rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=1, length=269 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x2bafb9882f81a08ccbabe59552860502 EAP-Message = 0x022e003b190017030100301b1d23ec7c475712d321906f4554221342046b9a27e55d492f8c10dea2219313ade73651fa364deeee474afd66e9f164 Message-Authenticator = 0x2bea7562c96aa353a523691a3d75a516 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 46 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - as1558@york.ac.uk [peap] Got inner identity 'as1558@york.ac.uk' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x022e00160161733135353840796f726b2e61632e756b server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x022e00160161733135353840796f726b2e61632e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 46 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:28:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x012f002b1a012f00261056b62cb396094f2329e845c3b9805f2f61733135353840796f726b2e61632e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b8cf8991ba3e25bc093f700b9ee0014 [peap] Got tunneled reply RADIUS code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x012f002b1a012f00261056b62cb396094f2329e845c3b9805f2f61733135353840796f726b2e61632e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b8cf8991ba3e25bc093f700b9ee0014 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 144.32.226.191 port 4747 EAP-Message = 0x012f004b19001703010040e132dc323bb9c460cde3050b7928af25f7076fae9fd7fb2d550ee9e2816c03e14238ade63d6c50b102b3712c13b79dfbe231ea56592256619c5b0ef6627d181c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2bafb9882e80a08ccbabe59552860502 Finished request 46. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=2, length=317 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x2bafb9882e80a08ccbabe59552860502 EAP-Message = 0x022f006b190017030100609e932e1c7da1c2691bc078c2de3c6a757c3c58828bb00dc8613c6f284cd574de31a9a08207d6cdbc9aa1582106fd15bfbbe8b9373130126daa9ff54679dedc053f99812c6ef963f2718779822e4ba6e61cb9e009833447ad2e3ff7de9772ef3e Message-Authenticator = 0xc7fd713f7c11dc2f6b230ea2c9e525e0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 47 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x022f004c1a022f0047318bbd37db855f75f61eb0b1055a2e0d480000000000000000f072273b36e92291ff335f2813dae99991aababe1c9a1bf90061733135353840796f726b2e61632e756b server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x022f004c1a022f0047318bbd37db855f75f61eb0b1055a2e0d480000000000000000f072273b36e92291ff335f2813dae99991aababe1c9a1bf90061733135353840796f726b2e61632e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" State = 0x1b8cf8991ba3e25bc093f700b9ee0014 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 47 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:28:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) [mschapv2] ?? Evaluating (EAP-Type == 1) -> FALSE [mschapv2] ?? Evaluating (EAP-Message =~ /^0x02..00061a..$/) -> FALSE [mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) -> FALSE [mschapv2] ++- entering else else {...} [mschap] Creating challenge hash with username: as1558@york.ac.uk [mschap] Client is using MS-CHAPv2 for as1558@york.ac.uk, we need NT-Password [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ITS.YORK.AC.UK} -> --domain=ITS.YORK.AC.UK [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=as1558 [mschap] Creating challenge hash with username: as1558@york.ac.uk [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=613397158d4b0df7 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f072273b36e92291ff335f2813dae99991aababe1c9a1bf9 Exec-Program output: NT_KEY: 49505FEEF88C08EB15376B7B4313BF9A Exec-Program-Wait: plaintext: NT_KEY: 49505FEEF88C08EB15376B7B4313BF9A Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys +++[mschap] returns ok +++? if (reject) ? Evaluating (reject) -> FALSE +++? if (reject) -> FALSE ++- else else returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x013000331a032f002e533d43424132424641434641423731334646433942393335333641343943423844303836333345453531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b8cf8991abce25bc093f700b9ee0014 [peap] Got tunneled reply RADIUS code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x013000331a032f002e533d43424132424641434641423731334646433942393335333641343943423844303836333345453531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b8cf8991abce25bc093f700b9ee0014 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 144.32.226.191 port 4747 EAP-Message = 0x0130005b19001703010050157eed983a613178b48a60f2bd83a0f42e816b01ad4867a91ce3de454ec005020035d619ecb241dfbb47047d55a47937fe86f669a4fb950c6f413969554ddbfd75bbec618192dad325b6ba408abe05c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2bafb9882d9fa08ccbabe59552860502 Finished request 47. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=3, length=253 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x2bafb9882d9fa08ccbabe59552860502 EAP-Message = 0x0230002b190017030100209006aff20d8cf6ac65e27aae6e331896628a4a364f08d7be137235646c46ce3d Message-Authenticator = 0x24b76ef8188b5e3f6594976fbdf3b486 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 48 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x023000061a03 server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x023000061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" State = 0x1b8cf8991abce25bc093f700b9ee0014 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 48 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:28:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [as1558@york.ac.uk] (from client xb1sw1 port 29 cli 40-6c-8f-58-fd-89 via TLS tunnel) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} expand: %{User-Name} -> as1558@york.ac.uk ++[reply] returns noop [sql_log] Processing sql_log_postauth [sql_log] expand: %{Stripped-User-Name} -> as1558 [sql_log] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> as1558 [sql_log] sql_set_user escaped user --> 'as1558' [sql_log] expand: INSERT INTO radpostauth (username,reply, authdate, radiusserverip, radiusserver, sessiontimeout, yorkauthtype, yorkauthdevice, yorkcallingstationid, yorkvlan, yorkauthdeviceport) VALUES ( '%{SQL-User-Name}','%{reply:Packet-Type}','%S', '144.32.126.139', INET_ATON('144.32.126.139'), '%{reply:Session-Timeout}', '%{reply:York-Auth-Type}','%{reply:York-Auth-Device}', UPPER('%{reply:York-Calling-Station-Id}'),'%{reply:Tunnel-Private-Group-ID}' ,'%{reply:York-Auth-Device-Port}'); -> INSERT INTO radpostauth (username,reply, authdate, radiusserverip, radiusserver, sessiontimeout, yorkauthtype, yorkauthdevice, yorkcallingstationid, yorkvlan, yorkauthdeviceport) VALUES ( 'as1558','Access-Accept','2013-03-13 11:28:14', '144.32.126.139', INET_ATON('144.32.126.139'), '', 'dot1x','xb1sw1', UPPER('40-6c-8f-58-fd-89'),'' ,'29'); [sql_log] expand: /var/log/freeradius/radacct/sql-relay -> /var/log/freeradius/radacct/sql-relay ++[sql_log] returns ok [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:28:14 2013 ++[reply_log] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x5ac089adb00a0265080d1767d25d498b MS-MPPE-Recv-Key = 0x6ea726f64612cf473c8c7b42b3836a8f EAP-Message = 0x03300004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "as1558@york.ac.uk" [peap] Got tunneled reply RADIUS code 2 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x5ac089adb00a0265080d1767d25d498b MS-MPPE-Recv-Key = 0x6ea726f64612cf473c8c7b42b3836a8f EAP-Message = 0x03300004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "as1558@york.ac.uk" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 3 to 144.32.226.191 port 4747 EAP-Message = 0x0131002b190017030100202c573649472782354adaacf5e7e5d1c4f97bd4ca783c6b42dd7e24da83540829 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2bafb9882c9ea08ccbabe59552860502 Finished request 48. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=4, length=253 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x2bafb9882c9ea08ccbabe59552860502 EAP-Message = 0x0231002b19001703010020ba93082e374875aab7ebb2096397f017a9c7514778ce96a983afa374a49f9270 Message-Authenticator = 0x2b0c63e0a93d31ad3a3e8f4d6e7d0e12 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE