Hi, When using FreeRADIUS v3.1 Windows devices fail to authenticate using PEAP. Other OS work fine but Windows fails. If I use a client cert and EAP-TLS windows succeeds. It appears the Windows devices stop responding after the establishment of the PEAP tunnel. Can anyone point out where I am going wrong: Ready to process requests (0) - Received Access-Request Id 248 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 316 (0) - User-Name = "anon@lboro.ac.uk" (0) - Chargeable-User-Identity = 0x00 (0) - Location-Capable = Civix-Location (0) - Calling-Station-Id = "18-cf-5e-12-75-c1" (0) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (0) - NAS-Port = 13 (0) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (0) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (0) - NAS-IP-Address = 10.53.253.14 (0) - NAS-IPv6-Address = 2001:630:301:9101::14 (0) - NAS-Identifier = "wism-sport-park-3" (0) - Airespace-Wlan-Id = 3 (0) - Service-Type = Framed-User (0) - Framed-MTU = 1300 (0) - NAS-Port-Type = Wireless-802.11 (0) - Tunnel-Type:0 = VLAN (0) - Tunnel-Medium-Type:0 = IEEE-802 (0) - Tunnel-Private-Group-Id:0 = "1112" (0) - EAP-Message = 0x0202001501616e6f6e406c626f726f2e61632e756b (0) - Message-Authenticator = 0x382df2f62c354bece72daa54ee2d5945 (0) - Running section authorize from file /etc/raddb/sites-enabled/lboro (0) - authorize { (0) - nagios_check { (0) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (0) - ... (0) - } (0) - } # nagios_check (notfound) (0) - wism_check { (0) - if (User-Name =~ /wism-check/ ) { (0) - ... (0) - } (0) - } # wism_check (notfound) (0) - filter_duff_realms { (0) - if (User-Name =~ /\\.ax\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /lboro$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (0) - ... (0) - } (0) - elsif (User-Name =~ /myabc\\.com$/i) { (0) - ... (0) - } (0) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (0) - ... (0) - } (0) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (0) - ... (0) - } (0) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (0) - ... (0) - } (0) - } # filter_duff_realms (notfound) (0) - filter_username { (0) - if (!&User-Name) { (0) - ... (0) - } (0) - if (&User-Name =~ / /) { (0) - ... (0) - } (0) - if (&User-Name =~ /@.*@/ ) { (0) - ... (0) - } (0) - if (&User-Name =~ /\.\./ ) { (0) - ... (0) - } (0) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) - ... (0) - } (0) - if (&User-Name =~ /\.$/) { (0) - ... (0) - } (0) - if (&User-Name =~ /@\./) { (0) - ... (0) - } (0) - } # filter_username (notfound) (0) preprocess (ok) (0) operator-name.authorize { (0) if ("%{client:Operator-Name}") { (0) EXPAND %{client:Operator-Name} (0) --> (0) ... (0) } (0) } # operator-name.authorize (ok) (0) cui.authorize { (0) if ("%{client:add_cui}" == 'yes') { (0) EXPAND %{client:add_cui} (0) --> yes (0) update request { (0) &Chargeable-User-Identity := 0x00 (0) } # update request (noop) (0) } # if ("%{client:add_cui}" == 'yes') (noop) (0) } # cui.authorize (noop) (0) suffix - Checking for suffix after "@" (0) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (0) suffix - Found realm "lboro.ac.uk" (0) suffix - Adding Stripped-User-Name = "anon" (0) suffix - Adding Realm = "lboro.ac.uk" (0) suffix - Authentication realm is LOCAL (0) suffix (ok) (0) ntdomain - Request already has destination realm set. Ignoring (0) ntdomain (noop) (0) if ( Called-Station-Id =~ /:eduroam$/ ) { (0) ... (0) } (0) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (0) ... (0) } (0) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (0) EXPAND %{client:group} (0) --> wireless (0) ... (0) } (0) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (0) ... (0) } (0) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (0) ... (0) } (0) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (0) ... (0) } (0) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (0) ... (0) } (0) elsif ( Realm == "lsu.co.uk" ) { (0) ... (0) } (0) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (0) ... (0) } (0) else { (0) update request { (0) &Realm := local (0) } # update request (noop) (0) } # else (noop) (0) eap - Peer sent EAP Response (code 2) ID 2 length 21 (0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (0) eap (ok) (0) } # authorize (ok) (0) Using 'Auth-Type = eap' for authenticate {...} (0) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (0) authenticate { (0) eap - Peer sent packet with EAP method Identity (1) (0) eap - Calling submodule eap_tls to process data (0) eap_tls - Initiating new EAP-TLS session (0) eap_tls - Setting verify mode to require certificate from client (0) eap - Sending EAP Request (code 1) ID 3 length 6 (0) eap (handled) (0) } # authenticate (handled) (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (0) Sent Access-Challenge Id 248 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (0) EAP-Message = 0x010300060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x01015100148ca6ec523c504e518c74e2 (0) Finished request Waking up in 1.9 seconds. (1) - Received Access-Request Id 249 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319 (1) - User-Name = "anon@lboro.ac.uk" (1) - Chargeable-User-Identity = 0x00 (1) - Location-Capable = Civix-Location (1) - Calling-Station-Id = "18-cf-5e-12-75-c1" (1) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (1) - NAS-Port = 13 (1) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (1) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (1) - NAS-IP-Address = 10.53.253.14 (1) - NAS-IPv6-Address = 2001:630:301:9101::14 (1) - NAS-Identifier = "wism-sport-park-3" (1) - Airespace-Wlan-Id = 3 (1) - Service-Type = Framed-User (1) - Framed-MTU = 1300 (1) - NAS-Port-Type = Wireless-802.11 (1) - Tunnel-Type:0 = VLAN (1) - Tunnel-Medium-Type:0 = IEEE-802 (1) - Tunnel-Private-Group-Id:0 = "1112" (1) - EAP-Message = 0x020300060319 (1) - State = 0x01015100148ca6ec523c504e518c74e2 (1) - Message-Authenticator = 0x87079937708aa02274b90e7892aa4815 (1) - Running section authorize from file /etc/raddb/sites-enabled/lboro (1) - authorize { (1) - nagios_check { (1) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (1) - ... (1) - } (1) - } # nagios_check (notfound) (1) - wism_check { (1) - if (User-Name =~ /wism-check/ ) { (1) - ... (1) - } (1) - } # wism_check (notfound) (1) - filter_duff_realms { (1) - if (User-Name =~ /\\.ax\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /lboro$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (1) - ... (1) - } (1) - elsif (User-Name =~ /myabc\\.com$/i) { (1) - ... (1) - } (1) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (1) - ... (1) - } (1) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (1) - ... (1) - } (1) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (1) - ... (1) - } (1) - } # filter_duff_realms (notfound) (1) - filter_username { (1) - if (!&User-Name) { (1) - ... (1) - } (1) - if (&User-Name =~ / /) { (1) - ... (1) - } (1) - if (&User-Name =~ /@.*@/ ) { (1) - ... (1) - } (1) - if (&User-Name =~ /\.\./ ) { (1) - ... (1) - } (1) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) - ... (1) - } (1) - if (&User-Name =~ /\.$/) { (1) - ... (1) - } (1) - if (&User-Name =~ /@\./) { (1) - ... (1) - } (1) - } # filter_username (notfound) (1) preprocess (ok) (1) operator-name.authorize { (1) if ("%{client:Operator-Name}") { (1) EXPAND %{client:Operator-Name} (1) --> (1) ... (1) } (1) } # operator-name.authorize (ok) (1) cui.authorize { (1) if ("%{client:add_cui}" == 'yes') { (1) EXPAND %{client:add_cui} (1) --> yes (1) update request { (1) &Chargeable-User-Identity := 0x00 (1) } # update request (noop) (1) } # if ("%{client:add_cui}" == 'yes') (noop) (1) } # cui.authorize (noop) (1) suffix - Checking for suffix after "@" (1) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (1) suffix - Found realm "lboro.ac.uk" (1) suffix - Adding Stripped-User-Name = "anon" (1) suffix - Adding Realm = "lboro.ac.uk" (1) suffix - Authentication realm is LOCAL (1) suffix (ok) (1) ntdomain - Request already has destination realm set. Ignoring (1) ntdomain (noop) (1) if ( Called-Station-Id =~ /:eduroam$/ ) { (1) ... (1) } (1) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (1) ... (1) } (1) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (1) EXPAND %{client:group} (1) --> wireless (1) ... (1) } (1) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (1) ... (1) } (1) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (1) ... (1) } (1) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (1) ... (1) } (1) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (1) ... (1) } (1) elsif ( Realm == "lsu.co.uk" ) { (1) ... (1) } (1) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (1) ... (1) } (1) else { (1) update request { (1) &Realm := local (1) } # update request (noop) (1) } # else (noop) (1) eap - Peer sent EAP Response (code 2) ID 3 length 6 (1) eap - Continuing on-going EAP conversation (1) eap (updated) (1) if (Realm != "SportPark") { (1) files (noop) (1) } # if (Realm != "SportPark") (noop) (1) } # authorize (updated) (1) Using 'Auth-Type = eap' for authenticate {...} (1) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (1) authenticate { (1) eap - Peer sent packet with EAP method NAK (3) (1) eap - Found mutually acceptable type PEAP (25) (1) eap - Calling submodule eap_peap to process data (1) eap_peap - Initiating new EAP-TLS session (1) eap - Sending EAP Request (code 1) ID 4 length 6 (1) eap (handled) (1) } # authenticate (handled) (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (1) Sent Access-Challenge Id 249 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (1) EAP-Message = 0x010400061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x020351002306bedc523c504e518c74e2 (1) Finished request Waking up in 1.9 seconds. (2) - Received Access-Request Id 250 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 491 (2) - User-Name = "anon@lboro.ac.uk" (2) - Chargeable-User-Identity = 0x00 (2) - Location-Capable = Civix-Location (2) - Calling-Station-Id = "18-cf-5e-12-75-c1" (2) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (2) - NAS-Port = 13 (2) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (2) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (2) - NAS-IP-Address = 10.53.253.14 (2) - NAS-IPv6-Address = 2001:630:301:9101::14 (2) - NAS-Identifier = "wism-sport-park-3" (2) - Airespace-Wlan-Id = 3 (2) - Service-Type = Framed-User (2) - Framed-MTU = 1300 (2) - NAS-Port-Type = Wireless-802.11 (2) - Tunnel-Type:0 = VLAN (2) - Tunnel-Medium-Type:0 = IEEE-802 (2) - Tunnel-Private-Group-Id:0 = "1112" (2) - EAP-Message = 0x020400b21980000000a816030300a30100009f030356d5a1d0b73b3ce7f8e814cc7bd174c70898c308769ae5cbf3b0a4fbd0895733000038c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500 (2) - State = 0x020351002306bedc523c504e518c74e2 (2) - Message-Authenticator = 0x25df502901ee50b3554970e162bd935e (2) - Running section authorize from file /etc/raddb/sites-enabled/lboro (2) - authorize { (2) - nagios_check { (2) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (2) - ... (2) - } (2) - } # nagios_check (notfound) (2) - wism_check { (2) - if (User-Name =~ /wism-check/ ) { (2) - ... (2) - } (2) - } # wism_check (notfound) (2) - filter_duff_realms { (2) - if (User-Name =~ /\\.ax\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /lboro$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (2) - ... (2) - } (2) - elsif (User-Name =~ /myabc\\.com$/i) { (2) - ... (2) - } (2) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (2) - ... (2) - } (2) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (2) - ... (2) - } (2) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (2) - ... (2) - } (2) - } # filter_duff_realms (notfound) (2) - filter_username { (2) - if (!&User-Name) { (2) - ... (2) - } (2) - if (&User-Name =~ / /) { (2) - ... (2) - } (2) - if (&User-Name =~ /@.*@/ ) { (2) - ... (2) - } (2) - if (&User-Name =~ /\.\./ ) { (2) - ... (2) - } (2) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) - ... (2) - } (2) - if (&User-Name =~ /\.$/) { (2) - ... (2) - } (2) - if (&User-Name =~ /@\./) { (2) - ... (2) - } (2) - } # filter_username (notfound) (2) preprocess (ok) (2) operator-name.authorize { (2) if ("%{client:Operator-Name}") { (2) EXPAND %{client:Operator-Name} (2) --> (2) ... (2) } (2) } # operator-name.authorize (ok) (2) cui.authorize { (2) if ("%{client:add_cui}" == 'yes') { (2) EXPAND %{client:add_cui} (2) --> yes (2) update request { (2) &Chargeable-User-Identity := 0x00 (2) } # update request (noop) (2) } # if ("%{client:add_cui}" == 'yes') (noop) (2) } # cui.authorize (noop) (2) suffix - Checking for suffix after "@" (2) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (2) suffix - Found realm "lboro.ac.uk" (2) suffix - Adding Stripped-User-Name = "anon" (2) suffix - Adding Realm = "lboro.ac.uk" (2) suffix - Authentication realm is LOCAL (2) suffix (ok) (2) ntdomain - Request already has destination realm set. Ignoring (2) ntdomain (noop) (2) if ( Called-Station-Id =~ /:eduroam$/ ) { (2) ... (2) } (2) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (2) ... (2) } (2) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (2) EXPAND %{client:group} (2) --> wireless (2) ... (2) } (2) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (2) ... (2) } (2) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (2) ... (2) } (2) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (2) ... (2) } (2) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (2) ... (2) } (2) elsif ( Realm == "lsu.co.uk" ) { (2) ... (2) } (2) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (2) ... (2) } (2) else { (2) update request { (2) &Realm := local (2) } # update request (noop) (2) } # else (noop) (2) eap - Peer sent EAP Response (code 2) ID 4 length 178 (2) eap - Continuing tunnel setup (2) eap (ok) (2) } # authorize (ok) (2) Using 'Auth-Type = eap' for authenticate {...} (2) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (2) authenticate { (2) eap - Peer sent packet with EAP method PEAP (25) (2) eap - Calling submodule eap_peap to process data (2) eap_peap - Continuing EAP-TLS (2) eap_peap - Peer indicated complete TLS record size will be 168 bytes (2) eap_peap - Got complete TLS record, with length field (168 bytes) (2) eap_peap - [eap-tls verify] = ok (2) eap_peap - before/accept initialization (2) eap_peap - TLS Accept: before/accept initialization (2) eap_peap - <<< recv handshake [length 163], client_hello (2) eap_peap - TLS Accept: SSLv3 read client hello A (2) eap_peap - >>> send handshake [length 89], server_hello (2) eap_peap - TLS Accept: SSLv3 write server hello A (2) eap_peap - >>> send handshake [length 2457], certificate (2) eap_peap - TLS Accept: SSLv3 write certificate A (2) eap_peap - >>> send handshake [length 331], server_key_exchange (2) eap_peap - TLS Accept: SSLv3 write key exchange A (2) eap_peap - >>> send handshake [length 4], server_hello_done (2) eap_peap - TLS Accept: SSLv3 write server done A (2) eap_peap - TLS Accept: SSLv3 flush data (2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A (2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A (2) eap_peap - In TLS handshake phase (2) eap_peap - In TLS accept mode (2) eap_peap - Complete TLS record (2901 bytes) larger than MTU (990 bytes), will fragment (2) eap_peap - Sending first TLS record fragment (990 bytes), 1911 bytes remaining (2) eap_peap - [eap-tls process] = handled (2) eap - Sending EAP Request (code 1) ID 5 length 1000 (2) eap (handled) (2) } # authenticate (handled) (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (2) Sent Access-Challenge Id 250 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (2) EAP-Message = 0x010503e819c000000b55160302005902000055030256d5a18b0261059d716b941222cf3855ea00c34b5e728dc7be087afa7d75606d2076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65c01400000dff01000100000b00040300010216030209990b000995000992000427 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x03015100148ca6ec523c504e518c74e2 (2) Finished request Waking up in 1.9 seconds. (3) - Received Access-Request Id 251 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319 (3) - User-Name = "anon@lboro.ac.uk" (3) - Chargeable-User-Identity = 0x00 (3) - Location-Capable = Civix-Location (3) - Calling-Station-Id = "18-cf-5e-12-75-c1" (3) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (3) - NAS-Port = 13 (3) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (3) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (3) - NAS-IP-Address = 10.53.253.14 (3) - NAS-IPv6-Address = 2001:630:301:9101::14 (3) - NAS-Identifier = "wism-sport-park-3" (3) - Airespace-Wlan-Id = 3 (3) - Service-Type = Framed-User (3) - Framed-MTU = 1300 (3) - NAS-Port-Type = Wireless-802.11 (3) - Tunnel-Type:0 = VLAN (3) - Tunnel-Medium-Type:0 = IEEE-802 (3) - Tunnel-Private-Group-Id:0 = "1112" (3) - EAP-Message = 0x020500061900 (3) - State = 0x03015100148ca6ec523c504e518c74e2 (3) - Message-Authenticator = 0xc2308e039d2d27171a1a80d5fa914f3e (3) - Running section authorize from file /etc/raddb/sites-enabled/lboro (3) - authorize { (3) - nagios_check { (3) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (3) - ... (3) - } (3) - } # nagios_check (notfound) (3) - wism_check { (3) - if (User-Name =~ /wism-check/ ) { (3) - ... (3) - } (3) - } # wism_check (notfound) (3) - filter_duff_realms { (3) - if (User-Name =~ /\\.ax\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /lboro$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (3) - ... (3) - } (3) - elsif (User-Name =~ /myabc\\.com$/i) { (3) - ... (3) - } (3) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (3) - ... (3) - } (3) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (3) - ... (3) - } (3) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (3) - ... (3) - } (3) - } # filter_duff_realms (notfound) (3) - filter_username { (3) - if (!&User-Name) { (3) - ... (3) - } (3) - if (&User-Name =~ / /) { (3) - ... (3) - } (3) - if (&User-Name =~ /@.*@/ ) { (3) - ... (3) - } (3) - if (&User-Name =~ /\.\./ ) { (3) - ... (3) - } (3) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) - ... (3) - } (3) - if (&User-Name =~ /\.$/) { (3) - ... (3) - } (3) - if (&User-Name =~ /@\./) { (3) - ... (3) - } (3) - } # filter_username (notfound) (3) preprocess (ok) (3) operator-name.authorize { (3) if ("%{client:Operator-Name}") { (3) EXPAND %{client:Operator-Name} (3) --> (3) ... (3) } (3) } # operator-name.authorize (ok) (3) cui.authorize { (3) if ("%{client:add_cui}" == 'yes') { (3) EXPAND %{client:add_cui} (3) --> yes (3) update request { (3) &Chargeable-User-Identity := 0x00 (3) } # update request (noop) (3) } # if ("%{client:add_cui}" == 'yes') (noop) (3) } # cui.authorize (noop) (3) suffix - Checking for suffix after "@" (3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (3) suffix - Found realm "lboro.ac.uk" (3) suffix - Adding Stripped-User-Name = "anon" (3) suffix - Adding Realm = "lboro.ac.uk" (3) suffix - Authentication realm is LOCAL (3) suffix (ok) (3) ntdomain - Request already has destination realm set. Ignoring (3) ntdomain (noop) (3) if ( Called-Station-Id =~ /:eduroam$/ ) { (3) ... (3) } (3) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (3) ... (3) } (3) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (3) EXPAND %{client:group} (3) --> wireless (3) ... (3) } (3) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (3) ... (3) } (3) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (3) ... (3) } (3) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (3) ... (3) } (3) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (3) ... (3) } (3) elsif ( Realm == "lsu.co.uk" ) { (3) ... (3) } (3) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (3) ... (3) } (3) else { (3) update request { (3) &Realm := local (3) } # update request (noop) (3) } # else (noop) (3) eap - Peer sent EAP Response (code 2) ID 5 length 6 (3) eap - Continuing tunnel setup (3) eap (ok) (3) } # authorize (ok) (3) Using 'Auth-Type = eap' for authenticate {...} (3) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (3) authenticate { (3) eap - Peer sent packet with EAP method PEAP (25) (3) eap - Calling submodule eap_peap to process data (3) eap_peap - Continuing EAP-TLS (3) eap_peap - Peer ACKed our handshake fragment (3) eap_peap - [eap-tls verify] = request (3) eap_peap - Sending additional TLS record fragment (994 bytes), 917 bytes remaining (3) eap_peap - [eap-tls process] = handled (3) eap - Sending EAP Request (code 1) ID 6 length 1000 (3) eap (handled) (3) } # authenticate (handled) (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (3) Sent Access-Challenge Id 251 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (3) EAP-Message = 0x010603e81940c11f90d2b74ee65a1109bc0009cc59bb16b11c4d981df09929ef3b97d4d9c5040db5321c087b14c214be61a7ff6eb953828ff106bb4180f20d7ba5a7781ef72b286dbe7d9b98dd2c43a67d4e87108d1d22a3253b103f2b5daf5115457e670fcc117461e793aef0eb01f72340aa8042b007 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x040751002306bedc523c504e518c74e2 (3) Finished request Waking up in 1.9 seconds. (4) - Received Access-Request Id 252 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319 (4) - User-Name = "anon@lboro.ac.uk" (4) - Chargeable-User-Identity = 0x00 (4) - Location-Capable = Civix-Location (4) - Calling-Station-Id = "18-cf-5e-12-75-c1" (4) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (4) - NAS-Port = 13 (4) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (4) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (4) - NAS-IP-Address = 10.53.253.14 (4) - NAS-IPv6-Address = 2001:630:301:9101::14 (4) - NAS-Identifier = "wism-sport-park-3" (4) - Airespace-Wlan-Id = 3 (4) - Service-Type = Framed-User (4) - Framed-MTU = 1300 (4) - NAS-Port-Type = Wireless-802.11 (4) - Tunnel-Type:0 = VLAN (4) - Tunnel-Medium-Type:0 = IEEE-802 (4) - Tunnel-Private-Group-Id:0 = "1112" (4) - EAP-Message = 0x020600061900 (4) - State = 0x040751002306bedc523c504e518c74e2 (4) - Message-Authenticator = 0x9e01e0203a757d408a33b0e6da2d6371 (4) - Running section authorize from file /etc/raddb/sites-enabled/lboro (4) - authorize { (4) - nagios_check { (4) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (4) - ... (4) - } (4) - } # nagios_check (notfound) (4) - wism_check { (4) - if (User-Name =~ /wism-check/ ) { (4) - ... (4) - } (4) - } # wism_check (notfound) (4) - filter_duff_realms { (4) - if (User-Name =~ /\\.ax\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /lboro$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (4) - ... (4) - } (4) - elsif (User-Name =~ /myabc\\.com$/i) { (4) - ... (4) - } (4) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (4) - ... (4) - } (4) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (4) - ... (4) - } (4) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (4) - ... (4) - } (4) - } # filter_duff_realms (notfound) (4) - filter_username { (4) - if (!&User-Name) { (4) - ... (4) - } (4) - if (&User-Name =~ / /) { (4) - ... (4) - } (4) - if (&User-Name =~ /@.*@/ ) { (4) - ... (4) - } (4) - if (&User-Name =~ /\.\./ ) { (4) - ... (4) - } (4) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) - ... (4) - } (4) - if (&User-Name =~ /\.$/) { (4) - ... (4) - } (4) - if (&User-Name =~ /@\./) { (4) - ... (4) - } (4) - } # filter_username (notfound) (4) preprocess (ok) (4) operator-name.authorize { (4) if ("%{client:Operator-Name}") { (4) EXPAND %{client:Operator-Name} (4) --> (4) ... (4) } (4) } # operator-name.authorize (ok) (4) cui.authorize { (4) if ("%{client:add_cui}" == 'yes') { (4) EXPAND %{client:add_cui} (4) --> yes (4) update request { (4) &Chargeable-User-Identity := 0x00 (4) } # update request (noop) (4) } # if ("%{client:add_cui}" == 'yes') (noop) (4) } # cui.authorize (noop) (4) suffix - Checking for suffix after "@" (4) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (4) suffix - Found realm "lboro.ac.uk" (4) suffix - Adding Stripped-User-Name = "anon" (4) suffix - Adding Realm = "lboro.ac.uk" (4) suffix - Authentication realm is LOCAL (4) suffix (ok) (4) ntdomain - Request already has destination realm set. Ignoring (4) ntdomain (noop) (4) if ( Called-Station-Id =~ /:eduroam$/ ) { (4) ... (4) } (4) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (4) ... (4) } (4) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (4) EXPAND %{client:group} (4) --> wireless (4) ... (4) } (4) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (4) ... (4) } (4) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (4) ... (4) } (4) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (4) ... (4) } (4) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (4) ... (4) } (4) elsif ( Realm == "lsu.co.uk" ) { (4) ... (4) } (4) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (4) ... (4) } (4) else { (4) update request { (4) &Realm := local (4) } # update request (noop) (4) } # else (noop) (4) eap - Peer sent EAP Response (code 2) ID 6 length 6 (4) eap - Continuing tunnel setup (4) eap (ok) (4) } # authorize (ok) (4) Using 'Auth-Type = eap' for authenticate {...} (4) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (4) authenticate { (4) eap - Peer sent packet with EAP method PEAP (25) (4) eap - Calling submodule eap_peap to process data (4) eap_peap - Continuing EAP-TLS (4) eap_peap - Peer ACKed our handshake fragment (4) eap_peap - [eap-tls verify] = request (4) eap_peap - Sending final TLS record fragment (917 bytes) (4) eap_peap - [eap-tls process] = handled (4) eap - Sending EAP Request (code 1) ID 7 length 923 (4) eap (handled) (4) } # authenticate (handled) (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (4) Sent Access-Challenge Id 252 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (4) EAP-Message = 0x0107039b19007d6e67ce70384eded3ef06352db77da33a308201050603551d230481fd3081fa80140cf5aa7d6e67ce70384eded3ef06352db77da33aa181d6a481d33081d0310b3009060355040613024742311730150603550408130e4c65696365737465727368697265311530130603550407130c4c (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x05015100148ca6ec523c504e518c74e2 (4) Finished request Waking up in 1.9 seconds. (5) - Received Access-Request Id 253 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 473 (5) - User-Name = "anon@lboro.ac.uk" (5) - Chargeable-User-Identity = 0x00 (5) - Location-Capable = Civix-Location (5) - Calling-Station-Id = "18-cf-5e-12-75-c1" (5) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (5) - NAS-Port = 13 (5) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (5) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (5) - NAS-IP-Address = 10.53.253.14 (5) - NAS-IPv6-Address = 2001:630:301:9101::14 (5) - NAS-Identifier = "wism-sport-park-3" (5) - Airespace-Wlan-Id = 3 (5) - Service-Type = Framed-User (5) - Framed-MTU = 1300 (5) - NAS-Port-Type = Wireless-802.11 (5) - Tunnel-Type:0 = VLAN (5) - Tunnel-Medium-Type:0 = IEEE-802 (5) - Tunnel-Private-Group-Id:0 = "1112" (5) - EAP-Message = 0x020700a01980000000961603020046100000424104a1568ed754dd3f72a95e77cd1df1c55abf297742c6079bb39cdecf1f53cf855797776f56e08eacd682c5125da973f5f90ae119460d913d6b4757b78f288010651403020001011603020040fda3db9fe7afd24c7177fcafd292f1419d55de5910015b (5) - State = 0x05015100148ca6ec523c504e518c74e2 (5) - Message-Authenticator = 0xe49aaca6ee4e0e1119ed3410ae02cb7d (5) - Running section authorize from file /etc/raddb/sites-enabled/lboro (5) - authorize { (5) - nagios_check { (5) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (5) - ... (5) - } (5) - } # nagios_check (notfound) (5) - wism_check { (5) - if (User-Name =~ /wism-check/ ) { (5) - ... (5) - } (5) - } # wism_check (notfound) (5) - filter_duff_realms { (5) - if (User-Name =~ /\\.ax\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /lboro$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (5) - ... (5) - } (5) - elsif (User-Name =~ /myabc\\.com$/i) { (5) - ... (5) - } (5) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (5) - ... (5) - } (5) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (5) - ... (5) - } (5) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (5) - ... (5) - } (5) - } # filter_duff_realms (notfound) (5) - filter_username { (5) - if (!&User-Name) { (5) - ... (5) - } (5) - if (&User-Name =~ / /) { (5) - ... (5) - } (5) - if (&User-Name =~ /@.*@/ ) { (5) - ... (5) - } (5) - if (&User-Name =~ /\.\./ ) { (5) - ... (5) - } (5) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) - ... (5) - } (5) - if (&User-Name =~ /\.$/) { (5) - ... (5) - } (5) - if (&User-Name =~ /@\./) { (5) - ... (5) - } (5) - } # filter_username (notfound) (5) preprocess (ok) (5) operator-name.authorize { (5) if ("%{client:Operator-Name}") { (5) EXPAND %{client:Operator-Name} (5) --> (5) ... (5) } (5) } # operator-name.authorize (ok) (5) cui.authorize { (5) if ("%{client:add_cui}" == 'yes') { (5) EXPAND %{client:add_cui} (5) --> yes (5) update request { (5) &Chargeable-User-Identity := 0x00 (5) } # update request (noop) (5) } # if ("%{client:add_cui}" == 'yes') (noop) (5) } # cui.authorize (noop) (5) suffix - Checking for suffix after "@" (5) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (5) suffix - Found realm "lboro.ac.uk" (5) suffix - Adding Stripped-User-Name = "anon" (5) suffix - Adding Realm = "lboro.ac.uk" (5) suffix - Authentication realm is LOCAL (5) suffix (ok) (5) ntdomain - Request already has destination realm set. Ignoring (5) ntdomain (noop) (5) if ( Called-Station-Id =~ /:eduroam$/ ) { (5) ... (5) } (5) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (5) ... (5) } (5) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (5) EXPAND %{client:group} (5) --> wireless (5) ... (5) } (5) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (5) ... (5) } (5) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (5) ... (5) } (5) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (5) ... (5) } (5) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (5) ... (5) } (5) elsif ( Realm == "lsu.co.uk" ) { (5) ... (5) } (5) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (5) ... (5) } (5) else { (5) update request { (5) &Realm := local (5) } # update request (noop) (5) } # else (noop) (5) eap - Peer sent EAP Response (code 2) ID 7 length 160 (5) eap - Continuing tunnel setup (5) eap (ok) (5) } # authorize (ok) (5) Using 'Auth-Type = eap' for authenticate {...} (5) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (5) authenticate { (5) eap - Peer sent packet with EAP method PEAP (25) (5) eap - Calling submodule eap_peap to process data (5) eap_peap - Continuing EAP-TLS (5) eap_peap - Peer indicated complete TLS record size will be 150 bytes (5) eap_peap - Got complete TLS record, with length field (150 bytes) (5) eap_peap - [eap-tls verify] = ok (5) eap_peap - <<< recv handshake [length 70], client_key_exchange (5) eap_peap - TLS Accept: SSLv3 read client key exchange A (5) eap_peap - <<< recv change_cipher_spec [length 1] (5) eap_peap - <<< recv handshake [length 16], finished (5) eap_peap - TLS Accept: SSLv3 read finished A (5) eap_peap - >>> send change_cipher_spec [length 1] (5) eap_peap - TLS Accept: SSLv3 write change cipher spec A (5) eap_peap - >>> send handshake [length 16], finished (5) eap_peap - TLS Accept: SSLv3 write finished A (5) eap_peap - TLS Accept: SSLv3 flush data (5) eap_peap - &TLS-Session-Id = 0x76d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65 (5) eap_peap - &config:TLS-Session-Cache-Action = Write (5) eap_peap - &session-state:TLS-Session-Data = 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046 (5) Running Autz-Type Session-Cache-Write from file /etc/raddb/sites-enabled/tls-cache (5) Autz-Type Session-Cache-Write { (5) update control { (5) &control:Cache-TTL := 0 (5) } # update control (noop) (5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093 (5) cache_tls_session - Reserved connection (0) (5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379 (5) cache_tls_session - [3] <<< Returned: success (5) cache_tls_session - Released connection (0) (5) cache_tls_session - No cache entry found for "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" (5) cache_tls_session - Creating new cache entry (5) cache_tls_session - &session-state:TLS-Session-Data := &session-state:TLS-Session-Data -> 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046522065617020307832386434353130 (5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093 (5) cache_tls_session - Reserved connection (1) (5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379 (5) cache_tls_session - [3] <<< Returned: success (5) cache_tls_session - Released connection (1) (5) cache_tls_session - Committed entry, TTL 3600 seconds (5) cache_tls_session - Removing &control:Cache-TTL (5) cache_tls_session (ok) (5) } # Autz-Type Session-Cache-Write (ok) (5) eap_peap - SSL negotiation finished successfully (5) eap_peap - TLS established with cipher suite: ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 (5) eap_peap - Sending complete TLS record (75 bytes) (5) eap_peap - [eap-tls process] = handled (5) eap - Sending EAP Request (code 1) ID 8 length 85 (5) eap (handled) (5) } # authenticate (handled) (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (5) Sent Access-Challenge Id 253 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (5) EAP-Message = 0x0108005519800000004b1403020001011603020040c4d3afd74b9a05f561d6b102b9650cfbedd82c0fbec9829aedc29f7522df2d1eaf21e1521aee2dbea62ed8ccfd75b59c28289fddff69b2a7b403ed50e789fec1 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x060351002306bedc523c504e518c74e2 (5) Finished request Waking up in 1.9 seconds. (6) - Received Accounting-Request Id 72 from 10.51.2.44:1646 to 158.125.161.128:1813 via ens160 length 127 (6) - Acct-Session-Id = "00001ED6" (6) - Calling-Station-Id = "E8-94-F6-E3-73-EC" (6) - Acct-Authentic = Local (6) - Acct-Status-Type = Start (6) - NAS-Port-Type = Ethernet (6) - NAS-Port = 50002 (6) - NAS-Port-Id = "FastEthernet0/2" (6) - Called-Station-Id = "00-1B-8F-1A-17-82" (6) - Service-Type = Framed-User (6) - NAS-IP-Address = 10.51.2.44 (6) - Acct-Delay-Time = 20 (6) - Running section preacct from file /etc/raddb/sites-enabled/lboro (6) - preacct { (6) preprocess (ok) (6) acct_counters64.preacct { (6) update request { (6) EXPAND %{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets} (6) WARNING: Can't find &Acct-Input-Gigawords. Using 0 as operand value (6) WARNING: Can't find &Acct-Input-Octets. Using 0 as operand value (6) --> 0 (6) &Acct-Input-Octets64 = 0 (6) EXPAND %{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets} (6) WARNING: Can't find &Acct-Output-Gigawords. Using 0 as operand value (6) WARNING: Can't find &Acct-Output-Octets. Using 0 as operand value (6) --> 0 (6) &Acct-Output-Octets64 = 0 (6) } # update request (noop) (6) } # acct_counters64.preacct (noop) (6) update request { (6) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} (6) --> 1456841080 (6) &FreeRADIUS-Acct-Session-Start-Time = Mar 1 2016 14:04:40 GMT (6) } # update request (noop) (6) acct_unique { (6) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (6) EXPAND %{string:Class} (6) --> (6) ... (6) } (6) else { (6) update request { (6) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (6) --> 0da3dd9e2370ee8eb568667ef3bea757 (6) &Acct-Unique-Session-Id := 0da3dd9e2370ee8eb568667ef3bea757 (6) } # update request (noop) (6) } # else (noop) (6) } # acct_unique (noop) (6) suffix (noop) (6) ntdomain (noop) (6) files (noop) (6) } # preacct (ok) (6) Running section accounting from file /etc/raddb/sites-enabled/lboro (6) accounting { (6) if (Acct-Session-Time != 0) { (6) ERROR: Condition evaluation failed because the value of an operand could not be determined (6) ... (6) } (6) sql - EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query} (6) sql - --> type.start.query (6) sql - Using query template 'query' (6) sql - Reserved connection (0) (6) sql - EXPAND %{User-Name} (6) sql - --> (6) sql - SQL-User-Name set to '' (6) sql - EXPAND INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet) (6) sql - --> INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet) (6) sql - Executing query: INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet) rlm_sql_postgresql - Status: PGRES_COMMAND_OK rlm_sql_postgresql - query affected rows = 1 (6) sql - SQL query returned: success (6) sql - 1 record(s) updated (6) sql - Released connection (0) (6) sql (ok) (6) if (noop) { (6) ... (6) } (6) attr_filter.accounting_response - EXPAND %{User-Name} (6) attr_filter.accounting_response - --> (6) attr_filter.accounting_response - Matched entry DEFAULT at line 12 (6) attr_filter.accounting_response (updated) (6) } # accounting (updated) (6) Sent Accounting-Response Id 72 from 158.125.161.128:1813 to 10.51.2.44:1646 via ens160 length 0 (6) Finished request (6) Cleaning up request packet ID 72 with timestamp +4 Waking up in 1.6 seconds. (7) - Received Access-Request Id 254 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319 (7) - User-Name = "anon@lboro.ac.uk" (7) - Chargeable-User-Identity = 0x00 (7) - Location-Capable = Civix-Location (7) - Calling-Station-Id = "18-cf-5e-12-75-c1" (7) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree" (7) - NAS-Port = 13 (7) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b" (7) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789" (7) - NAS-IP-Address = 10.53.253.14 (7) - NAS-IPv6-Address = 2001:630:301:9101::14 (7) - NAS-Identifier = "wism-sport-park-3" (7) - Airespace-Wlan-Id = 3 (7) - Service-Type = Framed-User (7) - Framed-MTU = 1300 (7) - NAS-Port-Type = Wireless-802.11 (7) - Tunnel-Type:0 = VLAN (7) - Tunnel-Medium-Type:0 = IEEE-802 (7) - Tunnel-Private-Group-Id:0 = "1112" (7) - EAP-Message = 0x020800061900 (7) - State = 0x060351002306bedc523c504e518c74e2 (7) - Message-Authenticator = 0xf70d79e724c5206f4b6e87dbae453927 (7) - Running section authorize from file /etc/raddb/sites-enabled/lboro (7) - authorize { (7) - nagios_check { (7) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (7) - ... (7) - } (7) - } # nagios_check (notfound) (7) - wism_check { (7) - if (User-Name =~ /wism-check/ ) { (7) - ... (7) - } (7) - } # wism_check (notfound) (7) - filter_duff_realms { (7) - if (User-Name =~ /\\.ax\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /\\.sc\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /\\.ac\\.u$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /lboro$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /3gppnetwork\\.org$/i) { (7) - ... (7) - } (7) - elsif (User-Name =~ /myabc\\.com$/i) { (7) - ... (7) - } (7) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (7) - ... (7) - } (7) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (7) - ... (7) - } (7) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (7) - ... (7) - } (7) - } # filter_duff_realms (notfound) (7) - filter_username { (7) - if (!&User-Name) { (7) - ... (7) - } (7) - if (&User-Name =~ / /) { (7) - ... (7) - } (7) - if (&User-Name =~ /@.*@/ ) { (7) - ... (7) - } (7) - if (&User-Name =~ /\.\./ ) { (7) - ... (7) - } (7) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) - ... (7) - } (7) - if (&User-Name =~ /\.$/) { (7) - ... (7) - } (7) - if (&User-Name =~ /@\./) { (7) - ... (7) - } (7) - } # filter_username (notfound) (7) preprocess (ok) (7) operator-name.authorize { (7) if ("%{client:Operator-Name}") { (7) EXPAND %{client:Operator-Name} (7) --> (7) ... (7) } (7) } # operator-name.authorize (ok) (7) cui.authorize { (7) if ("%{client:add_cui}" == 'yes') { (7) EXPAND %{client:add_cui} (7) --> yes (7) update request { (7) &Chargeable-User-Identity := 0x00 (7) } # update request (noop) (7) } # if ("%{client:add_cui}" == 'yes') (noop) (7) } # cui.authorize (noop) (7) suffix - Checking for suffix after "@" (7) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk" (7) suffix - Found realm "lboro.ac.uk" (7) suffix - Adding Stripped-User-Name = "anon" (7) suffix - Adding Realm = "lboro.ac.uk" (7) suffix - Authentication realm is LOCAL (7) suffix (ok) (7) ntdomain - Request already has destination realm set. Ignoring (7) ntdomain (noop) (7) if ( Called-Station-Id =~ /:eduroam$/ ) { (7) ... (7) } (7) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (7) ... (7) } (7) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (7) EXPAND %{client:group} (7) --> wireless (7) ... (7) } (7) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (7) ... (7) } (7) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (7) ... (7) } (7) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (7) ... (7) } (7) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (7) ... (7) } (7) elsif ( Realm == "lsu.co.uk" ) { (7) ... (7) } (7) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (7) ... (7) } (7) else { (7) update request { (7) &Realm := local (7) } # update request (noop) (7) } # else (noop) (7) eap - Peer sent EAP Response (code 2) ID 8 length 6 (7) eap - Continuing tunnel setup (7) eap (ok) (7) } # authorize (ok) (7) Using 'Auth-Type = eap' for authenticate {...} (7) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro (7) authenticate { (7) eap - Peer sent packet with EAP method PEAP (25) (7) eap - Calling submodule eap_peap to process data (7) eap_peap - Continuing EAP-TLS (7) eap_peap - Peer ACKed our handshake fragment. handshake is finished (7) eap_peap - [eap-tls verify] = success (7) eap_peap - [eap-tls process] = success (7) eap_peap - Session established. Decoding tunneled data (7) eap_peap - PEAP state TUNNEL ESTABLISHED (7) eap_peap - Sending complete TLS record (53 bytes) (7) eap - Sending EAP Request (code 1) ID 9 length 63 (7) eap (handled) (7) } # authenticate (handled) (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro (7) Sent Access-Challenge Id 254 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0 (7) EAP-Message = 0x0109003f198000000035170302003094eda224ed5bd67356b6b9e5e9cb3f4e402a8774515ad7ff767acd2a8960e9fa58e5020503986828312b7c8b944a0e61 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x07015100148ca6ec523c504e518c74e2 (7) Finished request Waking up in 0.8 seconds. (0) Cleaning up request packet ID 248 with timestamp +3 (1) Cleaning up request packet ID 249 with timestamp +3 (2) Cleaning up request packet ID 250 with timestamp +3 (3) Cleaning up request packet ID 251 with timestamp +3 (4) Cleaning up request packet ID 252 with timestamp +3 (5) Cleaning up request packet ID 253 with timestamp +3 Waking up in 1.0 seconds. (7) Cleaning up request packet ID 254 with timestamp +5 Ready to process requests