rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=11, length=208 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x023300100140796f726b2e61632e756b Message-Authenticator = 0x27783cac9b4dacba6125f11078f4589c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 51 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if ("%{reply:Reply-Message}" == "quarantined") expand: %{reply:Reply-Message} -> ? Evaluating ("%{reply:Reply-Message}" == "quarantined") -> FALSE ++? if ("%{reply:Reply-Message}" == "quarantined") -> FALSE ++? if ((!((User-Name =~ /^[0-9]{4}conf$/) || (User-Name =~ /^[0-9]{4}public$/))) && (Aruba-Essid-Name == "York Conferences")) ???? Evaluating (User-Name =~ /^[0-9]{4}conf$/) -> FALSE ???? Evaluating (User-Name =~ /^[0-9]{4}public$/) -> FALSE ?? Converting !FALSE -> TRUE (Attribute Aruba-Essid-Name was not found) ?? Evaluating (Aruba-Essid-Name == "York Conferences") -> FALSE ++? if ((!((User-Name =~ /^[0-9]{4}conf$/) || (User-Name =~ /^[0-9]{4}public$/))) && (Aruba-Essid-Name == "York Conferences")) -> FALSE ++? if ((NAS-IP-Address == 10.33.0.10) && (!("%{control:York-VPN-Group}" == "vpn_yes"))) ?? Evaluating (NAS-IP-Address == 10.33.0.10) -> FALSE ??? Skipping ("%{control:York-VPN-Group}" == "vpn_yes") ++? if ((NAS-IP-Address == 10.33.0.10) && (!("%{control:York-VPN-Group}" == "vpn_yes"))) -> FALSE ++? if ((NAS-IP-Address == 10.33.0.10) && ("%{control:York-User-Dept-Codes}" =~ /0087$/)) ?? Evaluating (NAS-IP-Address == 10.33.0.10) -> FALSE ?? Skipping ("%{control:York-User-Dept-Codes}" =~ /0087$/) ++? if ((NAS-IP-Address == 10.33.0.10) && ("%{control:York-User-Dept-Codes}" =~ /0087$/)) -> FALSE ++? if ((NAS-IP-Address == 10.33.0.10) && ("%{control:York-User-Dept-Codes}" == "0291,0281,0088")) ?? Evaluating (NAS-IP-Address == 10.33.0.10) -> FALSE ?? Skipping ("%{control:York-User-Dept-Codes}" == "0291,0281,0088") ++? if ((NAS-IP-Address == 10.33.0.10) && ("%{control:York-User-Dept-Codes}" == "0291,0281,0088")) -> FALSE ++? if ((NAS-IP-Address == 144.32.64.22) && (!("%{control:York-User-Dept-Codes}" =~ /0087$/))) ?? Evaluating (NAS-IP-Address == 144.32.64.22) -> FALSE ??? Skipping ("%{control:York-User-Dept-Codes}" =~ /0087$/) ++? if ((NAS-IP-Address == 144.32.64.22) && (!("%{control:York-User-Dept-Codes}" =~ /0087$/))) -> FALSE ++? if (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ++? if (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ++? if (((User-Name =~ /^[0-9]{4}conf$/) || (User-Name =~ /^[0-9]{4}public$/)) && (Aruba-Essid-Name == "eduroam")) ??? Evaluating (User-Name =~ /^[0-9]{4}conf$/) -> FALSE ??? Evaluating (User-Name =~ /^[0-9]{4}public$/) -> FALSE ?? Skipping (Aruba-Essid-Name == "eduroam") ++? if (((User-Name =~ /^[0-9]{4}conf$/) || (User-Name =~ /^[0-9]{4}public$/)) && (Aruba-Essid-Name == "eduroam")) -> FALSE ++? if ((Calling-Station-Id =~ /^1C-DF-0F-E4-F0-[0-9A-F][0-9A-F]$/) && (Aruba-Essid-Name == "eduroam")) ?? Evaluating (Calling-Station-Id =~ /^1C-DF-0F-E4-F0-[0-9A-F][0-9A-F]$/) -> FALSE ?? Skipping (Aruba-Essid-Name == "eduroam") ++? if ((Calling-Station-Id =~ /^1C-DF-0F-E4-F0-[0-9A-F][0-9A-F]$/) && (Aruba-Essid-Name == "eduroam")) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++? if ((Service-Type == 7) && ( (User-Name =~ /^skc520$/) || (User-Name =~ /^as1558$/) || (User-Name =~ /^emm502$/) || (User-Name =~ /^jrm13$/) || (User-Name =~ /^gb710$/) ||(User-Name =~ /^pnt1$/) || (User-Name =~ /^ga9$/) || (User-Name =~ /^dam6$/) || (User-Name =~ /^md540$/))) ?? Evaluating (Service-Type == 7) -> FALSE ??? Skipping (User-Name =~ /^skc520$/) ??? Skipping (User-Name =~ /^as1558$/) ??? Skipping (User-Name =~ /^emm502$/) ??? Skipping (User-Name =~ /^jrm13$/) ??? Skipping (User-Name =~ /^gb710$/) ??? Skipping (User-Name =~ /^pnt1$/) ??? Skipping (User-Name =~ /^ga9$/) ??? Skipping (User-Name =~ /^dam6$/) ??? Skipping (User-Name =~ /^md540$/) ++? if ((Service-Type == 7) && ( (User-Name =~ /^skc520$/) || (User-Name =~ /^as1558$/) || (User-Name =~ /^emm502$/) || (User-Name =~ /^jrm13$/) || (User-Name =~ /^gb710$/) ||(User-Name =~ /^pnt1$/) || (User-Name =~ /^ga9$/) || (User-Name =~ /^dam6$/) || (User-Name =~ /^md540$/))) -> FALSE ++- entering policy ntlm_auth.authorize {...} +++? if (!control:Auth-Type && User-Password && !User-Name =~ /nagios$/) ? Evaluating !(control:Auth-Type ) -> FALSE ? Skipping (User-Password ) ? Skipping (User-Name =~ /nagios$/) +++? if (!control:Auth-Type && User-Password && !User-Name =~ /nagios$/) -> FALSE ++- policy ntlm_auth.authorize returns notfound ++[expiration] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 11 to 144.32.226.191 port 4747 EAP-Message = 0x013400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0f8e4a7cef68f442188811df Finished request 22. Going to the next request Waking up in 2.4 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=12, length=338 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0f8e4a7cef68f442188811df EAP-Message = 0x0234008019800000007616030100710100006d0301514063be494dfab5706267c698f08056b6309296ea918462e9a818a9a067063400003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100 Message-Authenticator = 0x899246cf9afc98eec59bce7d698297a9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 52 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 118 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0071], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0673], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 12 to 144.32.226.191 port 4747 EAP-Message = 0x0135040019c00000078f1603010039020000350301514063be62629f85ed3309d4ec49ae4c9a1eb158248be972ea215b1a6f4d449e00c01400000dff01000100000b00040300010216030106730b00066f00066c0003423082033e308202a7a00302010202030c6b64300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479301e170d3039303831333137323932365a170d3135303831343131303035395a3081c8310b3009060355040613024742311b301906 EAP-Message = 0x0355040a13126e6173616161312e796f726b2e61632e756b31133011060355040b130a475438363332363635363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707320286329303931373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c205072656d69756d285229311b3019060355040313126e6173616161312e796f726b2e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100c6c3d37fe2d0c1ef203734a7c5f73b37f3dce39881492c98ed891070e002d899b7ea40ba8e248874048e EAP-Message = 0xad666bc5445953f62b0e618d898a0b2a08428adbd1ab3ba622fd56710f5eb49db47b5a78299533a423b03fef230f90f5dfff3c7c02fa9893bda31477219744ec832c76b1c5271f46e1983ba32632031a10d568a3c8670203010001a381ae3081ab300e0603551d0f0101ff0404030204f0301d0603551d0e041604147c85a6b78b860d3264a7f4010a019f4d6260c8d2303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d250416301406082b0601 EAP-Message = 0x050507030106082b06010505070302300d06092a864886f70d010105050003818100a54e8716f3c204f3406c917bce830f68171c056a7c397be0f23d9e710844aaa134ca0f361040ab4b796a181c030c2bc645282df174fd83693939406a4b20cae4e78e9f9f0f7816d058a04d6ff4c4e5011351c4baebd81aea259d0d327072af6cd6b8b89fe1a5f30e7f3b5e748498b20bfec38055b655161440f7e0fa260d171b0003243082032030820289a003020102020435def4cf300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b132445717569666178205365 EAP-Message = 0x637572652043657274696669 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0e8f4a7cef68f442188811df Finished request 23. Going to the next request Waking up in 2.4 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=13, length=216 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0e8f4a7cef68f442188811df EAP-Message = 0x023500061900 Message-Authenticator = 0xdb2aa5542df9b824673b9f66e1dea6fa # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 53 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 13 to 144.32.226.191 port 4747 EAP-Message = 0x0136039f19006361746520417574686f72697479301e170d3938303832323136343135315a170d3138303832323136343135315a304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c15db158670862eea09a2d1f086d911468980a1efeda046f13846221c3d17cce9f05e0b801f04e34ece28a950464acf16b535f05b3cb6780bf42028efedd0109ece100144ffcfbf00cdd43ba5b2be11f80709915579316f10f976ab7 EAP-Message = 0xc268231ccc4d5930ac511e3baf2bd6ee63457bc5d95f50d2e3500f3a88e7bf14fde0c7b90203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479310d300b0603550403130443524c31301a0603551d1004133011810f32303138303832323136343135315a300b0603551d0f040403020106301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d0e0416041448e668f92b EAP-Message = 0xd2b295d747d82320104f3398909fd4300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100cb0c0000c7030017410421f0ca2be17a913c9bad6591bb3751a59778cc3e69a1e4b466ce8fddabb39aa36521a7 EAP-Message = 0xb4a3ddf939e32ad5d1783398c4661242124d22a3c4062628ea61d7f2fd008048ba1ce6198f7c6a6078d9e42e8186ebabca0c4d081cdf66800ddfce18213497e71cc67835c340a144f99af681ac20e66a456346cce55ca66c08da98d17d38a27f058ec22375f233f1ccf562b66a3177b4b07172ca395dbd1615714953d07f58b590d2c6beb328e171086393dbc6fe644ce148a1d79ef76a1ec5525d56a3879316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0d8c4a7cef68f442188811df Finished request 24. Going to the next request Waking up in 2.4 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=14, length=354 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0d8c4a7cef68f442188811df EAP-Message = 0x02360090198000000086160301004610000042410443c6818c0c2c808958e245799b4e98cca85155999acd440be40c097f90097b470b982ff8e6e77cee5acb1abe631f3cf60df5126884ec80b7d5584257c36828fb14030100010116030100305db8b6398c18bac4ff57167d161e1cafbdca09e923ed51577a03f935d3289a90729f7419a4024ad26f66c1c64d99a30d Message-Authenticator = 0x69ee5a47c1f96b14a1913d5d508cc7ed # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 54 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 14 to 144.32.226.191 port 4747 EAP-Message = 0x01370041190014030100010116030100307875f79cad88fdef43c5a733ca3de23d302a7a6eb1e5ed5544385316768b5079de8f6246e2b3fc08639577a802ab8e3b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0c8d4a7cef68f442188811df Finished request 25. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=15, length=216 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0c8d4a7cef68f442188811df EAP-Message = 0x023700061900 Message-Authenticator = 0x2cf02c7d3830e4c97b88c191e6f65ff7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 55 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 15 to 144.32.226.191 port 4747 EAP-Message = 0x0138002b190017030100206b82dd9fe7c36d96ff9d8fa20a49ed93a8d07d500be49d8c68c74c076ae29492 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0b824a7cef68f442188811df Finished request 26. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=16, length=269 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0b824a7cef68f442188811df EAP-Message = 0x0238003b19001703010030be24122fd2937babb6d4959d2a6945c1ba9dae3b8ea1a188ef5a7284e5cba1e91f1f04eea9d423dc1180cdf8f355999f Message-Authenticator = 0xe05e0454d0b48932d701e039e59e8e40 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 56 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - as1558@york.ac.uk [peap] Got inner identity 'as1558@york.ac.uk' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x023800160161733135353840796f726b2e61632e756b server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x023800160161733135353840796f726b2e61632e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 56 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:32:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x0139002b1a013900261088451b4b0b9730c931984f2e7ef9700f61733135353840796f726b2e61632e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31d5e80c31ecf2b96efd4e329dc2f91c [peap] Got tunneled reply RADIUS code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x0139002b1a013900261088451b4b0b9730c931984f2e7ef9700f61733135353840796f726b2e61632e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31d5e80c31ecf2b96efd4e329dc2f91c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 16 to 144.32.226.191 port 4747 EAP-Message = 0x0139004b19001703010040c8350355303940baf104c9268f3167c436a03911adb7fa5cf75f603757cfe07b7a2234a9e1ba895d4f100fc551f44cc87e2fc2dd4aa088b2c6c14372b222135c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b0a834a7cef68f442188811df Finished request 27. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=17, length=317 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b0a834a7cef68f442188811df EAP-Message = 0x0239006b190017030100600ffcf31775306c3a7d899efa40a0a7ca5d048b84b3fdb02aad0dd048f3f7a97acc3ba11f4be27ac6e8f480c83e0ce3038997f99ca050bbdd43e210fbad02a1f943246c56589f36cdf474398980be226cf65b5eab7443ea5f6991a0d54719f4b7 Message-Authenticator = 0xfbc79d0326bd195dd53d2e9dbee5a11b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 57 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0239004c1a02390047312d64caceed4ebce2f4eb69222bf5535f0000000000000000de8a260ad78dbf0f734bb405f398aa33690b4f78d87dd7860061733135353840796f726b2e61632e756b server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x0239004c1a02390047312d64caceed4ebce2f4eb69222bf5535f0000000000000000de8a260ad78dbf0f734bb405f398aa33690b4f78d87dd7860061733135353840796f726b2e61632e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" State = 0x31d5e80c31ecf2b96efd4e329dc2f91c Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 57 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:32:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) [mschapv2] ?? Evaluating (EAP-Type == 1) -> FALSE [mschapv2] ?? Evaluating (EAP-Message =~ /^0x02..00061a..$/) -> FALSE [mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) -> FALSE [mschapv2] ++- entering else else {...} [mschap] Creating challenge hash with username: as1558@york.ac.uk [mschap] Client is using MS-CHAPv2 for as1558@york.ac.uk, we need NT-Password [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ITS.YORK.AC.UK} -> --domain=ITS.YORK.AC.UK [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=as1558 [mschap] Creating challenge hash with username: as1558@york.ac.uk [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=868506c18365b683 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=de8a260ad78dbf0f734bb405f398aa33690b4f78d87dd786 Exec-Program output: NT_KEY: 49505FEEF88C08EB15376B7B4313BF9A Exec-Program-Wait: plaintext: NT_KEY: 49505FEEF88C08EB15376B7B4313BF9A Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys +++[mschap] returns ok +++? if (reject) ? Evaluating (reject) -> FALSE +++? if (reject) -> FALSE ++- else else returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x013a00331a0339002e533d41423945394533443139313936304538394538394136374144413444454241443136303645364143 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31d5e80c30eff2b96efd4e329dc2f91c [peap] Got tunneled reply RADIUS code 11 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" EAP-Message = 0x013a00331a0339002e533d41423945394533443139313936304538394538394136374144413444454241443136303645364143 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31d5e80c30eff2b96efd4e329dc2f91c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 17 to 144.32.226.191 port 4747 EAP-Message = 0x013a005b1900170301005013bc0bcde511c8708e36293b6392ed76f234547392bec11d9bc2a398d847a46a6f2ba2f9af49c4570cbbf7bb1559968c27183a6e31af1b9bf9295f38cce2b71cec5857f29c83acd60a2ca5d332c5af6e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b09804a7cef68f442188811df Finished request 28. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=18, length=253 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b09804a7cef68f442188811df EAP-Message = 0x023a002b190017030100203085fe686291655d4f052d9b9af6310d2c4845e69b7f09440e0487fdafd951a9 Message-Authenticator = 0xa34b8717f5f17f273163adc00ae0281a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 58 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x023a00061a03 server { [peap] Setting User-Name to as1558@york.ac.uk Sending tunneled request EAP-Message = 0x023a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "as1558@york.ac.uk" State = 0x31d5e80c30eff2b96efd4e329dc2f91c Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "york.ac.uk" for User-Name = "as1558@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "as1558" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[chap] returns noop ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 58 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[york_passwd] returns notfound ++? if (Packet-Type == Access-Accept) ? Evaluating (Packet-Type == Access-Accept) -> FALSE ++? if (Packet-Type == Access-Accept) -> FALSE ++? if (request:Aruba-Location-Id) ? Evaluating (request:Aruba-Location-Id) -> FALSE ++? if (request:Aruba-Location-Id) -> FALSE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {...} expand: %{NAS-Identifier} -> xb1sw1 expand: %{NAS-Port-Id} -> 29 expand: %{Calling-Station-Id} -> 40-6c-8f-58-fd-89 +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) ) returns notfound ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) ?? Evaluating (request:NAS-Port-Type =~ /^Ethernet$/) -> TRUE ?? Evaluating (User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) -> FALSE ? Converting !FALSE -> TRUE ++? if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) -> TRUE ++- entering if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) {...} +++[reply] returns notfound ++- if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]$/) ) returns notfound ++? if (reply:Tunnel-Private-Group-ID) ? Evaluating (reply:Tunnel-Private-Group-ID) -> FALSE ++? if (reply:Tunnel-Private-Group-ID) -> FALSE ++[expiration] returns noop ++[pap] returns noop [reply_log] expand: /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 -> /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] /var/log/freeradius/radacct/%Y%m%d/reply-detail-%H:00 expands to /var/log/freeradius/radacct/20130313/reply-detail-11:00 [reply_log] expand: %{Packet-Src-IP-Address} = %t -> 144.32.226.191 = Wed Mar 13 11:32:14 2013 ++[reply_log] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [as1558@york.ac.uk] (from client xb1sw1 port 29 cli 40-6c-8f-58-fd-89 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0xf312d196bbc31ff28426ac73de93d409 MS-MPPE-Recv-Key = 0xd56acc1594e2d40530da1e6bced914c3 EAP-Message = 0x033a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "as1558" [peap] Got tunneled reply RADIUS code 2 York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0xf312d196bbc31ff28426ac73de93d409 MS-MPPE-Recv-Key = 0xd56acc1594e2d40530da1e6bced914c3 EAP-Message = 0x033a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "as1558" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 18 to 144.32.226.191 port 4747 EAP-Message = 0x013b002b19001703010020995f296be4f956870659a81d2023061385f2367cbbf74fe84840408711ed5314 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0fba531b08814a7cef68f442188811df Finished request 29. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 144.32.226.191 port 4747, id=19, length=253 Framed-MTU = 1480 NAS-IP-Address = 144.32.226.191 NAS-Identifier = "xb1sw1" User-Name = "@york.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 29 NAS-Port-Type = Ethernet NAS-Port-Id = "29" Called-Station-Id = "00-30-6e-86-f2-00" Calling-Station-Id = "40-6c-8f-58-fd-89" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0fba531b08814a7cef68f442188811df EAP-Message = 0x023b002b190017030100201f1307cf768dd58be9e7320b214381d1083412988f8323046f7bbf050c002e79 Message-Authenticator = 0xe0943b45ed1063fbf4d77b14dadc4976 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "york.ac.uk" for User-Name = "@york.ac.uk" [suffix] Found realm "york.ac.uk" [suffix] Adding Stripped-User-Name = "" [suffix] Adding Realm = "york.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++- entering policy realm_checks {...} +++? if (User-Name =~ /@$/) ? Evaluating (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@$/) -> FALSE +++? if (User-Name =~ /@.+?@/) ? Evaluating (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?@/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) ? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) ? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@[\\.-]/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) ? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) ? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@[^\\.]+$/) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) ? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@.+?\\.\\./) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) ? Evaluating (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE +++? if (User-Name =~ /@york\\.ax\\.uk$/i) -> FALSE ++- policy realm_checks returns ok ++- entering policy realm_blacklist {...} +++? if (User-Name =~ /@myabc\\.com$/i) ? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) ? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE +++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE ++- policy realm_blacklist returns ok ++[chap] returns noop ++[mschap_default] returns noop [eap] EAP packet type response id 59 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept York-Auth-Device = "xb1sw1" York-Auth-Device-Port = "29" York-Calling-Station-Id = "40-6c-8f-58-fd-89" York-Auth-Type = "dot1x" User-Name = "as1558" [eap] Freeing handler ++[eap] returns ok Login OK: [@york.ac.uk] (from client xb1sw1 port 29 cli 40-6c-8f-58-fd-89) # Executing section post-auth from file /etc/freeradius/sites-enabled/default