I have tried today with simualtaneous-Use with gidnumber, here are what I did. Added in /etc/raddb/ldap.attrmap checkItem gidNumber gidnumber I also had to add in /etc/raddb/dictionary ATTRIBUTE gidnumber 3003 integer commented these two lines in users file #DEFAULT Simultaneous-Use := 2 # Fall-Through = 1 in /etc/raddb/sites-enables/default right ldap section, I added these #DEFAULT Simultaneous-Use := 2 # Fall-Through = 1 Reject if users is not in LDAP ldap if (notfound){ reject } # check gid for simultaneous use if ("%{gidnumber}" < 200){ update request { Simultaneous-Use := 1 } else{ update request { Simultaneous-Use := 2 } } } the regex checking returns true for user testsim who has gid less than 200 but testsim still able to login 2nd and 3rd login. can anyone see what I am missing ? here is the debug output Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=221, length=143 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x02aa50ca6938abf111e98eb999837890 EAP-Message = 0x02020012016e656d616e64694068692e6973 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 0: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapserver:389, authentication 0 [ldap] bind as cn=ldapusername,ou=user,dc=example,dc=com/Wum8dili to ldapserver:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++? if ("%{gidnumber}" < 200) expand: %{gidnumber} -> ? Evaluating ("%{gidnumber}" < 200) -> TRUE ++? if ("%{gidnumber}" < 200) -> TRUE ++if ("%{gidnumber}" < 200) { +++update request { +++} # update request = noop +++ ... skipping else for request 0: No preceding "if" ++} # if ("%{gidnumber}" < 200) = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 221 to 10.128.5.1 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=222, length=250 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xfd419fe8a45bd6e0774f49ec6275fb5b EAP-Message = 0x0203006b198000000061160301005c0100005803015523f1cc76277ea93a499680dff35585086bd083bf539087c3d3ca6d0053824b000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 1: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 3 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 222 to 10.128.5.1 port 1645 EAP-Message = 0x0104040019c0000008a216030100310200002d03015523f1c91bc5f2eea2a5dbdd0698cb42a8a48c9fccdcc1e9d91e5e8c7c541b57000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d257278bcb3d80351c6c39a144f9ee55accaf13aa2bdc5e78c1191b6126542cdb0b8edf81f72bc80e905d30fe95d9f54200778bff7e808 EAP-Message = 0xd3008941f8b7da00b5d9cf77bed1c1d2accd8f2aac95f6c4c549a0e64d0fffb372ee90b5e1752c7450c1fc302fcd9122cbb63e3d2f8400a5a2071690238d5133b80e96eaac6fa15e185dd390c51255309adac0be363f5e626ae745f05eeed35f3997c05377c2291ea6df65a6d6cc56ab9880776317cc9894557344f92eb982673e07ed5c027687eb46d2167c0cd7756404587c37319482497afd9bffe114ef64a2b0640add64df47d92e37f32d94720451964ce39276ae8fb94fdf2f3fba10b51ab2e84fb2804986a30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100359a EAP-Message = 0xd6555994880868e54137c4d487acaeccded09ea5d265a1b2faa142dc0e8214b112cea1077f91d8e77a0516ad66524e964fc108774fa3538f4d8de1cbd41a08d4f356ccebb3a1fabcfd2b40d3ab12ff487995b42176e9201c165c4e00ac79be6379578bfa1109299015652b9c9160abff3ab2b87027590f6f46bd817cac00b168a06203959212727cec0bcb8555ff7c47e05bf459bee769989ba4c15619ab4256ed025b5c93e2f4316ad86167b1186e71aa407ad5e3e283ab0d3637b189f0ab5a0c9cbf73446230f511cc2b60da090f6c46842b61437c8e841f44b32d01b6d4e676cb23c7b5c9bfd20e6df238342e7de3596789f62dd5b3fd77f76654b2 EAP-Message = 0x3f0004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=223, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xcdf001eb09d55ebe49a413ac8258de09 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 2: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 223 to 10.128.5.1 port 1645 EAP-Message = 0x010503fc1940a003020102020900ebf6479ecc13e59d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b88d97967839058840e9074fde6afe5d23f7b77bb5d4c6c062c222f085626de7db03eed8672e37d56e7c7bbfbd1e68481bc526f5a0a0c88fb66eca809822cdd8cf6af8ca055f8a68f5ef4564d02f3bf64cf993ac3c3d295892f6307e88c7be325f8e295ec12610e3 EAP-Message = 0xf442768063f2c53a36a82ce16bca9bbdf35bdba6b20073d159543d7e179817db0a67737df59b88add8091a8bb44c3278e74c08f81d1a24c45a1707d09c76cd190460958b62197f8a1bf548f5f9aeb57f7ad52761f4716ab4c0dfb2afd6c80fd90fc437e6c0db15bc2b6cdfcde709b7b1c6e9759e1e7fd546d0d271e0f8b1ff825aac83857fa1ea7e4b8f5faa691751067923655c88964fcb0203010001a381fb3081f8301d0603551d0e0416041465a61d270505d0f4781e56c2ebf2d1ddc92a82063081c80603551d230481c03081bd801465a61d270505d0f4781e56c2ebf2d1ddc92a8206a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ebf6479ecc13e59d300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004c80773db9ef6312a280163ccfb62080bed265fd1d611fa2a065c5943f1db7ca42e4191f219277ad506c7c3d30f35a190cc5bd1ccbb67022488c049d79f4e8202e11678b49ee69dd76bee6 EAP-Message = 0x0419550efe88be07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=224, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xbacc4317b1136b351cc1cc6039e0d89d EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 3: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 224 to 10.128.5.1 port 1645 EAP-Message = 0x010600bc190041272a2350e3d6c24837dc0dbeb6e38b25a4ef6a30dd86b675003ab0caf1e67a8fd59bf978b5a7a7cfd80884010333063b092a16ba58e339ddaffe55a835f75524219202ab6440731dafebb7c70dc3c4a49fe5302bf993adefb6e23a00619553a65807db09b4c3ca67d12fa32d6dc1f307ab4b39ac8a7b3bb4dc7a20d43d08feef956d5f96c50612ad5b7e90e305b2d42d29305e7a4c8ee180574730b0baa1fff7ddaa8ea5cf2d7abda4972f1f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a1be2612134a7040a4f7c7f0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=225, length=481 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x1b6a04acc1ac9f7562cc21cdd235b803 EAP-Message = 0x020601501980000001461603010106100001020100952dc780436e3543fa58f8d6dda32342595018adde4558631e13b2364c04dc5d9ad70a7d6f913570452a35324131e4598e24d6c5a9055bab78a70ea7a05d71dbe0fde7ae5bf96e11fb931f87173edbdf05b274924cea338cf6485546b3c5e22619ac8c9b6250f2837c0aef6751df11aadd2f1c1fb6af38a3f0674eab82e3a3bb0a0be74feed8298c1260b9828869e5038814a9e0aed1b7478660f4d886482fd0e638ff66772b7b7b47d4797706e7c7eaea05bd4a1e35972e12826358116e9399e352d8e1d5404d1b9311946275b2e5a1a0e016ca338194c4bf926741aa98d211841ded4878e6e456 EAP-Message = 0xd2c542547236d0816e9c2087ef8ff3d200948c9c0d9072cc1403010001011603010030e8f84acc73fa965b426e046f4ce672449970041f141f5a8a863abde5ee84ff7b74608693bc6dd24f992f88995d3359a8 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a1be2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 4: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 225 to 10.128.5.1 port 1645 EAP-Message = 0x01070041190014030100010116030100308b7010b2ebd53202917c6c335fd911d59440f1ff7f0e4b0111af3f6ea07f618a346ee62af231d63642ddaf85fb80366c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=226, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xd5e9682a9907090b414098c537246c61 EAP-Message = 0x020700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 5: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 226 to 10.128.5.1 port 1645 EAP-Message = 0x0108002b1900170301002048607d38300123d55551449d7188425122d57218a0f0625d7ae1ab21816151ef Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a7b02612134a7040a4f7c7f0 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=227, length=202 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x6d9a70ff8d3c93157f29870a4b997e71 EAP-Message = 0x0208003b190017030100301daac43e2727962799048843bab2749321d10f3e23964b80fec66c95e835965505f86b4c2e99f396b384d04ef3793804 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a7b02612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 8 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testsim@example.com [peap] Got inner identity 'testsim@example.com' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4da70b1e038f24cf8612d4dc [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4da70b1e038f24cf8612d4dc [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 227 to 10.128.5.1 port 1645 EAP-Message = 0x0109004b1900170301004021a9ac287e38573ff649fa0fc5592eefbfcf61a411d757f1a5be38136975a2d725a5b953fcd4b3c9c8e61a7d4176235314a8f7d9c68402b6a8646c5428d8f8dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a4b12612134a7040a4f7c7f0 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=228, length=250 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xd30b4ca2d8985460f35e371c5525ebf8 EAP-Message = 0x0209006b1900170301006057219e51b1c64730179efd42c63c537a6bcb10b316ab72fd3a06c1097a05197962444babc5c393f3ff253b393ae185a64aaaf6f0b1b2bb5b8284664dc6b15c94b2a733cd82a84d8693cd9307ca900fea86362c300c8535fa5c15a49ea1bf1109 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a4b12612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" State = 0x4dae11ad4da70b1e038f24cf8612d4dc Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 72 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: testsim@example.com [mschap] Client is using MS-CHAPv2 for testsim@example.com, we need NT-Password [mschap] expand: %{Stripped-User-Name} -> testsim [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=testsim [mschap] Creating challenge hash with username: testsim@example.com [mschap] expand: %{mschap:Challenge} -> fd1acc5e260d5490 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=fd1acc5e260d5490 [mschap] expand: %{mschap:NT-Response} -> 6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b Exec output: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 Exec plaintext: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 [mschap] Exec: program returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4ca40b1e038f24cf8612d4dc [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4ca40b1e038f24cf8612d4dc [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.128.5.1 port 1645 EAP-Message = 0x010a005b19001703010050c419eda1954c1ed1e82d748c94d1a63753c1ac8edfc3b66232ca1887f954a98a630e93e27a38eb5daad0b6e3cea181f8595504a8d23574b3427bd9f2b23763e92477b382be6ae942f9ecf49915c14076 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a5b22612134a7040a4f7c7f0 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=229, length=186 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x51ae9679910cecd0d58916829fb30ba0 EAP-Message = 0x020a002b19001703010020d06b0b26fb835b35cec729cc1f8251ce14ccb043b4b12d08d9407fa39c033675 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a5b22612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" State = 0x4dae11ad4ca40b1e038f24cf8612d4dc Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim@example.com] (from client nas1.example.com port 7524 cli 0021.5c5b.8ef3 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.128.5.1 port 1645 EAP-Message = 0x010b002b19001703010020363e2a4cd330a0c844f2214030ef8221a42c61ed1c69b43ccbdd225b62bf6a63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5aab32612134a7040a4f7c7f0 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=230, length=186 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xa7197dffc2a77251f453e7369cee4c78 EAP-Message = 0x020b002b1900170301002016250e0ba43693e71a364e24e63acf17627766966ff911935cdf1b35606c5e71 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5aab32612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "testsim" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim@example.com] (from client nas1.example.com port 7524 cli 0021.5c5b.8ef3) # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { [reply_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [reply_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/reply-detail-20150407 [reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/reply-detail-20150407 [reply_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[reply_log] = ok +} # group post-auth = ok Sending Access-Accept of id 230 to 10.128.5.1 port 1645 User-Name = "testsim" MS-MPPE-Recv-Key = 0x32be352f485e290265607f4ffff0e8d5ee25ea070d5344a615826c46e69a32df MS-MPPE-Send-Key = 0x47d8439137a5e8b35b3e50583b7cd72b78a6a7568c491cc6d3ab2016bb3d3222 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 10.128.5.1 port 1646, id=244, length=113 Acct-Session-Id = "00001D42" Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" User-Name = "testsim" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 Service-Type = Framed-User NAS-IP-Address = 10.128.5.1 Acct-Delay-Time = 0 # Executing section preacct from file /etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 7524,,NAS-IP-Address = 10.128.5.1,Acct-Session-Id = "00001D42",User-Name = "testsim"' [acct_unique] Acct-Unique-Session-ID = "74d9ace36de7e57c". ++[acct_unique] = ok ++[files] = noop +} # group preacct = ok # Executing section accounting from file /etc/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/detail-20150407 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/detail-20150407 [detail] expand: %t -> Tue Apr 7 15:03:37 2015 ++[detail] = ok [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testsim [sql] expand: %{%{User-Name}:-DEFAULT} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 31 rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok [attr_filter.accounting_response] expand: %{User-Name} -> testsim attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Res On Wed, Mar 18, 2015 at 1:06 PM, Khapare Joshi <khapare77@gmail.com> wrote:
Thanks Alan,
It looks Simualtaneous-use seem to be working in my test environment.
I set DEFAULT Simultaneous-Use := 2 in users file and perform the test with the configuration. This works what it should be :
++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> khapare [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> khapare [sql] sql_set_user escaped user --> 'khapare' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'khapare' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): Released sql socket id: 3 ++[sql] = ok +} # group session = ok Multiple logins (max 2) : [khapare@realm.com] (from client nas1.realm.com port 7348 cli 2002.afd1.523e via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> khapare@realm.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Got tunneled reply RADIUS code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Tunneled authentication was rejected. [peap] FAILURE
This is good. Now I want to search users in ldap for their group membership and set the simulataneous-use
if users is a student simualtaneous-use :=2 if uses is a staff Simualtaneous-Use :=5 rest others = 7
On Thu, Mar 5, 2015 at 12:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 5, 2015, at 4:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
My NAS was bad - it was not sending accounting data. Now NAS is sending data and radacct been populated.
That’s usually the problem.
Could it be when radius is exectuing the session section it is looking for khapare@realm.com but in the database username is only the username i.e khapare ?
Yes. If you run the server in debugging mode, you’ll see what it’s doing.
1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still have to define in /etc/raddb/users file as :
No. The server doesn’t care where an attribute comes from.
2. or I am doing stupid here ?
No.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html