Ready to process requests (0) Received Access-Request Id 227 from 10.2.103.4:40014 to 10.2.103.8:1812 length 158 (0) User-Name = "pierre" (0) NAS-Identifier = "44d9e7fc21c1" (0) NAS-Port = 0 (0) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (0) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02cf000b01706965727265 (0) Message-Authenticator = 0x1ff9a6a599dadec46b7d48157c55dd3b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 56-D9-E7-FE-21-C1 (0) &Called-Station-Id := 56-D9-E7-FE-21-C1 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> rad01 (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> rad01 (0) &Called-Station-SSID := rad01 (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) if (&Called-Station-SSID == "rad01") { (0) if (&Called-Station-SSID == "rad01") -> TRUE (0) if (&Called-Station-SSID == "rad01") { (0) update request { (0) NTLM-Group-Required := "GALAXY\rad01" (0) User-Name := "pierre" (0) } # update request = noop (0) } # if (&Called-Station-SSID == "rad01") = noop (0) ... skipping elsif: Preceding "if" was taken (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "pierre", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 207 length 11 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 208 length 6 (0) eap: EAP session adding &reply:State = 0xb35f3ca7b38f259c (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Sent Access-Challenge Id 227 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (0) EAP-Message = 0x01d000061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xb35f3ca7b38f259c2c1a966e4e8d8fb9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 228 from 10.2.103.4:40014 to 10.2.103.8:1812 length 333 (1) User-Name = "pierre" (1) NAS-Identifier = "44d9e7fc21c1" (1) NAS-Port = 0 (1) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (1) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x02d000a819800000009e16030100990100009503038732e549c9cb2ba64d9daf9fb679fd3a4cdcb07930744efd664f513dd3900e4e00003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000 (1) State = 0xb35f3ca7b38f259c2c1a966e4e8d8fb9 (1) Message-Authenticator = 0xdb5dc55b8e7445e26d2fb9693d4dbc54 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 56-D9-E7-FE-21-C1 (1) &Called-Station-Id := 56-D9-E7-FE-21-C1 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> rad01 (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> rad01 (1) &Called-Station-SSID := rad01 (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) if (&Called-Station-SSID == "rad01") { (1) if (&Called-Station-SSID == "rad01") -> TRUE (1) if (&Called-Station-SSID == "rad01") { (1) update request { (1) NTLM-Group-Required := "GALAXY\rad01" (1) User-Name := "pierre" (1) } # update request = noop (1) } # if (&Called-Station-SSID == "rad01") = noop (1) ... skipping elsif: Preceding "if" was taken (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "pierre", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 208 length 168 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xb35f3ca7b38f259c (1) eap: Finished EAP session with state 0xb35f3ca7b38f259c (1) eap: Previous EAP request found for state 0xb35f3ca7b38f259c, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 158 bytes (1) eap_peap: Got complete TLS record (158 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.2 [length 0099] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0059] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 08d3] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 209 length 1004 (1) eap: EAP session adding &reply:State = 0xb35f3ca7b28e259c (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Sent Access-Challenge Id 228 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (1) EAP-Message = 0x01d103ec19c000000a9116030300590200005503032747dfd00ab4276a30db125f86919e2eeeca73193f140276200b3c4410da807b208b28f44d19a58e3ffeff69974ef14fa5e334ee8105936640efadc616e989ec09c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xb35f3ca7b28e259c2c1a966e4e8d8fb9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 229 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171 (2) User-Name = "pierre" (2) NAS-Identifier = "44d9e7fc21c1" (2) NAS-Port = 0 (2) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (2) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x02d100061900 (2) State = 0xb35f3ca7b28e259c2c1a966e4e8d8fb9 (2) Message-Authenticator = 0xab46f30e16a4884c6ea6cf1b064a1896 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 56-D9-E7-FE-21-C1 (2) &Called-Station-Id := 56-D9-E7-FE-21-C1 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> rad01 (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> rad01 (2) &Called-Station-SSID := rad01 (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) if (&Called-Station-SSID == "rad01") { (2) if (&Called-Station-SSID == "rad01") -> TRUE (2) if (&Called-Station-SSID == "rad01") { (2) update request { (2) NTLM-Group-Required := "GALAXY\rad01" (2) User-Name := "pierre" (2) } # update request = noop (2) } # if (&Called-Station-SSID == "rad01") = noop (2) ... skipping elsif: Preceding "if" was taken (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "pierre", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 209 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xb35f3ca7b28e259c (2) eap: Finished EAP session with state 0xb35f3ca7b28e259c (2) eap: Previous EAP request found for state 0xb35f3ca7b28e259c, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 210 length 1000 (2) eap: EAP session adding &reply:State = 0xb35f3ca7b18d259c (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Sent Access-Challenge Id 229 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (2) EAP-Message = 0x01d203e8194032fb76abbff22167647943d7bad0c4180db5579da5942956cdf7c83f3d5c3d0a5b5f750a5d2254f6258d6675ad2a4fcbc9878d6e09aa89edd155a681a4c446addfc0753ef0de32a89a9eb4a0d45dc24a95bf6e1feeb45cc516dabb148b0464a12f827fc9efc390d5310004e8308204e430 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xb35f3ca7b18d259c2c1a966e4e8d8fb9 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 230 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171 (3) User-Name = "pierre" (3) NAS-Identifier = "44d9e7fc21c1" (3) NAS-Port = 0 (3) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (3) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02d200061900 (3) State = 0xb35f3ca7b18d259c2c1a966e4e8d8fb9 (3) Message-Authenticator = 0x0df761451bd09c38e82561bc114d295b (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 56-D9-E7-FE-21-C1 (3) &Called-Station-Id := 56-D9-E7-FE-21-C1 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> rad01 (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> rad01 (3) &Called-Station-SSID := rad01 (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) if (&Called-Station-SSID == "rad01") { (3) if (&Called-Station-SSID == "rad01") -> TRUE (3) if (&Called-Station-SSID == "rad01") { (3) update request { (3) NTLM-Group-Required := "GALAXY\rad01" (3) User-Name := "pierre" (3) } # update request = noop (3) } # if (&Called-Station-SSID == "rad01") = noop (3) ... skipping elsif: Preceding "if" was taken (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "pierre", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 210 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xb35f3ca7b18d259c (3) eap: Finished EAP session with state 0xb35f3ca7b18d259c (3) eap: Previous EAP request found for state 0xb35f3ca7b18d259c, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 211 length 723 (3) eap: EAP session adding &reply:State = 0xb35f3ca7b08c259c (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Sent Access-Challenge Id 230 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (3) EAP-Message = 0x01d302d3190020417574686f72697479820900b4d7ec4991844547300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xb35f3ca7b08c259c2c1a966e4e8d8fb9 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 231 from 10.2.103.4:40014 to 10.2.103.8:1812 length 301 (4) User-Name = "pierre" (4) NAS-Identifier = "44d9e7fc21c1" (4) NAS-Port = 0 (4) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (4) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x02d3008819800000007e1603030046100000424104b38da94cf6b538e9a702d09a9dd9c42911885a7b8804d36b4acbbf4859c6741dd7cfda9e5c613511218ac6bd51309bfb4b8537b991be1d93bc3ab4a448db0d7f140303000101160303002800000000000000009fb82bcc00778730b2a3d352604c27 (4) State = 0xb35f3ca7b08c259c2c1a966e4e8d8fb9 (4) Message-Authenticator = 0x22d199b5de9b5599dbcceeb450b56113 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 56-D9-E7-FE-21-C1 (4) &Called-Station-Id := 56-D9-E7-FE-21-C1 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> rad01 (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> rad01 (4) &Called-Station-SSID := rad01 (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) if (&Called-Station-SSID == "rad01") { (4) if (&Called-Station-SSID == "rad01") -> TRUE (4) if (&Called-Station-SSID == "rad01") { (4) update request { (4) NTLM-Group-Required := "GALAXY\rad01" (4) User-Name := "pierre" (4) } # update request = noop (4) } # if (&Called-Station-SSID == "rad01") = noop (4) ... skipping elsif: Preceding "if" was taken (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "pierre", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 211 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xb35f3ca7b08c259c (4) eap: Finished EAP session with state 0xb35f3ca7b08c259c (4) eap: Previous EAP request found for state 0xb35f3ca7b08c259c, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: <<< recv TLS 1.2 [length 0001] (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 212 length 57 (4) eap: EAP session adding &reply:State = 0xb35f3ca7b78b259c (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Sent Access-Challenge Id 231 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (4) EAP-Message = 0x01d4003919001403030001011603030028504d2dbb5c7fcbb8baf8b6de136307521de9e7c9a3ec098cf81fc4e7a952135397a86fd8da77edd6 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xb35f3ca7b78b259c2c1a966e4e8d8fb9 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 232 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171 (5) User-Name = "pierre" (5) NAS-Identifier = "44d9e7fc21c1" (5) NAS-Port = 0 (5) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (5) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x02d400061900 (5) State = 0xb35f3ca7b78b259c2c1a966e4e8d8fb9 (5) Message-Authenticator = 0xf59cebeaa4fbb32b1b887ae960bbe4be (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 56-D9-E7-FE-21-C1 (5) &Called-Station-Id := 56-D9-E7-FE-21-C1 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> rad01 (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> rad01 (5) &Called-Station-SSID := rad01 (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) if (&Called-Station-SSID == "rad01") { (5) if (&Called-Station-SSID == "rad01") -> TRUE (5) if (&Called-Station-SSID == "rad01") { (5) update request { (5) NTLM-Group-Required := "GALAXY\rad01" (5) User-Name := "pierre" (5) } # update request = noop (5) } # if (&Called-Station-SSID == "rad01") = noop (5) ... skipping elsif: Preceding "if" was taken (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "pierre", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 212 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xb35f3ca7b78b259c (5) eap: Finished EAP session with state 0xb35f3ca7b78b259c (5) eap: Previous EAP request found for state 0xb35f3ca7b78b259c, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 213 length 40 (5) eap: EAP session adding &reply:State = 0xb35f3ca7b68a259c (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Sent Access-Challenge Id 232 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (5) EAP-Message = 0x01d500281900170303001d504d2dbb5c7fcbb9f7ff8f8e63a463592487f851520beba2e2b38792be (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xb35f3ca7b68a259c2c1a966e4e8d8fb9 (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 233 from 10.2.103.4:40014 to 10.2.103.8:1812 length 207 (6) User-Name = "pierre" (6) NAS-Identifier = "44d9e7fc21c1" (6) NAS-Port = 0 (6) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (6) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x02d5002a1900170303001f00000000000000011b13f5e2b9c4536d5e2345c972295ba64e13ef659e9962 (6) State = 0xb35f3ca7b68a259c2c1a966e4e8d8fb9 (6) Message-Authenticator = 0x4efe9ecef83e2f675000776d422c7e81 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 56-D9-E7-FE-21-C1 (6) &Called-Station-Id := 56-D9-E7-FE-21-C1 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> rad01 (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> rad01 (6) &Called-Station-SSID := rad01 (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) if (&Called-Station-SSID == "rad01") { (6) if (&Called-Station-SSID == "rad01") -> TRUE (6) if (&Called-Station-SSID == "rad01") { (6) update request { (6) NTLM-Group-Required := "GALAXY\rad01" (6) User-Name := "pierre" (6) } # update request = noop (6) } # if (&Called-Station-SSID == "rad01") = noop (6) ... skipping elsif: Preceding "if" was taken (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "pierre", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 213 length 42 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xb35f3ca7b68a259c (6) eap: Finished EAP session with state 0xb35f3ca7b68a259c (6) eap: Previous EAP request found for state 0xb35f3ca7b68a259c, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - pierre (6) eap_peap: Got inner identity 'pierre' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x02d5000b01706965727265 (6) eap_peap: Setting User-Name to pierre (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x02d5000b01706965727265 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "pierre" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02d5000b01706965727265 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "pierre" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy rewrite_called_station_id = noop (6) if (&Called-Station-SSID == "rad01") { (6) ERROR: Failed retrieving values required to evaluate condition (6) elsif (%Called-Station-SSID == "RAD02") { (6) elsif (%Called-Station-SSID == "RAD02") -> FALSE (6) else { (6) update request { (6) NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" (6) } # update request = noop (6) } # else = noop (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "pierre", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 213 length 11 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 214 length 43 (6) eap: EAP session adding &reply:State = 0xbd54a3aabd82b9f3 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xbd54a3aabd82b9f3309aeb04bc239791 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xbd54a3aabd82b9f3309aeb04bc239791 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xbd54a3aabd82b9f3309aeb04bc239791 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 214 length 74 (6) eap: EAP session adding &reply:State = 0xb35f3ca7b589259c (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Sent Access-Challenge Id 233 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (6) EAP-Message = 0x01d6004a1900170303003f504d2dbb5c7fcbba03101f4ae013daecee83a3de971bdc706fdb3aca12772f98e15a5590649295556cc5c8cdc69ca64ff7d002ef2f97ee6091008d8bb84699 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xb35f3ca7b589259c2c1a966e4e8d8fb9 (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 234 from 10.2.103.4:40014 to 10.2.103.8:1812 length 261 (7) User-Name = "pierre" (7) NAS-Identifier = "44d9e7fc21c1" (7) NAS-Port = 0 (7) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (7) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x02d600601900170303005500000000000000028e87cb590a701b47746c8016ce47b7f86b1fe6a45bc3acdcb316e82907eef552f0b955864689b57252686b22225ee49e5c8e8cb3402b58cea5ec49062bddcdc67d327e856106545e7af64dda90 (7) State = 0xb35f3ca7b589259c2c1a966e4e8d8fb9 (7) Message-Authenticator = 0x0573cf6c301fbbb191e4f3aefd62a2f8 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 56-D9-E7-FE-21-C1 (7) &Called-Station-Id := 56-D9-E7-FE-21-C1 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> rad01 (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> rad01 (7) &Called-Station-SSID := rad01 (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) if (&Called-Station-SSID == "rad01") { (7) if (&Called-Station-SSID == "rad01") -> TRUE (7) if (&Called-Station-SSID == "rad01") { (7) update request { (7) NTLM-Group-Required := "GALAXY\rad01" (7) User-Name := "pierre" (7) } # update request = noop (7) } # if (&Called-Station-SSID == "rad01") = noop (7) ... skipping elsif: Preceding "if" was taken (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "pierre", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 214 length 96 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xbd54a3aabd82b9f3 (7) eap: Finished EAP session with state 0xb35f3ca7b589259c (7) eap: Previous EAP request found for state 0xb35f3ca7b589259c, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265 (7) eap_peap: Setting User-Name to pierre (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "pierre" (7) eap_peap: State = 0xbd54a3aabd82b9f3309aeb04bc239791 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "pierre" (7) State = 0xbd54a3aabd82b9f3309aeb04bc239791 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy rewrite_called_station_id = noop (7) if (&Called-Station-SSID == "rad01") { (7) ERROR: Failed retrieving values required to evaluate condition (7) elsif (%Called-Station-SSID == "RAD02") { (7) elsif (%Called-Station-SSID == "RAD02") -> FALSE (7) else { (7) update request { (7) NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" (7) } # update request = noop (7) } # else = noop (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "pierre", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 214 length 65 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xbd54a3aabd82b9f3 (7) eap: Finished EAP session with state 0xbd54a3aabd82b9f3 (7) eap: Previous EAP request found for state 0xbd54a3aabd82b9f3, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Creating challenge hash with username: pierre (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --require-membership-of=%{NTLM-Group-Required} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --require-membership-of=%{NTLM-Group-Required} (7) mschap: --> --require-membership-of=S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387 (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=pierre (7) mschap: ERROR: No NT-Domain was found in the User-Name (7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} (7) mschap: --> --domain=GALAXY.PRIV (7) mschap: Creating challenge hash with username: pierre (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=a5aace215cfd7042 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=654bb73f2e49fdb82e96e89138933e449f612efb76875d29 (7) mschap: ERROR: Program returned code (1) and output 'Unexpected information received (0xc000000d)' (7) mschap: External script failed (7) mschap: ERROR: External script says: Unexpected information received (0xc000000d) (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 214 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Login incorrect (Failed retrieving values required to evaluate condition): [pierre/] (from client Galaxy.priv port 0 via TLS tunnel) (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> pierre (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'Failed retrieving values required to evaluate condition' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed" (7) EAP-Message = 0x04d60004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed" (7) eap_peap: EAP-Message = 0x04d60004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed" (7) eap_peap: EAP-Message = 0x04d60004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 215 length 46 (7) eap: EAP session adding &reply:State = 0xb35f3ca7b488259c (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) session-state: Saving cached attributes (7) Module-Failure-Message := "Failed retrieving values required to evaluate condition" (7) Sent Access-Challenge Id 234 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0 (7) EAP-Message = 0x01d7002e19001703030023504d2dbb5c7fcbbbc5469324f1a95f9ea55a2fce82dea2e00473109a28619661ae8222 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb35f3ca7b488259c2c1a966e4e8d8fb9 (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 235 from 10.2.103.4:40014 to 10.2.103.8:1812 length 211 (8) User-Name = "pierre" (8) NAS-Identifier = "44d9e7fc21c1" (8) NAS-Port = 0 (8) Called-Station-Id = "56-D9-E7-FE-21-C1:rad01" (8) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x02d7002e19001703030023000000000000000320b22f60170206a92ede96e61c35df8cb165876aa4f581edad7701 (8) State = 0xb35f3ca7b488259c2c1a966e4e8d8fb9 (8) Message-Authenticator = 0xe4f48714798068aa684811266a444df0 (8) Restoring &session-state (8) &session-state:Module-Failure-Message := "Failed retrieving values required to evaluate condition" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 56-D9-E7-FE-21-C1 (8) &Called-Station-Id := 56-D9-E7-FE-21-C1 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> rad01 (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> rad01 (8) &Called-Station-SSID := rad01 (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) if (&Called-Station-SSID == "rad01") { (8) if (&Called-Station-SSID == "rad01") -> TRUE (8) if (&Called-Station-SSID == "rad01") { (8) update request { (8) NTLM-Group-Required := "GALAXY\rad01" (8) User-Name := "pierre" (8) } # update request = noop (8) } # if (&Called-Station-SSID == "rad01") = noop (8) ... skipping elsif: Preceding "if" was taken (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "pierre", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 215 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb35f3ca7b488259c (8) eap: Finished EAP session with state 0xb35f3ca7b488259c (8) eap: Previous EAP request found for state 0xb35f3ca7b488259c, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 215 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [pierre/] (from client Galaxy.priv port 0 cli C0-EE-FB-4B-FA-10) (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> pierre (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 235 from 10.2.103.8:1812 to 10.2.103.4:40014 length 44 (8) EAP-Message = 0x04d70004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 227 with timestamp +5 (1) Cleaning up request packet ID 228 with timestamp +5 (2) Cleaning up request packet ID 229 with timestamp +5 (3) Cleaning up request packet ID 230 with timestamp +5 (4) Cleaning up request packet ID 231 with timestamp +5 (5) Cleaning up request packet ID 232 with timestamp +5 (6) Cleaning up request packet ID 233 with timestamp +5 (7) Cleaning up request packet ID 234 with timestamp +5 (8) Cleaning up request packet ID 235 with timestamp +5 Ready to process requests