95d07 (14) Finished request (15) Received Access-Request Id 162 from 1.2.3.4:63606 to 130.92.10.33:1812 length 617 (15) User-Name = anonymous@unibe.ch (15) Service-Type = Framed-User (15) Cisco-AVPair = "service-type=Framed" (15) Framed-MTU = 1485 (15) EAP-Message = 0x020200a119800000009716030100920100008e03036909999b25b7e27b2e2e231f9c546c4a37d3b858ee2635bdaf836b8c39d42d6800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306010005000501000000000012000000170000 (15) Message-Authenticator = 0xdf959aef8b75ae98ed4dda59508b7a60 (15) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (15) Cisco-AVPair = "method=dot1x" (15) Cisco-AVPair = "client-iif-id=2818574557" (15) Cisco-AVPair = "vlan-id=1000" (15) NAS-IP-Address = 1.2.3.4 (15) NAS-Port-Id = "capwap_9000000c" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 4211 (15) State = 0x1a0c7e771a0e675279b57cf47df95d07 (15) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (15) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (15) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (15) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (15) Airespace-Wlan-Id = 97 (15) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (15) WLAN-Group-Cipher = 1027076 (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027075 (15) WLAN-Group-Mgmt-Cipher = 1027078 (15) Restoring &session-state (15) &session-state:Framed-MTU = 1014 (15) # Executing section authorize from file /etc/freeradius/sites-enabled/default (15) authorize { (15) policy rewrite_called_station_id { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 2C-E3-8E-ED-31-E0 (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (15) } # update request = noop (15) if ("%{8}") { (15) EXPAND %{8} (15) --> eduroam (15) if ("%{8}") -> TRUE (15) if ("%{8}") { (15) update request { (15) EXPAND %{8} (15) --> eduroam (15) &Called-Station-SSID := eduroam (15) EXPAND %{Called-Station-Id}:%{8} (15) --> 2C-E3-8E-ED-31-E0:eduroam (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (15) } # update request = noop (15) } # if ("%{8}") = noop (15) [updated] = updated (15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_called_station_id = updated (15) policy rewrite_calling_station_id { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> AC-DF-A1-B1-F1-5A (15) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (15) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (15) --> AC:DF:A1:B1:F1:5A (15) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (15) } # update request = noop (15) [updated] = updated (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_calling_station_id = updated (15) if (Service-Type == Call-Check) { (15) if (Service-Type == Call-Check) -> FALSE (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (EAP-Message) { (15) if (EAP-Message) -> TRUE (15) if (EAP-Message) { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = updated (15) } # policy filter_username = updated (15) suffix: Checking for suffix after "@" (15) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (15) suffix: Found realm "UNIBE.CH" (15) suffix: Adding Realm = "UNIBE.CH" (15) suffix: Authentication realm is LOCAL (15) [suffix] = ok (15) policy deny_no_realm { (15) if (User-Name && (User-Name !~ /@/)) { (15) if (User-Name && (User-Name !~ /@/)) -> FALSE (15) } # policy deny_no_realm = updated (15) update request { (15) EXPAND %{toupper:%{Realm}} (15) --> UNIBE.CH (15) Realm := UNIBE.CH (15) } # update request = noop (15) eap: Peer sent EAP Response (code 2) ID 2 length 161 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # if (EAP-Message) = ok (15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) Auth-Type eap { (15) eap: Removing EAP session with state 0x1a0c7e771a0e6752 (15) eap: Previous EAP request found for state 0x1a0c7e771a0e6752, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (15) eap_peap: (TLS) EAP Got all data (151 bytes) (15) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - In Handshake Phase (15) eap: Sending EAP Request (code 1) ID 3 length 1024 (15) eap: EAP session adding &reply:State = 0x1a0c7e771b0f6752 (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> anonymous@unibe.ch (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) session-state: Saving cached attributes (15) Framed-MTU = 1014 (15) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (15) Sent Access-Challenge Id 162 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1090 (15) EAP-Message = 0x0103040019c000001135160303003d020000390303f0334014735b9a350f95ccc549063d3e99ba127b1d030030444f574e4752440100c010000011ff01000100000b000401000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x1a0c7e771b0f675279b57cf47df95d07 (15) Finished request (16) Received Access-Request Id 163 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (16) User-Name = anonymous@unibe.ch (16) Service-Type = Framed-User (16) Cisco-AVPair = "service-type=Framed" (16) Framed-MTU = 1485 (16) EAP-Message = 0x020100061900 (16) Message-Authenticator = 0x256013f8a4cd33b09aea930439831655 (16) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (16) Cisco-AVPair = "method=dot1x" (16) Cisco-AVPair = "client-iif-id=2818574557" (16) Cisco-AVPair = "vlan-id=1000" (16) NAS-IP-Address = 1.2.3.4 (16) NAS-Port-Id = "capwap_9000000c" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 4211 (16) State = 0x1a0c7e771b0f675279b57cf47df95d07 (16) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (16) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (16) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (16) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (16) Airespace-Wlan-Id = 97 (16) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (16) WLAN-Group-Cipher = 1027076 (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027075 (16) WLAN-Group-Mgmt-Cipher = 1027078 (16) Restoring &session-state (16) &session-state:Framed-MTU = 1014 (16) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) # Executing section authorize from file /etc/freeradius/sites-enabled/default (16) authorize { (16) policy rewrite_called_station_id { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 2C-E3-8E-ED-31-E0 (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (16) } # update request = noop (16) if ("%{8}") { (16) EXPAND %{8} (16) --> eduroam (16) if ("%{8}") -> TRUE (16) if ("%{8}") { (16) update request { (16) EXPAND %{8} (16) --> eduroam (16) &Called-Station-SSID := eduroam (16) EXPAND %{Called-Station-Id}:%{8} (16) --> 2C-E3-8E-ED-31-E0:eduroam (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (16) } # update request = noop (16) } # if ("%{8}") = noop (16) [updated] = updated (16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_called_station_id = updated (16) policy rewrite_calling_station_id { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> AC-DF-A1-B1-F1-5A (16) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (16) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (16) --> AC:DF:A1:B1:F1:5A (16) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (16) } # update request = noop (16) [updated] = updated (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_calling_station_id = updated (16) if (Service-Type == Call-Check) { (16) if (Service-Type == Call-Check) -> FALSE (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (EAP-Message) { (16) if (EAP-Message) -> TRUE (16) if (EAP-Message) { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = updated (16) } # policy filter_username = updated (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (16) suffix: Found realm "UNIBE.CH" (16) suffix: Adding Realm = "UNIBE.CH" (16) suffix: Authentication realm is LOCAL (16) [suffix] = ok (16) policy deny_no_realm { (16) if (User-Name && (User-Name !~ /@/)) { (16) if (User-Name && (User-Name !~ /@/)) -> FALSE (16) } # policy deny_no_realm = updated (16) update request { (16) EXPAND %{toupper:%{Realm}} (16) --> UNIBE.CH (16) Realm := UNIBE.CH (16) } # update request = noop (16) eap: Peer sent EAP Response (code 2) ID 3 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # if (EAP-Message) = ok (16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (16) } # authorize = updated (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) Auth-Type eap { (16) eap: Removing EAP session with state 0x1a0c7e771b0f6752 (16) eap: Previous EAP request found for state 0x1a0c7e771b0f6752, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: (TLS) Peer ACKed our handshake fragment (16) eap: Sending EAP Request (code 1) ID 4 length 1020 (16) eap: EAP session adding &reply:State = 0x1a0c7e7718086752 (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> anonymous@unibe.ch (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) session-state: Saving cached attributes (16) Framed-MTU = 1014 (16) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) Sent Access-Challenge Id 163 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (16) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040210003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x1a0c7e771808675279b57cf47df95d07 (16) Finished request (17) Received Access-Request Id 164 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (17) User-Name = anonymous@unibe.ch (17) Service-Type = Framed-User (17) Cisco-AVPair = "service-type=Framed" (17) Framed-MTU = 1485 (17) EAP-Message = 0x020400061900 (17) Message-Authenticator = 0x6f9b085346287fdd22fc589a3c0b70f2 (17) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (17) Cisco-AVPair = "method=dot1x" (17) Cisco-AVPair = "client-iif-id=2818574557" (17) Cisco-AVPair = "vlan-id=1000" (17) NAS-IP-Address = 1.2.3.4 (17) NAS-Port-Id = "capwap_9000000c" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 4211 (17) State = 0x1a0c7e771808675279b57cf47df95d07 (17) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (17) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (17) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (17) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (17) Airespace-Wlan-Id = 97 (17) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (17) WLAN-Group-Cipher = 1027076 (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027075 (17) WLAN-Group-Mgmt-Cipher = 1027078 (17) Restoring &session-state (17) &session-state:Framed-MTU = 1014 (17) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) # Executing section authorize from file /etc/freeradius/sites-enabled/default (17) authorize { (17) policy rewrite_called_station_id { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 2C-E3-8E-ED-31-E0 (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (17) } # update request = noop (17) if ("%{8}") { (17) EXPAND %{8} (17) --> eduroam (17) if ("%{8}") -> TRUE (17) if ("%{8}") { (17) update request { (17) EXPAND %{8} (17) --> eduroam (17) &Called-Station-SSID := eduroam (17) EXPAND %{Called-Station-Id}:%{8} (17) --> 2C-E3-8E-ED-31-E0:eduroam (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (17) } # update request = noop (17) } # if ("%{8}") = noop (17) [updated] = updated (17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_called_station_id = updated (17) policy rewrite_calling_station_id { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> AC-DF-A1-B1-F1-5A (17) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (17) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (17) --> AC:DF:A1:B1:F1:5A (17) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (17) } # update request = noop (17) [updated] = updated (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_calling_station_id = updated (17) if (Service-Type == Call-Check) { (17) if (Service-Type == Call-Check) -> FALSE (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (EAP-Message) { (17) if (EAP-Message) -> TRUE (17) if (EAP-Message) { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = updated (17) } # policy filter_username = updated (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (17) suffix: Found realm "UNIBE.CH" (17) suffix: Adding Realm = "UNIBE.CH" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) policy deny_no_realm { (17) if (User-Name && (User-Name !~ /@/)) { (17) if (User-Name && (User-Name !~ /@/)) -> FALSE (17) } # policy deny_no_realm = updated (17) update request { (17) EXPAND %{toupper:%{Realm}} (17) --> UNIBE.CH (17) Realm := UNIBE.CH (17) } # update request = noop (17) eap: Peer sent EAP Response (code 2) ID 4 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # if (EAP-Message) = ok (17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (17) } # authorize = updated (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) Auth-Type eap { (17) eap: Removing EAP session with state 0x1a0c7e7718086752 (17) eap: Previous EAP request found for state 0x1a0c7e7718086752, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: (TLS) Peer ACKed our handshake fragment (17) eap: Sending EAP Request (code 1) ID 5 length 1020 (17) eap: EAP session adding &reply:State = 0x1a0c7e7719096752 (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> anonymous@unibe.ch (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) session-state: Saving cached attributes (17) Framed-MTU = 1014 (17) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) Sent Access-Challenge Id 164 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (17) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x1a0c7e771909675279b57cf47df95d07 (17) Finished request (18) Received Access-Request Id 165 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (18) User-Name = anonymous@unibe.ch (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Framed-MTU = 1485 (18) EAP-Message = 0x020500061900 (18) Message-Authenticator = 0xc196c62add7f8f693998f8856485d83b (18) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2818574557" (18) Cisco-AVPair = "vlan-id=1000" (18) NAS-IP-Address = 1.2.3.4 (18) NAS-Port-Id = "capwap_9000000c" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4211 (18) State = 0x1a0c7e771909675279b57cf47df95d07 (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (18) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (18) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (18) Airespace-Wlan-Id = 97 (18) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (18) WLAN-Group-Cipher = 1027076 (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027075 (18) WLAN-Group-Mgmt-Cipher = 1027078 (18) Restoring &session-state (18) &session-state:Framed-MTU = 1014 (18) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) # Executing section authorize from file /etc/freeradius/sites-enabled/default (18) authorize { (18) policy rewrite_called_station_id { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) update request { Waking up in 0.2 seconds. (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 2C-E3-8E-ED-31-E0 (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (18) } # update request = noop (18) if ("%{8}") { (18) EXPAND %{8} (18) --> eduroam (18) if ("%{8}") -> TRUE (18) if ("%{8}") { (18) update request { (18) EXPAND %{8} (18) --> eduroam (18) &Called-Station-SSID := eduroam (18) EXPAND %{Called-Station-Id}:%{8} (18) --> 2C-E3-8E-ED-31-E0:eduroam (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (18) } # update request = noop (18) } # if ("%{8}") = noop (18) [updated] = updated (18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_called_station_id = updated (18) policy rewrite_calling_station_id { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> AC-DF-A1-B1-F1-5A (18) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (18) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (18) --> AC:DF:A1:B1:F1:5A (18) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (18) } # update request = noop (18) [updated] = updated (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_calling_station_id = updated (18) if (Service-Type == Call-Check) { (18) if (Service-Type == Call-Check) -> FALSE (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (EAP-Message) { (18) if (EAP-Message) -> TRUE (18) if (EAP-Message) { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = updated (18) } # policy filter_username = updated (18) suffix: Checking for suffix after "@" (18) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (18) suffix: Found realm "UNIBE.CH" (18) suffix: Adding Realm = "UNIBE.CH" (18) suffix: Authentication realm is LOCAL (18) [suffix] = ok (18) policy deny_no_realm { (18) if (User-Name && (User-Name !~ /@/)) { (18) if (User-Name && (User-Name !~ /@/)) -> FALSE (18) } # policy deny_no_realm = updated (18) update request { (18) EXPAND %{toupper:%{Realm}} (18) --> UNIBE.CH (18) Realm := UNIBE.CH (18) } # update request = noop (18) eap: Peer sent EAP Response (code 2) ID 5 length 6 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # if (EAP-Message) = ok (18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) Auth-Type eap { (18) eap: Removing EAP session with state 0x1a0c7e7719096752 (18) eap: Previous EAP request found for state 0x1a0c7e7719096752, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: (TLS) Peer ACKed our handshake fragment (18) eap: Sending EAP Request (code 1) ID 6 length 1020 (18) eap: EAP session adding &reply:State = 0x1a0c7e771e0a6752 (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> Access-Challenge (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) attr_filter.access_challenge: EXPAND %{User-Name} (18) attr_filter.access_challenge: --> anonymous@unibe.ch (18) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (18) [attr_filter.access_challenge.post-auth] = updated (18) [handled] = handled (18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (18) } # Auth-Type eap = handled (18) Using Post-Auth-Type Challenge (18) Post-Auth-Type sub-section not found. Ignoring. (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) session-state: Saving cached attributes (18) Framed-MTU = 1014 (18) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) Sent Access-Challenge Id 165 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (18) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x1a0c7e771e0a675279b57cf47df95d07 (18) Finished request (19) Received Access-Request Id 166 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (19) User-Name = anonymous@unibe.ch (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Framed-MTU = 1485 (19) EAP-Message = 0x020600061900 (19) Message-Authenticator = 0x572ab59ccb8ceac06d4c053497b4dad6 (19) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2818574557" (19) Cisco-AVPair = "vlan-id=1000" (19) NAS-IP-Address = 1.2.3.4 (19) NAS-Port-Id = "capwap_9000000c" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4211 (19) State = 0x1a0c7e771e0a675279b57cf47df95d07 (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (19) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (19) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (19) Airespace-Wlan-Id = 97 (19) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (19) WLAN-Group-Cipher = 1027076 (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027075 (19) WLAN-Group-Mgmt-Cipher = 1027078 (19) Restoring &session-state (19) &session-state:Framed-MTU = 1014 (19) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) # Executing section authorize from file /etc/freeradius/sites-enabled/default (19) authorize { (19) policy rewrite_called_station_id { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 2C-E3-8E-ED-31-E0 (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (19) } # update request = noop (19) if ("%{8}") { (19) EXPAND %{8} (19) --> eduroam (19) if ("%{8}") -> TRUE (19) if ("%{8}") { (19) update request { (19) EXPAND %{8} (19) --> eduroam (19) &Called-Station-SSID := eduroam (19) EXPAND %{Called-Station-Id}:%{8} (19) --> 2C-E3-8E-ED-31-E0:eduroam (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (19) } # update request = noop (19) } # if ("%{8}") = noop (19) [updated] = updated (19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_called_station_id = updated (19) policy rewrite_calling_station_id { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> AC-DF-A1-B1-F1-5A (19) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (19) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (19) --> AC:DF:A1:B1:F1:5A (19) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (19) } # update request = noop (19) [updated] = updated (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_calling_station_id = updated (19) if (Service-Type == Call-Check) { (19) if (Service-Type == Call-Check) -> FALSE (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (EAP-Message) { (19) if (EAP-Message) -> TRUE (19) if (EAP-Message) { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = updated (19) } # policy filter_username = updated (19) suffix: Checking for suffix after "@" (19) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (19) suffix: Found realm "UNIBE.CH" (19) suffix: Adding Realm = "UNIBE.CH" (19) suffix: Authentication realm is LOCAL (19) [suffix] = ok (19) policy deny_no_realm { (19) if (User-Name && (User-Name !~ /@/)) { (19) if (User-Name && (User-Name !~ /@/)) -> FALSE (19) } # policy deny_no_realm = updated (19) update request { (19) EXPAND %{toupper:%{Realm}} (19) --> UNIBE.CH (19) Realm := UNIBE.CH (19) } # update request = noop (19) eap: Peer sent EAP Response (code 2) ID 6 length 6 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # if (EAP-Message) = ok (19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) Auth-Type eap { (19) eap: Removing EAP session with state 0x1a0c7e771e0a6752 (19) eap: Previous EAP request found for state 0x1a0c7e771e0a6752, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: (TLS) Peer ACKed our handshake fragment (19) eap: Sending EAP Request (code 1) ID 7 length 355 (19) eap: EAP session adding &reply:State = 0x1a0c7e771f0b6752 (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> Access-Challenge (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) attr_filter.access_challenge: EXPAND %{User-Name} (19) attr_filter.access_challenge: --> anonymous@unibe.ch (19) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (19) [attr_filter.access_challenge.post-auth] = updated (19) [handled] = handled (19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (19) } # Auth-Type eap = handled (19) Using Post-Auth-Type Challenge (19) Post-Auth-Type sub-section not found. Ignoring. (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) session-state: Saving cached attributes (19) Framed-MTU = 1014 (19) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) Sent Access-Challenge Id 166 from 130.92.10.33:1812 to 1.2.3.4:63606 length 415 (19) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104b201a57bca112447dfce17a89ba625c372e0c009eea006a95c79ba5b83514cfc4abe5c00673d4584a35b11ecef0ee23a6e2a18d0c95f8a48f744f685b7bfb054040101001e420d428e4df3bafadfc43614f7e02a46b54eb352afdd238fbe58786c1286d9f48726ae0f45415d47bfb81a54ebf3ac667c828dea5428d65f8c0a1634fc04cd2fddd88809d833251f68c1b85caea91c7c135b8d87ee7b5c91c3fec8e93d09ae2157a548d07e80f8a8ba9cc9267bef2fc1e9433312e89e45d1dbf9650fa7c0f5eb555b12ebf51e2575fe325de4871702c00041a05bf89a779a12f8b0eba2fe702054fb0fc16ec288b6861c55fd6d9a853a574516dbb5684d8b61318e526bc7328643edc25ee4692ac13c9843aba9a028992b5befa9331b65a63b890e5432d66d27e4fc6eae4f0aa2625394096c5e7e469992c9e8003b3af457be9e8309fac01116030100040e000000 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x1a0c7e771f0b675279b57cf47df95d07 (19) Finished request (20) Received Access-Request Id 167 from 1.2.3.4:63606 to 130.92.10.33:1812 length 592 (20) User-Name = anonymous@unibe.ch (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Framed-MTU = 1485 (20) EAP-Message = 0x0207008819800000007e16030300461000004241044bdd335d8636b35b96f838a591e11c19c257fa1853f19b291dd5e25fc57342414c3f644fb0abbd7078454afdc6a47d7f15433d807ebbb5d30efaeb9bc509783f14030100010116030300283667ef69fc720083fa52d1f339bce71060104b344322cb0514ad95532ba10a78d425cd99eb1ea915 (20) Message-Authenticator = 0xfa3c07c12db0b8ddfacd1df94f1e5aff (20) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2818574557" (20) Cisco-AVPair = "vlan-id=1000" (20) NAS-IP-Address = 1.2.3.4 (20) NAS-Port-Id = "capwap_9000000c" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4211 (20) State = 0x1a0c7e771f0b675279b57cf47df95d07 (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (20) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (20) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (20) Airespace-Wlan-Id = 97 (20) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (20) WLAN-Group-Cipher = 1027076 (20) WLAN-Pairwise-Cipher = 1027076 (20) WLAN-AKM-Suite = 1027075 (20) WLAN-Group-Mgmt-Cipher = 1027078 (20) Restoring &session-state (20) &session-state:Framed-MTU = 1014 (20) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) # Executing section authorize from file /etc/freeradius/sites-enabled/default (20) authorize { (20) policy rewrite_called_station_id { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 2C-E3-8E-ED-31-E0 (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (20) } # update request = noop (20) if ("%{8}") { (20) EXPAND %{8} (20) --> eduroam (20) if ("%{8}") -> TRUE (20) if ("%{8}") { (20) update request { (20) EXPAND %{8} (20) --> eduroam (20) &Called-Station-SSID := eduroam (20) EXPAND %{Called-Station-Id}:%{8} (20) --> 2C-E3-8E-ED-31-E0:eduroam (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (20) } # update request = noop (20) } # if ("%{8}") = noop (20) [updated] = updated (20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_called_station_id = updated (20) policy rewrite_calling_station_id { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> AC-DF-A1-B1-F1-5A (20) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (20) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (20) --> AC:DF:A1:B1:F1:5A (20) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (20) } # update request = noop (20) [updated] = updated (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_calling_station_id = updated (20) if (Service-Type == Call-Check) { (20) if (Service-Type == Call-Check) -> FALSE (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (EAP-Message) { (20) if (EAP-Message) -> TRUE (20) if (EAP-Message) { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = updated (20) } # policy filter_username = updated (20) suffix: Checking for suffix after "@" (20) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (20) suffix: Found realm "UNIBE.CH" (20) suffix: Adding Realm = "UNIBE.CH" (20) suffix: Authentication realm is LOCAL (20) [suffix] = ok (20) policy deny_no_realm { (20) if (User-Name && (User-Name !~ /@/)) { (20) if (User-Name && (User-Name !~ /@/)) -> FALSE (20) } # policy deny_no_realm = updated (20) update request { (20) EXPAND %{toupper:%{Realm}} (20) --> UNIBE.CH (20) Realm := UNIBE.CH (20) } # update request = noop (20) eap: Peer sent EAP Response (code 2) ID 7 length 136 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # if (EAP-Message) = ok (20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (20) } # authorize = updated (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) Auth-Type eap { (20) eap: Removing EAP session with state 0x1a0c7e771f0b6752 (20) eap: Previous EAP request found for state 0x1a0c7e771f0b6752, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (20) eap_peap: (TLS) EAP Got all data (126 bytes) (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (20) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (20) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (20) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (20) eap_peap: (TLS) PEAP - Connection Established (20) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) eap_peap: TLS-Session-Version = "TLS 1.2" (20) eap: Sending EAP Request (code 1) ID 8 length 57 (20) eap: EAP session adding &reply:State = 0x1a0c7e771c046752 (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> Access-Challenge (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) attr_filter.access_challenge: EXPAND %{User-Name} (20) attr_filter.access_challenge: --> anonymous@unibe.ch (20) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (20) [attr_filter.access_challenge.post-auth] = updated (20) [handled] = handled (20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (20) } # Auth-Type eap = handled (20) Using Post-Auth-Type Challenge (20) Post-Auth-Type sub-section not found. Ignoring. (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) session-state: Saving cached attributes (20) Framed-MTU = 1014 (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Sent Access-Challenge Id 167 from 130.92.10.33:1812 to 1.2.3.4:63606 length 115 (20) EAP-Message = 0x010800391900140301000101160303002869cd9549766a5c057197e758662301e6fe3808b412033491c980bcc9560e2fe6e86f4e532b875f92 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x1a0c7e771c04675279b57cf47df95d07 (20) Finished request (21) Received Access-Request Id 168 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (21) User-Name = anonymous@unibe.ch (21) Service-Type = Framed-User (21) Cisco-AVPair = "service-type=Framed" (21) Framed-MTU = 1485 (21) EAP-Message = 0x020800061900 (21) Message-Authenticator = 0x9c7f30b1e78bb9f5274c566d1a73f367 (21) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (21) Cisco-AVPair = "method=dot1x" (21) Cisco-AVPair = "client-iif-id=2818574557" (21) Cisco-AVPair = "vlan-id=1000" (21) NAS-IP-Address = 1.2.3.4 (21) NAS-Port-Id = "capwap_9000000c" (21) NAS-Port-Type = Wireless-802.11 (21) NAS-Port = 4211 (21) State = 0x1a0c7e771c04675279b57cf47df95d07 (21) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (21) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (21) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (21) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (21) Airespace-Wlan-Id = 97 (21) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (21) WLAN-Group-Cipher = 1027076 (21) WLAN-Pairwise-Cipher = 1027076 (21) WLAN-AKM-Suite = 1027075 (21) WLAN-Group-Mgmt-Cipher = 1027078 (21) Restoring &session-state (21) &session-state:Framed-MTU = 1014 (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" Waking up in 0.2 seconds. (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/freeradius/sites-enabled/default (21) authorize { (21) policy rewrite_called_station_id { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 2C-E3-8E-ED-31-E0 (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (21) } # update request = noop (21) if ("%{8}") { (21) EXPAND %{8} (21) --> eduroam (21) if ("%{8}") -> TRUE (21) if ("%{8}") { (21) update request { (21) EXPAND %{8} (21) --> eduroam (21) &Called-Station-SSID := eduroam (21) EXPAND %{Called-Station-Id}:%{8} (21) --> 2C-E3-8E-ED-31-E0:eduroam (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (21) } # update request = noop (21) } # if ("%{8}") = noop (21) [updated] = updated (21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_called_station_id = updated (21) policy rewrite_calling_station_id { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> AC-DF-A1-B1-F1-5A (21) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (21) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (21) --> AC:DF:A1:B1:F1:5A (21) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (21) } # update request = noop (21) [updated] = updated (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_calling_station_id = updated (21) if (Service-Type == Call-Check) { (21) if (Service-Type == Call-Check) -> FALSE (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = updated (21) } # policy filter_username = updated (21) suffix: Checking for suffix after "@" (21) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (21) suffix: Found realm "UNIBE.CH" (21) suffix: Adding Realm = "UNIBE.CH" (21) suffix: Authentication realm is LOCAL (21) [suffix] = ok (21) policy deny_no_realm { (21) if (User-Name && (User-Name !~ /@/)) { (21) if (User-Name && (User-Name !~ /@/)) -> FALSE (21) } # policy deny_no_realm = updated (21) update request { (21) EXPAND %{toupper:%{Realm}} (21) --> UNIBE.CH (21) Realm := UNIBE.CH (21) } # update request = noop (21) eap: Peer sent EAP Response (code 2) ID 8 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # if (EAP-Message) = ok (21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (21) } # authorize = updated (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) Auth-Type eap { (21) eap: Removing EAP session with state 0x1a0c7e771c046752 (21) eap: Previous EAP request found for state 0x1a0c7e771c046752, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state TUNNEL ESTABLISHED (21) eap: Sending EAP Request (code 1) ID 9 length 40 (21) eap: EAP session adding &reply:State = 0x1a0c7e771d056752 (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> anonymous@unibe.ch (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) Post-Auth-Type sub-section not found. Ignoring. (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) session-state: Saving cached attributes (21) Framed-MTU = 1014 (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) TLS-Session-Version = "TLS 1.2" (21) Sent Access-Challenge Id 168 from 130.92.10.33:1812 to 1.2.3.4:63606 length 98 (21) EAP-Message = 0x010900281900170303001d69cd9549766a5c065b771e1e6ad4419bc5deec9aca8c6dc933d69e4320 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x1a0c7e771d05675279b57cf47df95d07 (21) Finished request (22) Received Access-Request Id 169 from 1.2.3.4:63606 to 130.92.10.33:1812 length 516 (22) User-Name = anonymous@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Framed-MTU = 1485 (22) EAP-Message = 0x0209003c190017030300313667ef69fc720084f72dcb9c5d07674afc517dc2cee1604014c42f78dd87c1fc4dd53bf9579819c736546b1d6568257d75 (22) Message-Authenticator = 0x06ac4226a9e15764f25be4a011e74e0d (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) State = 0x1a0c7e771d05675279b57cf47df95d07 (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (22) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) Restoring &session-state (22) &session-state:Framed-MTU = 1014 (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) &session-state:TLS-Session-Version = "TLS 1.2" (22) # Executing section authorize from file /etc/freeradius/sites-enabled/default (22) authorize { (22) policy rewrite_called_station_id { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> 2C-E3-8E-ED-31-E0 (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (22) } # update request = noop (22) if ("%{8}") { (22) EXPAND %{8} (22) --> eduroam (22) if ("%{8}") -> TRUE (22) if ("%{8}") { (22) update request { (22) EXPAND %{8} (22) --> eduroam (22) &Called-Station-SSID := eduroam (22) EXPAND %{Called-Station-Id}:%{8} (22) --> 2C-E3-8E-ED-31-E0:eduroam (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (22) } # update request = noop (22) } # if ("%{8}") = noop (22) [updated] = updated (22) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_called_station_id = updated (22) policy rewrite_calling_station_id { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> AC-DF-A1-B1-F1-5A (22) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (22) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (22) --> AC:DF:A1:B1:F1:5A (22) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (22) } # update request = noop (22) [updated] = updated (22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_calling_station_id = updated (22) if (Service-Type == Call-Check) { (22) if (Service-Type == Call-Check) -> FALSE (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (EAP-Message) { (22) if (EAP-Message) -> TRUE (22) if (EAP-Message) { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = updated (22) } # policy filter_username = updated (22) suffix: Checking for suffix after "@" (22) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (22) suffix: Found realm "UNIBE.CH" (22) suffix: Adding Realm = "UNIBE.CH" (22) suffix: Authentication realm is LOCAL (22) [suffix] = ok (22) policy deny_no_realm { (22) if (User-Name && (User-Name !~ /@/)) { (22) if (User-Name && (User-Name !~ /@/)) -> FALSE (22) } # policy deny_no_realm = updated (22) update request { (22) EXPAND %{toupper:%{Realm}} (22) --> UNIBE.CH (22) Realm := UNIBE.CH (22) } # update request = noop (22) eap: Peer sent EAP Response (code 2) ID 9 length 60 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # if (EAP-Message) = ok (22) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Auth-Type eap { (22) eap: Removing EAP session with state 0x1a0c7e771d056752 (22) eap: Previous EAP request found for state 0x1a0c7e771d056752, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: (TLS) EAP Done initial handshake (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state WAITING FOR INNER IDENTITY (22) eap_peap: Identity - jon.doe@unibe.ch (22) eap_peap: Got inner identity 'jon.doe@unibe.ch' (22) eap_peap: Setting default EAP type for tunneled EAP session (22) eap_peap: Got tunneled request (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: Setting User-Name to jon.doe@unibe.ch (22) eap_peap: Sending tunneled request to proxy-inner-tunnel (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (22) eap_peap: User-Name = jon.doe@unibe.ch (22) eap_peap: Service-Type = Framed-User (22) eap_peap: Cisco-AVPair = "service-type=Framed" (22) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) eap_peap: Cisco-AVPair = "method=dot1x" (22) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (22) eap_peap: Cisco-AVPair = "vlan-id=1000" (22) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) eap_peap: Framed-MTU = 1485 (22) eap_peap: NAS-IP-Address = 1.2.3.4 (22) eap_peap: NAS-Port-Id = "capwap_9000000c" (22) eap_peap: NAS-Port-Type = Wireless-802.11 (22) eap_peap: NAS-Port = 4211 (22) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) eap_peap: Airespace-Wlan-Id = 97 (22) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) eap_peap: WLAN-Group-Cipher = 1027076 (22) eap_peap: WLAN-Pairwise-Cipher = 1027076 (22) eap_peap: WLAN-AKM-Suite = 1027075 (22) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (22) Virtual server proxy-inner-tunnel received request (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) FreeRADIUS-Proxied-To = 127.0.0.1 (22) User-Name = jon.doe@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Framed-MTU = 1485 (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) server proxy-inner-tunnel { (22) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (22) authorize { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (22) if (!NAS-Port-Type){ (22) if (!NAS-Port-Type) -> FALSE (22) update control { (22) &Proxy-To-Realm := REALM-NPS-DEV (22) } # update control = noop (22) } # authorize = noop (22) } # server proxy-inner-tunnel (22) Virtual server sending reply (22) eap_peap: Got tunneled reply code 0 (22) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (22) eap: WARNING: Tunneled session will be proxied. Not doing EAP (22) [eap] = handled (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) EXPAND Response-Packet-Type (22) --> (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (22) } # Auth-Type eap = handled (22) Starting proxy to home server 9.9.9.9 port 1812 (22) server default { (22) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (22) pre-proxy { (22) attr_filter.pre-proxy: EXPAND %{Realm} (22) attr_filter.pre-proxy: --> UNIBE.CH (22) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (22) [attr_filter.pre-proxy] = updated (22) } # pre-proxy = updated (22) } (22) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (22) Sent Access-Request Id 22 from 0.0.0.0:57225 to 9.9.9.9:1812 length 196 (22) Operator-Name := "1unibe.ch" (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) User-Name = jon.doe@unibe.ch (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Type = Wireless-802.11 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) Message-Authenticator = 0x (22) Proxy-State = 0x313639 (22) Clearing existing &reply: attributes (22) Received Access-Challenge Id 22 from 9.9.9.9:1812 to 130.92.10.33:57225 length 128 (22) Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) Proxy-State = 0x313639 (22) Session-Timeout = 60 (22) EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) server default { Waking up in 0.2 seconds. (22) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (22) post-proxy { (22) attr_filter.post-proxy: EXPAND %{Realm} (22) attr_filter.post-proxy: --> UNIBE.CH (22) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (22) [attr_filter.post-proxy] = updated (22) eap: Doing post-proxy callback (22) eap: Passing reply from proxy back into the tunnel (22) eap: Got tunneled reply RADIUS code 11 (22) eap: Tunnel-Type := VLAN (22) eap: Tunnel-Medium-Type := IEEE-802 (22) eap: Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) eap: Proxy-State = 0x313639 (22) eap: EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) eap: Got tunneled Access-Challenge (22) eap: Reply was handled (22) eap: Sending EAP Request (code 1) ID 10 length 70 (22) eap: EAP session adding &reply:State = 0x1a0c7e7712066752 (22) [eap] = ok (22) } # post-proxy = updated (22) } (22) session-state: Saving cached attributes (22) Framed-MTU = 1014 (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) TLS-Session-Version = "TLS 1.2" (22) Using Post-Auth-Type Challenge (22) Post-Auth-Type sub-section not found. Ignoring. (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Sent Access-Challenge Id 169 from 130.92.10.33:1812 to 1.2.3.4:63606 length 128 (22) EAP-Message = 0x010a00461900170303003b69cd9549766a5c07e7a533b4954f2b8a2f7d523485391d6347a7c8b129d5f82e531ee88bad59bbd4d844e6ca0cdcd6368cc58ada378c7aa1d5fb65 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0x1a0c7e771206675279b57cf47df95d07 (22) Finished request (23) Received Access-Request Id 170 from 1.2.3.4:63606 to 130.92.10.33:1812 length 570 (23) User-Name = anonymous@unibe.ch (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Framed-MTU = 1485 (23) EAP-Message = 0x020a0072190017030300673667ef69fc7200855481c10f1f4a4302825d6e8e053a95b0043c86a557ab14b7cff518ef0e171c44cf1611aa60a6c005975617ce937379fa7458eb80d9295d9eec138d40cce24f5c736bc8763e2ef3ed83500c10663e2db0027b9bccb0657050e251766881076a (23) Message-Authenticator = 0xbae882ea47144349739d08cdc2273497 (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) State = 0x1a0c7e771206675279b57cf47df95d07 (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (23) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/default (23) authorize { (23) policy rewrite_called_station_id { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> 2C-E3-8E-ED-31-E0 (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (23) } # update request = noop (23) if ("%{8}") { (23) EXPAND %{8} (23) --> eduroam (23) if ("%{8}") -> TRUE (23) if ("%{8}") { (23) update request { (23) EXPAND %{8} (23) --> eduroam (23) &Called-Station-SSID := eduroam (23) EXPAND %{Called-Station-Id}:%{8} (23) --> 2C-E3-8E-ED-31-E0:eduroam (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (23) } # update request = noop (23) } # if ("%{8}") = noop (23) [updated] = updated (23) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_called_station_id = updated (23) policy rewrite_calling_station_id { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> AC-DF-A1-B1-F1-5A (23) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (23) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (23) --> AC:DF:A1:B1:F1:5A (23) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (23) } # update request = noop (23) [updated] = updated (23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_calling_station_id = updated (23) if (Service-Type == Call-Check) { (23) if (Service-Type == Call-Check) -> FALSE (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (EAP-Message) { (23) if (EAP-Message) -> TRUE (23) if (EAP-Message) { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = updated (23) } # policy filter_username = updated (23) suffix: Checking for suffix after "@" (23) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (23) suffix: Found realm "UNIBE.CH" (23) suffix: Adding Realm = "UNIBE.CH" (23) suffix: Authentication realm is LOCAL (23) [suffix] = ok (23) policy deny_no_realm { (23) if (User-Name && (User-Name !~ /@/)) { (23) if (User-Name && (User-Name !~ /@/)) -> FALSE (23) } # policy deny_no_realm = updated (23) update request { (23) EXPAND %{toupper:%{Realm}} (23) --> UNIBE.CH (23) Realm := UNIBE.CH (23) } # update request = noop (23) eap: Peer sent EAP Response (code 2) ID 10 length 114 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # if (EAP-Message) = ok (23) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Auth-Type eap { (23) eap: Removing EAP session with state 0x1a0c7e7712066752 (23) eap: Previous EAP request found for state 0x1a0c7e7712066752, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: (TLS) EAP Done initial handshake (23) eap_peap: Session established. Decoding tunneled attributes (23) eap_peap: PEAP state phase2 (23) eap_peap: EAP method MSCHAPv2 (26) (23) eap_peap: Got tunneled request (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: Setting User-Name to jon.doe@unibe.ch (23) eap_peap: Sending tunneled request to proxy-inner-tunnel (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_peap: User-Name = jon.doe@unibe.ch (23) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap_peap: Service-Type = Framed-User (23) eap_peap: Cisco-AVPair = "service-type=Framed" (23) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) eap_peap: Cisco-AVPair = "method=dot1x" (23) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (23) eap_peap: Cisco-AVPair = "vlan-id=1000" (23) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) eap_peap: Framed-MTU = 1485 (23) eap_peap: NAS-IP-Address = 1.2.3.4 (23) eap_peap: NAS-Port-Id = "capwap_9000000c" (23) eap_peap: NAS-Port-Type = Wireless-802.11 (23) eap_peap: NAS-Port = 4211 (23) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) eap_peap: Airespace-Wlan-Id = 97 (23) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) eap_peap: WLAN-Group-Cipher = 1027076 (23) eap_peap: WLAN-Pairwise-Cipher = 1027076 (23) eap_peap: WLAN-AKM-Suite = 1027075 (23) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (23) Virtual server proxy-inner-tunnel received request (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Framed-MTU = 1485 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) server proxy-inner-tunnel { (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (23) authorize { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (23) if (!NAS-Port-Type){ (23) if (!NAS-Port-Type) -> FALSE (23) update control { (23) &Proxy-To-Realm := REALM-NPS-DEV (23) } # update control = noop (23) } # authorize = noop (23) } # server proxy-inner-tunnel (23) Virtual server sending reply (23) eap_peap: Got tunneled reply code 0 (23) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (23) eap: WARNING: Tunneled session will be proxied. Not doing EAP (23) [eap] = handled (23) if (handled && (Response-Packet-Type == Access-Challenge)) { (23) EXPAND Response-Packet-Type (23) --> (23) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (23) } # Auth-Type eap = handled (23) Starting proxy to home server 9.9.9.9 port 1812 (23) server default { (23) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (23) pre-proxy { (23) attr_filter.pre-proxy: EXPAND %{Realm} (23) attr_filter.pre-proxy: --> UNIBE.CH (23) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (23) [attr_filter.pre-proxy] = updated (23) } # pre-proxy = updated (23) } (23) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (23) Sent Access-Request Id 23 from 0.0.0.0:57225 to 9.9.9.9:1812 length 288 (23) Operator-Name := "1unibe.ch" (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Type = Wireless-802.11 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) Message-Authenticator = 0x (23) Proxy-State = 0x313730 (23) Clearing existing &reply: attributes (23) Received Access-Challenge Id 23 from 9.9.9.9:1812 to 130.92.10.33:57225 length 140 (23) Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) Proxy-State = 0x313730 (23) Session-Timeout = 60 (23) EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) server default { (23) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (23) post-proxy { (23) attr_filter.post-proxy: EXPAND %{Realm} (23) attr_filter.post-proxy: --> UNIBE.CH (23) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (23) [attr_filter.post-proxy] = updated (23) eap: Doing post-proxy callback (23) eap: Passing reply from proxy back into the tunnel (23) eap: Got tunneled reply RADIUS code 11 (23) eap: Tunnel-Type := VLAN (23) eap: Tunnel-Medium-Type := IEEE-802 (23) eap: Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) eap: Proxy-State = 0x313730 (23) eap: EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap: Got tunneled Access-Challenge (23) eap: Reply was handled (23) eap: Sending EAP Request (code 1) ID 11 length 82 (23) eap: EAP session adding &reply:State = 0x1a0c7e7713076752 (23) [eap] = ok (23) } # post-proxy = updated (23) } (23) Using Post-Auth-Type Challenge (23) Post-Auth-Type sub-section not found. Ignoring. (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Sent Access-Challenge Id 170 from 130.92.10.33:1812 to 1.2.3.4:63606 length 140 (23) EAP-Message = 0x010b00521900170303004769cd9549766a5c08877f9dcc3d5bbb0c7718563cf3286f690c07a08da31ea6540f21eb3c1933d7d92dbe22551b18a7d5e2cbf116856b2a68d3fff389ebdb8926e8d42e50522ca4 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0x1a0c7e771307675279b57cf47df95d07 (23) Finished request (24) Received Access-Request Id 171 from 1.2.3.4:63606 to 130.92.10.33:1812 length 493 (24) User-Name = anonymous@unibe.ch (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Framed-MTU = 1485 (24) EAP-Message = 0x020b00251900170303001a3667ef69fc7200864f7f9410f449a59651d6a1975df235030608 (24) Message-Authenticator = 0x9b70bdd088abd8b737cf77c71d3ba2c0 (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) State = 0x1a0c7e771307675279b57cf47df95d07 (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (24) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/default (24) authorize { (24) policy rewrite_called_station_id { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> 2C-E3-8E-ED-31-E0 (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (24) } # update request = noop (24) if ("%{8}") { (24) EXPAND %{8} (24) --> eduroam (24) if ("%{8}") -> TRUE (24) if ("%{8}") { (24) update request { (24) EXPAND %{8} (24) --> eduroam (24) &Called-Station-SSID := eduroam (24) EXPAND %{Called-Station-Id}:%{8} (24) --> 2C-E3-8E-ED-31-E0:eduroam (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (24) } # update request = noop (24) } # if ("%{8}") = noop (24) [updated] = updated (24) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_called_station_id = updated (24) policy rewrite_calling_station_id { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> AC-DF-A1-B1-F1-5A (24) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (24) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (24) --> AC:DF:A1:B1:F1:5A (24) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (24) } # update request = noop (24) [updated] = updated (24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_calling_station_id = updated (24) if (Service-Type == Call-Check) { (24) if (Service-Type == Call-Check) -> FALSE (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (EAP-Message) { (24) if (EAP-Message) -> TRUE (24) if (EAP-Message) { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = updated (24) } # policy filter_username = updated (24) suffix: Checking for suffix after "@" (24) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (24) suffix: Found realm "UNIBE.CH" (24) suffix: Adding Realm = "UNIBE.CH" (24) suffix: Authentication realm is LOCAL (24) [suffix] = ok (24) policy deny_no_realm { (24) if (User-Name && (User-Name !~ /@/)) { (24) if (User-Name && (User-Name !~ /@/)) -> FALSE (24) } # policy deny_no_realm = updated (24) update request { (24) EXPAND %{toupper:%{Realm}} (24) --> UNIBE.CH (24) Realm := UNIBE.CH (24) } # update request = noop (24) eap: Peer sent EAP Response (code 2) ID 11 length 37 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # if (EAP-Message) = ok (24) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Auth-Type eap { (24) eap: Removing EAP session with state 0x1a0c7e7713076752 (24) eap: Previous EAP request found for state 0x1a0c7e7713076752, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: (TLS) EAP Done initial handshake (24) eap_peap: Session established. Decoding tunneled attributes (24) eap_peap: PEAP state phase2 (24) eap_peap: EAP method MSCHAPv2 (26) (24) eap_peap: Got tunneled request (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: Setting User-Name to jon.doe@unibe.ch (24) eap_peap: Sending tunneled request to proxy-inner-tunnel (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (24) eap_peap: User-Name = jon.doe@unibe.ch (24) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) eap_peap: Service-Type = Framed-User (24) eap_peap: Cisco-AVPair = "service-type=Framed" (24) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) eap_peap: Cisco-AVPair = "method=dot1x" (24) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (24) eap_peap: Cisco-AVPair = "vlan-id=1000" (24) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) eap_peap: Framed-MTU = 1485 (24) eap_peap: NAS-IP-Address = 1.2.3.4 (24) eap_peap: NAS-Port-Id = "capwap_9000000c" (24) eap_peap: NAS-Port-Type = Wireless-802.11 (24) eap_peap: NAS-Port = 4211 (24) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) eap_peap: Airespace-Wlan-Id = 97 (24) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) eap_peap: WLAN-Group-Cipher = 1027076 (24) eap_peap: WLAN-Pairwise-Cipher = 1027076 (24) eap_peap: WLAN-AKM-Suite = 1027075 (24) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (24) Virtual server proxy-inner-tunnel received request (24) EAP-Message = 0x020b00061a03 (24) FreeRADIUS-Proxied-To = 127.0.0.1 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Framed-MTU = 1485 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) server proxy-inner-tunnel { (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (24) authorize { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (24) if (!NAS-Port-Type){ (24) if (!NAS-Port-Type) -> FALSE (24) update control { (24) &Proxy-To-Realm := REALM-NPS-DEV (24) } # update control = noop (24) } # authorize = noop (24) } # server proxy-inner-tunnel (24) Virtual server sending reply (24) eap_peap: Got tunneled reply code 0 (24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (24) eap: WARNING: Tunneled session will be proxied. Not doing EAP (24) [eap] = handled (24) if (handled && (Response-Packet-Type == Access-Challenge)) { (24) EXPAND Response-Packet-Type (24) --> (24) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (24) } # Auth-Type eap = handled (24) Starting proxy to home server 9.9.9.9 port 1812 (24) server default { (24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (24) pre-proxy { (24) attr_filter.pre-proxy: EXPAND %{Realm} (24) attr_filter.pre-proxy: --> UNIBE.CH (24) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (24) [attr_filter.pre-proxy] = updated (24) } # pre-proxy = updated (24) } (24) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (24) Sent Access-Request Id 24 from 0.0.0.0:57225 to 9.9.9.9:1812 length 211 (24) Operator-Name := "1unibe.ch" (24) EAP-Message = 0x020b00061a03 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Type = Wireless-802.11 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) Message-Authenticator = 0x (24) Proxy-State = 0x313731 Thread 3 waiting to be assigned a request Waking up in 0.1 seconds. Thread 5 got semaphore Thread 5 handling request 24, (7 handled so far) (24) Clearing existing &reply: attributes (24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289 (24) Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) Proxy-State = 0x313731 (24) Class = 0x7374616666 (24) Filter-Id = "staff" (24) Framed-Protocol = PPP (24) Service-Type = Framed-User (24) Tunnel-Medium-Type:0 = IEEE-802 (24) Tunnel-Private-Group-Id:0 = "2000" (24) Tunnel-Type:0 = VLAN (24) EAP-Message = 0x030b0004 (24) Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) MS-CHAP-Domain = "\001CAMPUS" (24) MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) MS-CHAP2-Success = 0x01533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (24) server default { (24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (24) post-proxy { (24) attr_filter.post-proxy: EXPAND %{Realm} (24) attr_filter.post-proxy: --> UNIBE.CH (24) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (24) [attr_filter.post-proxy] = updated (24) eap: Doing post-proxy callback (24) eap: Passing reply from proxy back into the tunnel (24) eap: Got tunneled reply RADIUS code 2 (24) eap: Tunnel-Type := VLAN (24) eap: Tunnel-Medium-Type := IEEE-802 (24) eap: Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) eap: Proxy-State = 0x313731 (24) eap: Class = 0x7374616666 (24) eap: Filter-Id = "staff" (24) eap: Tunnel-Private-Group-Id:0 = "2000" (24) eap: EAP-Message = 0x030b0004 (24) eap: Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) eap: MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) eap: MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) eap: Tunneled authentication was successful (24) eap: SUCCESS (24) eap: Saving tunneled attributes for later (24) eap: Reply was handled (24) eap: Sending EAP Request (code 1) ID 12 length 46 (24) eap: EAP session adding &reply:State = 0x1a0c7e7710006752 (24) [eap] = ok (24) } # post-proxy = updated (24) } (24) Using Post-Auth-Type Challenge (24) Post-Auth-Type sub-section not found. Ignoring. (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104 (24) EAP-Message = 0x010c002e1900170303002369cd9549766a5c096f1e1c66977ad4a91fd857608710d39bf55e09ca568c703d98ec8f (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0x1a0c7e771000675279b57cf47df95d07 (24) Finished request