(0) Received Access-Request Id 28 from 192.168.40.112:59581 to 192.168.40.217:1812 length 409 (0) User-Name = "cisco@realm.local" (0) Service-Type = Framed-User (0) Cisco-AVPair = "service-type=Framed" (0) Framed-MTU = 1485 (0) EAP-Message = 0x0201001601636973636f407265616c6d2e6c6f63616c (0) Message-Authenticator = 0xcc70a7abf0a5eb8d0511f556bf18caa2 (0) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (0) Cisco-AVPair = "method=dot1x" (0) Cisco-AVPair = "client-iif-id=2147484066" (0) Cisco-AVPair = "vlan-id=4089" (0) NAS-IP-Address = 192.168.40.112 (0) NAS-Port-Id = "capwap_90000005" (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 409013 (0) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (0) Cisco-AVPair = "wlan-profile-name=BIC-ID" (0) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (0) Calling-Station-Id = "f4-8c-50-14-43-f3" (0) Airespace-Wlan-Id = 2 (0) NAS-Identifier = "C9800-CL_2" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (0) suffix: No such realm "realm.local" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 22 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x69ffbb4569fdbffe (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 28 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (0) EAP-Message = 0x01020016041081877306f68bb7522349a4493f9f3022 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x69ffbb4569fdbffe6a7d2cd7e6f69276 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 29 from 192.168.40.112:59581 to 192.168.40.217:1812 length 412 (1) User-Name = "cisco@realm.local" (1) Service-Type = Framed-User (1) Cisco-AVPair = "service-type=Framed" (1) Framed-MTU = 1485 (1) EAP-Message = 0x02020007031915 (1) Message-Authenticator = 0xf614ce4452fd4eca69cd71d4c0d90889 (1) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (1) Cisco-AVPair = "method=dot1x" (1) Cisco-AVPair = "client-iif-id=2147484066" (1) Cisco-AVPair = "vlan-id=4089" (1) NAS-IP-Address = 192.168.40.112 (1) NAS-Port-Id = "capwap_90000005" (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Port = 409013 (1) State = 0x69ffbb4569fdbffe6a7d2cd7e6f69276 (1) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (1) Cisco-AVPair = "wlan-profile-name=BIC-ID" (1) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (1) Calling-Station-Id = "f4-8c-50-14-43-f3" (1) Airespace-Wlan-Id = 2 (1) NAS-Identifier = "C9800-CL_2" (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (1) suffix: No such realm "realm.local" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 7 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry cisco@realm.local at line 113 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x69ffbb4569fdbffe (1) eap: Finished EAP session with state 0x69ffbb4569fdbffe (1) eap: Previous EAP request found for state 0x69ffbb4569fdbffe, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0x69ffbb4568fca2fe (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 29 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (1) Tunnel-Type = VLAN (1) Tunnel-Medium-Type = IEEE-802 (1) Tunnel-Private-Group-Id = "VLAN103" (1) EAP-Message = 0x010300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x69ffbb4568fca2fe6a7d2cd7e6f69276 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 30 from 192.168.40.112:59581 to 192.168.40.217:1812 length 577 (2) User-Name = "cisco@realm.local" (2) Service-Type = Framed-User (2) Cisco-AVPair = "service-type=Framed" (2) Framed-MTU = 1485 (2) EAP-Message = 0x020300ac1980000000a2160303009d01000099030361d6319cd2cbd0fb1b162e7bb3434ae396474b0eb88aa6dfee95caa3e971887700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (2) Message-Authenticator = 0x3238a7c4ad698e860b0c56246a9807aa (2) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (2) Cisco-AVPair = "method=dot1x" (2) Cisco-AVPair = "client-iif-id=2147484066" (2) Cisco-AVPair = "vlan-id=4089" (2) NAS-IP-Address = 192.168.40.112 (2) NAS-Port-Id = "capwap_90000005" (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Port = 409013 (2) State = 0x69ffbb4568fca2fe6a7d2cd7e6f69276 (2) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (2) Cisco-AVPair = "wlan-profile-name=BIC-ID" (2) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (2) Calling-Station-Id = "f4-8c-50-14-43-f3" (2) Airespace-Wlan-Id = 2 (2) NAS-Identifier = "C9800-CL_2" (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (2) suffix: No such realm "realm.local" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 172 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x69ffbb4568fca2fe (2) eap: Finished EAP session with state 0x69ffbb4568fca2fe (2) eap: Previous EAP request found for state 0x69ffbb4568fca2fe, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 162 bytes (2) eap_peap: Got complete TLS record (162 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 009d] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 0308] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 1194 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x69ffbb456bfba2fe (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 30 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (2) EAP-Message = 0x010403ec19c0000004aa160303003d02000039030321207bb2e39cd4378c087247ab50871fdcff79dfe9efd7580df804f303b510a700c030000011ff01000100000b0004030001020017000016030303080b0003040003010002fe308202fa308201e2a003020102021473c7be2a43a7509dd38de3529948c80bf138ba5e300d06092a864886f70d01010b0500301f311d301b06035504030c14667265657261646975732e6269632e6c6f63616c301e170d3231313232373137313530355a170d3331313232353137313530355a301f311d301b06035504030c14667265657261646975732e6269632e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b91dc1a90ae651b793b264d42939b5572f31a0d76ae41541e6c7c91f7daf7779a67a6d01fb259d5731b97f692cd899411897be0bac23640cd749abe27a6a84ac2bfc536693628e68c14e44362d0ec2e6090a694430a1cfad6ef9869943661efd98aac123013767 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x69ffbb456bfba2fe6a7d2cd7e6f69276 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 31 from 192.168.40.112:59581 to 192.168.40.217:1812 length 411 (3) User-Name = "cisco@realm.local" (3) Service-Type = Framed-User (3) Cisco-AVPair = "service-type=Framed" (3) Framed-MTU = 1485 (3) EAP-Message = 0x020400061900 (3) Message-Authenticator = 0x7542cbb7475ae9af882d8f0469e5118e (3) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (3) Cisco-AVPair = "method=dot1x" (3) Cisco-AVPair = "client-iif-id=2147484066" (3) Cisco-AVPair = "vlan-id=4089" (3) NAS-IP-Address = 192.168.40.112 (3) NAS-Port-Id = "capwap_90000005" (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Port = 409013 (3) State = 0x69ffbb456bfba2fe6a7d2cd7e6f69276 (3) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (3) Cisco-AVPair = "wlan-profile-name=BIC-ID" (3) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (3) Calling-Station-Id = "f4-8c-50-14-43-f3" (3) Airespace-Wlan-Id = 2 (3) NAS-Identifier = "C9800-CL_2" (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (3) suffix: No such realm "realm.local" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x69ffbb456bfba2fe (3) eap: Finished EAP session with state 0x69ffbb456bfba2fe (3) eap: Previous EAP request found for state 0x69ffbb456bfba2fe, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 206 (3) eap: EAP session adding &reply:State = 0x69ffbb456afaa2fe (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 31 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (3) EAP-Message = 0x010500ce1900cc97474b5f44416c31aec0609d7470c6bee3fdb9a425b6012fb8042d8db76a897823db26ea4e22d82eb773338c61622423e2040653564c5ba6fbb299da3620f1c68f98e6667b3233c7c8b64ddf93175a5b143df7c40cd11cf59310deee3c32ce955b63115c59927e7a85d3baf4ee06a394c03b070cf693e964554d50254b5b11d2612dbe1fc360b083b2296fed5f8a92a38044a6f3b288f84446e5ca707c0316ee50dc12fda4fe84d716516ba9905abcf6578f2c8d2d5033006b1adb6ca87b16030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x69ffbb456afaa2fe6a7d2cd7e6f69276 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 32 from 192.168.40.112:59581 to 192.168.40.217:1812 length 541 (4) User-Name = "cisco@realm.local" (4) Service-Type = Framed-User (4) Cisco-AVPair = "service-type=Framed" (4) Framed-MTU = 1485 (4) EAP-Message = 0x0205008819800000007e1603030046100000424104baa7118f396441cf2fd189d2821dd644720ccf07ceddec566c64fada826c68a55677b1e8dab7714949ea56132d2bf2fa931b3ae44bb2aeee068e8f12e61c645a140303000101160303002800000000000000007b9f0a23e6702883dc76902e7de25bf7e26680c71ec99cc066550bc69e5f8b1e (4) Message-Authenticator = 0x81efab1ca41ca8f01b5c840b28ed7cab (4) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (4) Cisco-AVPair = "method=dot1x" (4) Cisco-AVPair = "client-iif-id=2147484066" (4) Cisco-AVPair = "vlan-id=4089" (4) NAS-IP-Address = 192.168.40.112 (4) NAS-Port-Id = "capwap_90000005" (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Port = 409013 (4) State = 0x69ffbb456afaa2fe6a7d2cd7e6f69276 (4) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (4) Cisco-AVPair = "wlan-profile-name=BIC-ID" (4) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (4) Calling-Station-Id = "f4-8c-50-14-43-f3" (4) Airespace-Wlan-Id = 2 (4) NAS-Identifier = "C9800-CL_2" (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (4) suffix: No such realm "realm.local" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x69ffbb456afaa2fe (4) eap: Finished EAP session with state 0x69ffbb456afaa2fe (4) eap: Previous EAP request found for state 0x69ffbb456afaa2fe, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: TLS - Connection Established (4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) eap_peap: TLS-Session-Version = "TLS 1.2" (4) eap_peap: TLS - got 51 bytes of data (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 57 (4) eap: EAP session adding &reply:State = 0x69ffbb456df9a2fe (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) TLS-Session-Version = "TLS 1.2" (4) Sent Access-Challenge Id 32 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (4) EAP-Message = 0x0106003919001403030001011603030028afde6b0c8f2caa24d0a417e99eced6fc11bafc57f2fd97ea7d8d0f4ef1bfb511e48557b2262946b7 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x69ffbb456df9a2fe6a7d2cd7e6f69276 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 33 from 192.168.40.112:59581 to 192.168.40.217:1812 length 411 (5) User-Name = "cisco@realm.local" (5) Service-Type = Framed-User (5) Cisco-AVPair = "service-type=Framed" (5) Framed-MTU = 1485 (5) EAP-Message = 0x020600061900 (5) Message-Authenticator = 0x7aafcbb2e81e6d34220a9f23af4ea990 (5) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (5) Cisco-AVPair = "method=dot1x" (5) Cisco-AVPair = "client-iif-id=2147484066" (5) Cisco-AVPair = "vlan-id=4089" (5) NAS-IP-Address = 192.168.40.112 (5) NAS-Port-Id = "capwap_90000005" (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 409013 (5) State = 0x69ffbb456df9a2fe6a7d2cd7e6f69276 (5) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (5) Cisco-AVPair = "wlan-profile-name=BIC-ID" (5) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (5) Calling-Station-Id = "f4-8c-50-14-43-f3" (5) Airespace-Wlan-Id = 2 (5) NAS-Identifier = "C9800-CL_2" (5) Restoring &session-state (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (5) suffix: No such realm "realm.local" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x69ffbb456df9a2fe (5) eap: Finished EAP session with state 0x69ffbb456df9a2fe (5) eap: Previous EAP request found for state 0x69ffbb456df9a2fe, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 7 length 40 (5) eap: EAP session adding &reply:State = 0x69ffbb456cf8a2fe (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 33 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (5) EAP-Message = 0x010700281900170303001dafde6b0c8f2caa25b31aa81dee7af33454e8c969291254df27326d219e (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x69ffbb456cf8a2fe6a7d2cd7e6f69276 (5) Finished request Waking up in 3.2 seconds. (6) Received Access-Request Id 34 from 192.168.40.112:59581 to 192.168.40.217:1812 length 458 (6) User-Name = "cisco@realm.local" (6) Service-Type = Framed-User (6) Cisco-AVPair = "service-type=Framed" (6) Framed-MTU = 1485 (6) EAP-Message = 0x020700351900170303002a0000000000000001d5eb87810d5de75a8cdc8d7735c14c41c3db899d4526c73e9849fe8de64100985096 (6) Message-Authenticator = 0x35ba063270477c7b69cb19b6b7ce04f5 (6) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (6) Cisco-AVPair = "method=dot1x" (6) Cisco-AVPair = "client-iif-id=2147484066" (6) Cisco-AVPair = "vlan-id=4089" (6) NAS-IP-Address = 192.168.40.112 (6) NAS-Port-Id = "capwap_90000005" (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Port = 409013 (6) State = 0x69ffbb456cf8a2fe6a7d2cd7e6f69276 (6) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (6) Cisco-AVPair = "wlan-profile-name=BIC-ID" (6) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (6) Calling-Station-Id = "f4-8c-50-14-43-f3" (6) Airespace-Wlan-Id = 2 (6) NAS-Identifier = "C9800-CL_2" (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (6) suffix: No such realm "realm.local" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 53 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x69ffbb456cf8a2fe (6) eap: Finished EAP session with state 0x69ffbb456cf8a2fe (6) eap: Previous EAP request found for state 0x69ffbb456cf8a2fe, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - cisco@realm.local (6) eap_peap: Got inner identity 'cisco@realm.local' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c (6) eap_peap: Setting User-Name to cisco@realm.local (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "cisco@realm.local" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "cisco@realm.local" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (6) suffix: No such realm "realm.local" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 22 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 43 (6) eap: EAP session adding &reply:State = 0x85f7067f85ff1c9f (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x85f7067f85ff1c9f83906193b9684ff0 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 74 (6) eap: EAP session adding &reply:State = 0x69ffbb456ff7a2fe (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 34 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (6) EAP-Message = 0x0108004a1900170303003fafde6b0c8f2caa2694671da306b47fcca4d3df193d0c0b04172584b6bbef777d0069b213ca83bf1dfc92f8fd3a7a96b15903047c9399d2117570338e5fa81e (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x69ffbb456ff7a2fe6a7d2cd7e6f69276 (6) Finished request Waking up in 3.2 seconds. (7) Received Access-Request Id 35 from 192.168.40.112:59581 to 192.168.40.217:1812 length 512 (7) User-Name = "cisco@realm.local" (7) Service-Type = Framed-User (7) Cisco-AVPair = "service-type=Framed" (7) Framed-MTU = 1485 (7) EAP-Message = 0x0208006b190017030300600000000000000002e120170fae9375cf077730954790feff797cf77a365ff964d6d10323a90cd4407a7193009e8854e2f66b412046286e4a9d7dc2fc05c044a0ff31bda8258428c501426118674825d6851d3fc7ab3d3c5ec8568f2565dfca18 (7) Message-Authenticator = 0xf405c5841dfd48b1b8501c01496b7c08 (7) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (7) Cisco-AVPair = "method=dot1x" (7) Cisco-AVPair = "client-iif-id=2147484066" (7) Cisco-AVPair = "vlan-id=4089" (7) NAS-IP-Address = 192.168.40.112 (7) NAS-Port-Id = "capwap_90000005" (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Port = 409013 (7) State = 0x69ffbb456ff7a2fe6a7d2cd7e6f69276 (7) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (7) Cisco-AVPair = "wlan-profile-name=BIC-ID" (7) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (7) Calling-Station-Id = "f4-8c-50-14-43-f3" (7) Airespace-Wlan-Id = 2 (7) NAS-Identifier = "C9800-CL_2" (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (7) suffix: No such realm "realm.local" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x85f7067f85ff1c9f (7) eap: Finished EAP session with state 0x69ffbb456ff7a2fe (7) eap: Previous EAP request found for state 0x69ffbb456ff7a2fe, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c (7) eap_peap: Setting User-Name to cisco@realm.local (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "cisco@realm.local" (7) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "cisco@realm.local" (7) State = 0x85f7067f85ff1c9f83906193b9684ff0 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (7) suffix: No such realm "realm.local" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 76 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: users: Matched entry cisco@realm.local at line 113 (7) [files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x85f7067f85ff1c9f (7) eap: Finished EAP session with state 0x85f7067f85ff1c9f (7) eap: Previous EAP request found for state 0x85f7067f85ff1c9f, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Creating challenge hash with username: cisco@realm.local (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) eap_mschapv2: [mschap] = ok (7) eap_mschapv2: } # authenticate = ok (7) eap_mschapv2: MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 9 length 51 (7) eap: EAP session adding &reply:State = 0x85f7067f84fe1c9f (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Tunnel-Type = VLAN (7) Tunnel-Medium-Type = IEEE-802 (7) Tunnel-Private-Group-Id = "VLAN103" (7) EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x85f7067f84fe1c9f83906193b9684ff0 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Tunnel-Type = VLAN (7) eap_peap: Tunnel-Medium-Type = IEEE-802 (7) eap_peap: Tunnel-Private-Group-Id = "VLAN103" (7) eap_peap: EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Tunnel-Type = VLAN (7) eap_peap: Tunnel-Medium-Type = IEEE-802 (7) eap_peap: Tunnel-Private-Group-Id = "VLAN103" (7) eap_peap: EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 9 length 82 (7) eap: EAP session adding &reply:State = 0x69ffbb456ef6a2fe (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 35 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (7) EAP-Message = 0x0109005219001703030047afde6b0c8f2caa2789ce40eca88fca198bffc01cf49578ffa9f006b7e491bdb7cef543f68885555e175969f74514c25b408fe2e59bc8928abad11ad2c107a40aacd1e8b7c9d581 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x69ffbb456ef6a2fe6a7d2cd7e6f69276 (7) Finished request Waking up in 3.2 seconds. (8) Received Access-Request Id 36 from 192.168.40.112:59581 to 192.168.40.217:1812 length 442 (8) User-Name = "cisco@realm.local" (8) Service-Type = Framed-User (8) Cisco-AVPair = "service-type=Framed" (8) Framed-MTU = 1485 (8) EAP-Message = 0x020900251900170303001a0000000000000003529f0b568ec5b5429114dd6165b63ae1dd21 (8) Message-Authenticator = 0x241237b53db4eb481286a4e80d68ee08 (8) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (8) Cisco-AVPair = "method=dot1x" (8) Cisco-AVPair = "client-iif-id=2147484066" (8) Cisco-AVPair = "vlan-id=4089" (8) NAS-IP-Address = 192.168.40.112 (8) NAS-Port-Id = "capwap_90000005" (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Port = 409013 (8) State = 0x69ffbb456ef6a2fe6a7d2cd7e6f69276 (8) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (8) Cisco-AVPair = "wlan-profile-name=BIC-ID" (8) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (8) Calling-Station-Id = "f4-8c-50-14-43-f3" (8) Airespace-Wlan-Id = 2 (8) NAS-Identifier = "C9800-CL_2" (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (8) suffix: No such realm "realm.local" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x85f7067f84fe1c9f (8) eap: Finished EAP session with state 0x69ffbb456ef6a2fe (8) eap: Previous EAP request found for state 0x69ffbb456ef6a2fe, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to cisco@realm.local (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "cisco@realm.local" (8) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "cisco@realm.local" (8) State = 0x85f7067f84fe1c9f83906193b9684ff0 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (8) suffix: No such realm "realm.local" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: users: Matched entry cisco@realm.local at line 113 (8) [files] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x85f7067f84fe1c9f (8) eap: Finished EAP session with state 0x85f7067f84fe1c9f (8) eap: Previous EAP request found for state 0x85f7067f84fe1c9f, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) Tunnel-Type = VLAN (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Private-Group-Id = "VLAN103" (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de (8) MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e (8) EAP-Message = 0x03090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "cisco@realm.local" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id = "VLAN103" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de (8) eap_peap: MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "cisco@realm.local" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id = "VLAN103" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de (8) eap_peap: MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "cisco@realm.local" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 10 length 46 (8) eap: EAP session adding &reply:State = 0x69ffbb4561f5a2fe (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 36 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (8) EAP-Message = 0x010a002e19001703030023afde6b0c8f2caa28669cacf54a63b5ca6a2a0dcb3d1cd13cc4b3a24722d4f405ef8b1d (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x69ffbb4561f5a2fe6a7d2cd7e6f69276 (8) Finished request Waking up in 3.1 seconds. (9) Received Access-Request Id 37 from 192.168.40.112:59581 to 192.168.40.217:1812 length 451 (9) User-Name = "cisco@realm.local" (9) Service-Type = Framed-User (9) Cisco-AVPair = "service-type=Framed" (9) Framed-MTU = 1485 (9) EAP-Message = 0x020a002e19001703030023000000000000000457f6f94d1249e6b3256fd60896a545650ae2cf1c51f0acb8bc3e4b (9) Message-Authenticator = 0x05539f420ac52f583d7fb5d96e223bbe (9) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5" (9) Cisco-AVPair = "method=dot1x" (9) Cisco-AVPair = "client-iif-id=2147484066" (9) Cisco-AVPair = "vlan-id=4089" (9) NAS-IP-Address = 192.168.40.112 (9) NAS-Port-Id = "capwap_90000005" (9) NAS-Port-Type = Wireless-802.11 (9) NAS-Port = 409013 (9) State = 0x69ffbb4561f5a2fe6a7d2cd7e6f69276 (9) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID" (9) Cisco-AVPair = "wlan-profile-name=BIC-ID" (9) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID" (9) Calling-Station-Id = "f4-8c-50-14-43-f3" (9) Airespace-Wlan-Id = 2 (9) NAS-Identifier = "C9800-CL_2" (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: Looking up realm "realm.local" for User-Name = "cisco@realm.local" (9) suffix: No such realm "realm.local" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x69ffbb4561f5a2fe (9) eap: Finished EAP session with state 0x69ffbb4561f5a2fe (9) eap: Previous EAP request found for state 0x69ffbb4561f5a2fe, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 10 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (9) post-auth { (9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (9) update { (9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 37 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0 (9) MS-MPPE-Recv-Key = 0x409edb6b2e8a373530fd9dc88f1b98579e3422813735a69438935c6fe27507e1 (9) MS-MPPE-Send-Key = 0xc473c971393fbd08f4f2d3aa1af2adfc4db0f7d201d77115fdeae876c3a35b88 (9) EAP-Message = 0x030a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "cisco@realm.local" (9) Finished request Waking up in 3.1 seconds. (0) Cleaning up request packet ID 28 with timestamp +6 (1) Cleaning up request packet ID 29 with timestamp +6 (2) Cleaning up request packet ID 30 with timestamp +6 (3) Cleaning up request packet ID 31 with timestamp +6 (4) Cleaning up request packet ID 32 with timestamp +6 Waking up in 1.7 seconds. (5) Cleaning up request packet ID 33 with timestamp +8 (6) Cleaning up request packet ID 34 with timestamp +8 (7) Cleaning up request packet ID 35 with timestamp +8 (8) Cleaning up request packet ID 36 with timestamp +8 (9) Cleaning up request packet ID 37 with timestamp +8