Thank you Alan for your response, After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate succesfully with a different user that has no expired password.. (0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234 (0) User-Name = 'vdiuser001' (0) Calling-Station-Id = '00-c0-a8-c6-d7-79' (0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (0) NAS-Port = 13 (0) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (0) NAS-IP-Address = 10.70.1.1 (0) NAS-Identifier = 'Cisco-WLC-5508' (0) Airespace-Wlan-Id = 9 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = '212' (0) EAP-Message = 0x0202000f0176646975736572303031 (0) Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent code Response (2) ID 2 length 15 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent method Identity (1) (0) eap: Calling eap_peap to process EAP data (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: Initiate (0) eap_peap: Start returned 1 (0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfcd853a7fcdb4aafb400e9d91b88b168 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378 (1) User-Name = 'vdiuser001' (1) Calling-Station-Id = '00-c0-a8-c6-d7-79' (1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (1) NAS-Port = 13 (1) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (1) NAS-IP-Address = 10.70.1.1 (1) NAS-Identifier = 'Cisco-WLC-5508' (1) Airespace-Wlan-Id = 9 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = '212' (1) EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100 (1) State = 0xfcd853a7fcdb4aafb400e9d91b88b168 (1) Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent code Response (2) ID 3 length 141 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf (1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf (1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list (1) eap: Peer sent method PEAP (25) (1) eap: EAP PEAP (25) (1) eap: Calling eap_peap to process EAP data (1) eap_peap: processing EAP-TLS (1) eap_peap: TLS Length 131 (1) eap_peap: Length Included (1) eap_peap: eaptls_verify returned 11 (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27 (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap: eaptls_process returned 13 (1) eap_peap: FR_TLS_HANDLED (1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (1) EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xfcd853a7fddc4aafb400e9d91b88b168 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (2) User-Name = 'vdiuser001' (2) Calling-Station-Id = '00-c0-a8-c6-d7-79' (2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (2) NAS-Port = 13 (2) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (2) NAS-IP-Address = 10.70.1.1 (2) NAS-Identifier = 'Cisco-WLC-5508' (2) Airespace-Wlan-Id = 9 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = '212' (2) EAP-Message = 0x020400061900 (2) State = 0xfcd853a7fddc4aafb400e9d91b88b168 (2) Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent code Response (2) ID 4 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf (2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf (2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list (2) eap: Peer sent method PEAP (25) (2) eap: EAP PEAP (25) (2) eap: Calling eap_peap to process EAP data (2) eap_peap: processing EAP-TLS (2) eap_peap: Received TLS ACK (2) eap_peap: Received TLS ACK (2) eap_peap: ACK handshake fragment handler (2) eap_peap: eaptls_verify returned 1 (2) eap_peap: eaptls_process returned 13 (2) eap_peap: FR_TLS_HANDLED (2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xfcd853a7fedd4aafb400e9d91b88b168 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (3) User-Name = 'vdiuser001' (3) Calling-Station-Id = '00-c0-a8-c6-d7-79' (3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (3) NAS-Port = 13 (3) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (3) NAS-IP-Address = 10.70.1.1 (3) NAS-Identifier = 'Cisco-WLC-5508' (3) Airespace-Wlan-Id = 9 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = '212' (3) EAP-Message = 0x020500061900 (3) State = 0xfcd853a7fedd4aafb400e9d91b88b168 (3) Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent code Response (2) ID 5 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf (3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf (3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list (3) eap: Peer sent method PEAP (25) (3) eap: EAP PEAP (25) (3) eap: Calling eap_peap to process EAP data (3) eap_peap: processing EAP-TLS (3) eap_peap: Received TLS ACK (3) eap_peap: Received TLS ACK (3) eap_peap: ACK handshake fragment handler (3) eap_peap: eaptls_verify returned 1 (3) eap_peap: eaptls_process returned 13 (3) eap_peap: FR_TLS_HANDLED (3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (3) EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xfcd853a7ffde4aafb400e9d91b88b168 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381 (4) User-Name = 'vdiuser001' (4) Calling-Station-Id = '00-c0-a8-c6-d7-79' (4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (4) NAS-Port = 13 (4) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (4) NAS-IP-Address = 10.70.1.1 (4) NAS-Identifier = 'Cisco-WLC-5508' (4) Airespace-Wlan-Id = 9 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = '212' (4) EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379 (4) State = 0xfcd853a7ffde4aafb400e9d91b88b168 (4) Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent code Response (2) ID 6 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf (4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf (4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list (4) eap: Peer sent method PEAP (25) (4) eap: EAP PEAP (25) (4) eap: Calling eap_peap to process EAP data (4) eap_peap: processing EAP-TLS (4) eap_peap: TLS Length 134 (4) eap_peap: Length Included (4) eap_peap: eaptls_verify returned 11 (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache (4) eap_peap: (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap: eaptls_process returned 13 (4) eap_peap: FR_TLS_HANDLED (4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (4) EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xfcd853a7f8df4aafb400e9d91b88b168 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (5) User-Name = 'vdiuser001' (5) Calling-Station-Id = '00-c0-a8-c6-d7-79' (5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (5) NAS-Port = 13 (5) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (5) NAS-IP-Address = 10.70.1.1 (5) NAS-Identifier = 'Cisco-WLC-5508' (5) Airespace-Wlan-Id = 9 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = '212' (5) EAP-Message = 0x020700061900 (5) State = 0xfcd853a7f8df4aafb400e9d91b88b168 (5) Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent code Response (2) ID 7 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf (5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf (5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list (5) eap: Peer sent method PEAP (25) (5) eap: EAP PEAP (25) (5) eap: Calling eap_peap to process EAP data (5) eap_peap: processing EAP-TLS (5) eap_peap: Received TLS ACK (5) eap_peap: Received TLS ACK (5) eap_peap: ACK handshake is finished (5) eap_peap: eaptls_verify returned 3 (5) eap_peap: eaptls_process returned 3 (5) eap_peap: FR_TLS_SUCCESS (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (5) EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xfcd853a7f9d04aafb400e9d91b88b168 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280 (6) User-Name = 'vdiuser001' (6) Calling-Station-Id = '00-c0-a8-c6-d7-79' (6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (6) NAS-Port = 13 (6) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (6) NAS-IP-Address = 10.70.1.1 (6) NAS-Identifier = 'Cisco-WLC-5508' (6) Airespace-Wlan-Id = 9 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = '212' (6) EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138 (6) State = 0xfcd853a7f9d04aafb400e9d91b88b168 (6) Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent code Response (2) ID 8 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf (6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf (6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list (6) eap: Peer sent method PEAP (25) (6) eap: EAP PEAP (25) (6) eap: Calling eap_peap to process EAP data (6) eap_peap: processing EAP-TLS (6) eap_peap: eaptls_verify returned 7 (6) eap_peap: Done initial handshake (6) eap_peap: eaptls_process returned 7 (6) eap_peap: FR_TLS_OK (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - vdiuser001 (6) eap_peap: Got inner identity 'vdiuser001' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031 (6) eap_peap: Setting User-Name to vdiuser001 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = 'vdiuser001' (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0208000f0176646975736572303031 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = 'vdiuser001' (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent code Response (2) ID 8 length 15 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent method Identity (1) (6) eap: Calling eap_mschapv2 to process EAP data (6) eap_mschapv2: Issuing Challenge (6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled Access-Challenge (6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (6) EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xfcd853a7fad14aafb400e9d91b88b168 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344 (7) User-Name = 'vdiuser001' (7) Calling-Station-Id = '00-c0-a8-c6-d7-79' (7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (7) NAS-Port = 13 (7) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (7) NAS-IP-Address = 10.70.1.1 (7) NAS-Identifier = 'Cisco-WLC-5508' (7) Airespace-Wlan-Id = 9 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = '212' (7) EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce (7) State = 0xfcd853a7fad14aafb400e9d91b88b168 (7) Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent code Response (2) ID 9 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f (7) eap: Finished EAP session with state 0xfcd853a7fad14aaf (7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list (7) eap: Peer sent method PEAP (25) (7) eap: EAP PEAP (25) (7) eap: Calling eap_peap to process EAP data (7) eap_peap: processing EAP-TLS (7) eap_peap: eaptls_verify returned 7 (7) eap_peap: Done initial handshake (7) eap_peap: eaptls_process returned 7 (7) eap_peap: FR_TLS_OK (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP type MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) eap_peap: Setting User-Name to vdiuser001 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = 'vdiuser001' (7) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = 'vdiuser001' (7) State = 0x6a2b492e6a22538fe503884f9d44e7ff (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 9 length 69 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> vdiuser001 (7) sql: SQL-User-Name set to 'vdiuser001' rlm_sql (sql): Reserved connection (0) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (0) rlm_sql (sql): Closing connection (1), from 1 unused connections rlm_sql_mysql: Socket destructor called, closing socket (7) [sql] = notfound rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (sAMAccountName=vdiuser001) (7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Closing connection (1), from 1 unused connections (7) [ldap] = ok (7) if (control:Ldap-UserDn =~ /OU=EDU/) { (7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) { (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) { (7) update control { (7) Simultaneous-Use := 3 (7) } # update control = noop (7) update outer.session-state { (7) Tunnel-type = VLAN (7) Tunnel-medium-type = IEEE-802 (7) Tunnel-Private-Group-Id = PRS-WIFI-Client (7) } # update outer.session-state = noop (7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop (7) ... skipping elsif for request 7: Preceding "if" was taken (7) ... skipping else for request 7: Preceding "if" was taken (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f (7) eap: Finished EAP session with state 0x6a2b492e6a22538f (7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list (7) eap: Peer sent method MSCHAPv2 (26) (7) eap: EAP MSCHAPv2 (26) (7) eap: Calling eap_mschapv2 to process EAP data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: Auth-Type MS-CHAP { (7) mschap: Creating challenge hash with username: vdiuser001 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=vdiuser001 (7) mschap: Creating challenge hash with username: vdiuser001 (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=9f432e6abc4ec74e (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0 (7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)' (7) mschap: ERROR: Must change password (0xc0000224) (7) mschap: Password has expired. The user should retry authentication (7) [mschap] = reject (7) } # Auth-Type MS-CHAP = reject (7) MSCHAP-Error: E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired (7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d (7) ERROR: MSCHAP Failure (7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled Access-Challenge (7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) Tunnel-Type = VLAN (7) Tunnel-Medium-Type = IEEE-802 (7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client' (7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (7) EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xfcd853a7fbd24aafb400e9d91b88b168 (7) Finished request ----------------------------------------
From: richardvanderveen@outlook.com To: a.l.m.buxey@lboro.ac.uk Subject: RE: Pass change/expiry problem Date: Wed, 3 Jun 2015 15:34:45 +0200
Thank you Alan for your response,
After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate succesfully with a different user that has no expired password..
(0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234 (0) User-Name = 'vdiuser001' (0) Calling-Station-Id = '00-c0-a8-c6-d7-79' (0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (0) NAS-Port = 13 (0) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (0) NAS-IP-Address = 10.70.1.1 (0) NAS-Identifier = 'Cisco-WLC-5508' (0) Airespace-Wlan-Id = 9 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = '212' (0) EAP-Message = 0x0202000f0176646975736572303031 (0) Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent code Response (2) ID 2 length 15 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent method Identity (1) (0) eap: Calling eap_peap to process EAP data (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: Initiate (0) eap_peap: Start returned 1 (0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfcd853a7fcdb4aafb400e9d91b88b168 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378 (1) User-Name = 'vdiuser001' (1) Calling-Station-Id = '00-c0-a8-c6-d7-79' (1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (1) NAS-Port = 13 (1) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (1) NAS-IP-Address = 10.70.1.1 (1) NAS-Identifier = 'Cisco-WLC-5508' (1) Airespace-Wlan-Id = 9 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = '212' (1) EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100 (1) State = 0xfcd853a7fcdb4aafb400e9d91b88b168 (1) Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent code Response (2) ID 3 length 141 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf (1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf (1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list (1) eap: Peer sent method PEAP (25) (1) eap: EAP PEAP (25) (1) eap: Calling eap_peap to process EAP data (1) eap_peap: processing EAP-TLS (1) eap_peap: TLS Length 131 (1) eap_peap: Length Included (1) eap_peap: eaptls_verify returned 11 (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27 (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap: eaptls_process returned 13 (1) eap_peap: FR_TLS_HANDLED (1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (1) EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xfcd853a7fddc4aafb400e9d91b88b168 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (2) User-Name = 'vdiuser001' (2) Calling-Station-Id = '00-c0-a8-c6-d7-79' (2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (2) NAS-Port = 13 (2) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (2) NAS-IP-Address = 10.70.1.1 (2) NAS-Identifier = 'Cisco-WLC-5508' (2) Airespace-Wlan-Id = 9 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = '212' (2) EAP-Message = 0x020400061900 (2) State = 0xfcd853a7fddc4aafb400e9d91b88b168 (2) Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent code Response (2) ID 4 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf (2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf (2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list (2) eap: Peer sent method PEAP (25) (2) eap: EAP PEAP (25) (2) eap: Calling eap_peap to process EAP data (2) eap_peap: processing EAP-TLS (2) eap_peap: Received TLS ACK (2) eap_peap: Received TLS ACK (2) eap_peap: ACK handshake fragment handler (2) eap_peap: eaptls_verify returned 1 (2) eap_peap: eaptls_process returned 13 (2) eap_peap: FR_TLS_HANDLED (2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xfcd853a7fedd4aafb400e9d91b88b168 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (3) User-Name = 'vdiuser001' (3) Calling-Station-Id = '00-c0-a8-c6-d7-79' (3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (3) NAS-Port = 13 (3) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (3) NAS-IP-Address = 10.70.1.1 (3) NAS-Identifier = 'Cisco-WLC-5508' (3) Airespace-Wlan-Id = 9 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = '212' (3) EAP-Message = 0x020500061900 (3) State = 0xfcd853a7fedd4aafb400e9d91b88b168 (3) Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent code Response (2) ID 5 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf (3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf (3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list (3) eap: Peer sent method PEAP (25) (3) eap: EAP PEAP (25) (3) eap: Calling eap_peap to process EAP data (3) eap_peap: processing EAP-TLS (3) eap_peap: Received TLS ACK (3) eap_peap: Received TLS ACK (3) eap_peap: ACK handshake fragment handler (3) eap_peap: eaptls_verify returned 1 (3) eap_peap: eaptls_process returned 13 (3) eap_peap: FR_TLS_HANDLED (3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (3) EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xfcd853a7ffde4aafb400e9d91b88b168 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381 (4) User-Name = 'vdiuser001' (4) Calling-Station-Id = '00-c0-a8-c6-d7-79' (4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (4) NAS-Port = 13 (4) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (4) NAS-IP-Address = 10.70.1.1 (4) NAS-Identifier = 'Cisco-WLC-5508' (4) Airespace-Wlan-Id = 9 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = '212' (4) EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379 (4) State = 0xfcd853a7ffde4aafb400e9d91b88b168 (4) Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent code Response (2) ID 6 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf (4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf (4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list (4) eap: Peer sent method PEAP (25) (4) eap: EAP PEAP (25) (4) eap: Calling eap_peap to process EAP data (4) eap_peap: processing EAP-TLS (4) eap_peap: TLS Length 134 (4) eap_peap: Length Included (4) eap_peap: eaptls_verify returned 11 (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache (4) eap_peap: (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap: eaptls_process returned 13 (4) eap_peap: FR_TLS_HANDLED (4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (4) EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xfcd853a7f8df4aafb400e9d91b88b168 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243 (5) User-Name = 'vdiuser001' (5) Calling-Station-Id = '00-c0-a8-c6-d7-79' (5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (5) NAS-Port = 13 (5) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (5) NAS-IP-Address = 10.70.1.1 (5) NAS-Identifier = 'Cisco-WLC-5508' (5) Airespace-Wlan-Id = 9 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = '212' (5) EAP-Message = 0x020700061900 (5) State = 0xfcd853a7f8df4aafb400e9d91b88b168 (5) Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent code Response (2) ID 7 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf (5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf (5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list (5) eap: Peer sent method PEAP (25) (5) eap: EAP PEAP (25) (5) eap: Calling eap_peap to process EAP data (5) eap_peap: processing EAP-TLS (5) eap_peap: Received TLS ACK (5) eap_peap: Received TLS ACK (5) eap_peap: ACK handshake is finished (5) eap_peap: eaptls_verify returned 3 (5) eap_peap: eaptls_process returned 3 (5) eap_peap: FR_TLS_SUCCESS (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (5) EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xfcd853a7f9d04aafb400e9d91b88b168 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280 (6) User-Name = 'vdiuser001' (6) Calling-Station-Id = '00-c0-a8-c6-d7-79' (6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (6) NAS-Port = 13 (6) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (6) NAS-IP-Address = 10.70.1.1 (6) NAS-Identifier = 'Cisco-WLC-5508' (6) Airespace-Wlan-Id = 9 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = '212' (6) EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138 (6) State = 0xfcd853a7f9d04aafb400e9d91b88b168 (6) Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent code Response (2) ID 8 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf (6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf (6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list (6) eap: Peer sent method PEAP (25) (6) eap: EAP PEAP (25) (6) eap: Calling eap_peap to process EAP data (6) eap_peap: processing EAP-TLS (6) eap_peap: eaptls_verify returned 7 (6) eap_peap: Done initial handshake (6) eap_peap: eaptls_process returned 7 (6) eap_peap: FR_TLS_OK (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - vdiuser001 (6) eap_peap: Got inner identity 'vdiuser001' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031 (6) eap_peap: Setting User-Name to vdiuser001 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = 'vdiuser001' (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0208000f0176646975736572303031 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = 'vdiuser001' (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent code Response (2) ID 8 length 15 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent method Identity (1) (6) eap: Calling eap_mschapv2 to process EAP data (6) eap_mschapv2: Issuing Challenge (6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (6) eap_peap: Got tunneled Access-Challenge (6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (6) EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xfcd853a7fad14aafb400e9d91b88b168 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344 (7) User-Name = 'vdiuser001' (7) Calling-Station-Id = '00-c0-a8-c6-d7-79' (7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test' (7) NAS-Port = 13 (7) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78' (7) NAS-IP-Address = 10.70.1.1 (7) NAS-Identifier = 'Cisco-WLC-5508' (7) Airespace-Wlan-Id = 9 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = '212' (7) EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce (7) State = 0xfcd853a7fad14aafb400e9d91b88b168 (7) Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent code Response (2) ID 9 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f (7) eap: Finished EAP session with state 0xfcd853a7fad14aaf (7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list (7) eap: Peer sent method PEAP (25) (7) eap: EAP PEAP (25) (7) eap: Calling eap_peap to process EAP data (7) eap_peap: processing EAP-TLS (7) eap_peap: eaptls_verify returned 7 (7) eap_peap: Done initial handshake (7) eap_peap: eaptls_process returned 7 (7) eap_peap: FR_TLS_OK (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP type MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) eap_peap: Setting User-Name to vdiuser001 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = 'vdiuser001' (7) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = 'vdiuser001' (7) State = 0x6a2b492e6a22538fe503884f9d44e7ff (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 9 length 69 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> vdiuser001 (7) sql: SQL-User-Name set to 'vdiuser001' rlm_sql (sql): Reserved connection (0) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority (7) sql: User not found in any groups rlm_sql (sql): Released connection (0) rlm_sql (sql): Closing connection (1), from 1 unused connections rlm_sql_mysql: Socket destructor called, closing socket (7) [sql] = notfound rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (sAMAccountName=vdiuser001) (7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Closing connection (1), from 1 unused connections (7) [ldap] = ok (7) if (control:Ldap-UserDn =~ /OU=EDU/) { (7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) { (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) { (7) update control { (7) Simultaneous-Use := 3 (7) } # update control = noop (7) update outer.session-state { (7) Tunnel-type = VLAN (7) Tunnel-medium-type = IEEE-802 (7) Tunnel-Private-Group-Id = PRS-WIFI-Client (7) } # update outer.session-state = noop (7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop (7) ... skipping elsif for request 7: Preceding "if" was taken (7) ... skipping else for request 7: Preceding "if" was taken (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f (7) eap: Finished EAP session with state 0x6a2b492e6a22538f (7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list (7) eap: Peer sent method MSCHAPv2 (26) (7) eap: EAP MSCHAPv2 (26) (7) eap: Calling eap_mschapv2 to process EAP data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: Auth-Type MS-CHAP { (7) mschap: Creating challenge hash with username: vdiuser001 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=vdiuser001 (7) mschap: Creating challenge hash with username: vdiuser001 (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=9f432e6abc4ec74e (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0 (7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)' (7) mschap: ERROR: Must change password (0xc0000224) (7) mschap: Password has expired. The user should retry authentication (7) [mschap] = reject (7) } # Auth-Type MS-CHAP = reject (7) MSCHAP-Error: E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired (7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d (7) ERROR: MSCHAP Failure (7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff (7) eap_peap: Got tunneled Access-Challenge (7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) Tunnel-Type = VLAN (7) Tunnel-Medium-Type = IEEE-802 (7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client' (7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0 (7) EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xfcd853a7fbd24aafb400e9d91b88b168 (7) Finished request
________________________________
Subject: Re: Pass change/expiry problem From: A.L.M.Buxey@lboro.ac.uk Date: Wed, 3 Jun 2015 08:20:33 +0100 To: freeradius-users@lists.freeradius.org; richardvanderveen@outlook.com; freeradius-users@lists.freeradius.org
I seem to recall a very recent change related to that feature. Can you try the latest pre 3.0.9 release (get it via git)?
alan