Thanks Alan,
You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear.
Have tried adding the following in /sites-enabled/default bottom of "authoriztion { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect. if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { ok } else { reject } Removed Calling-Station-Id from radcheck, any device can connect with login credentials. When Calling-Station-Id attribute is used in radcheck, only the the device mac-addr in radcheck can connect, without "unlang", adding more than 1 mac-addr in radcheck is not working. mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | testing | Cleartext-Password | := | password | +----+----------+--------------------+----+----------+ 1 row in set (0.00 sec) mysql> select * from macaddrlist; +----+----------+--------------+----------+----------+ | id | username | macaddr1 | macaddr2 | macaddr3 | +----+----------+--------------+----------+----------+ | 1 | testing | 1002b52c096b | NULL | NULL | +----+----------+--------------+----------+----------+ 1 row in set (0.00 sec) mysql> debug output ################################################################################################ detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.909128 sec (17) Received Access-Request Id 5 from 10.225.251.10:56766 to 172.16.2.4:1812 length 184 (17) User-Name = "testing" (17) NAS-IP-Address = 10.225.251.10 (17) NAS-Port = 0 (17) NAS-Identifier = "172.16.6.63" (17) NAS-Port-Type = Wireless-802.11 (17) Calling-Station-Id = "f894c2addb53" (17) Called-Station-Id = "removed" (17) Service-Type = Login-User (17) Framed-MTU = 1100 (17) EAP-Message = 0x0202000c0174657374696e67 (17) Aruba-Essid-Name = "wtf" (17) Aruba-Location-Id = "Building-A" (17) Aruba-AP-Group = "Cluster" (17) Message-Authenticator = 0x23e7c95a6d11b0eefbfc4986de4ee921 (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 2 length 12 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Initiating new EAP-TLS session (17) eap_peap: [eaptls start] = request (17) eap: Sending EAP Request (code 1) ID 3 length 6 (17) eap: EAP session adding &reply:State = 0x735d7f17735e66c6 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 5 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (17) EAP-Message = 0x010300061920 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x735d7f17735e66c6a880ae3bd9d49d0e (17) Finished request Waking up in 4.9 seconds. (18) Received Access-Request Id 6 from 10.225.251.10:56766 to 172.16.2.4:1812 length 362 (18) User-Name = "testing" (18) NAS-IP-Address = 10.225.251.10 (18) NAS-Port = 0 (18) NAS-Identifier = "172.16.6.63" (18) NAS-Port-Type = Wireless-802.11 (18) Calling-Station-Id = "f894c2addb53" (18) Called-Station-Id = "removed" (18) Service-Type = Login-User (18) Framed-MTU = 1100 (18) EAP-Message = 0x020300ac1980000000a2160303009d010000990303642bdf14a9bfdb6161357fc070503ec4d997eed1d0309e2acef37c8b7f4b122900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d (18) State = 0x735d7f17735e66c6a880ae3bd9d49d0e (18) Aruba-Essid-Name = "wtf" (18) Aruba-Location-Id = "Building-A" (18) Aruba-AP-Group = "Cluster" (18) Message-Authenticator = 0x76908f7c21e3f826fc836b0caab67eb3 (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 3 length 172 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0x735d7f17735e66c6 (18) eap: Finished EAP session with state 0x735d7f17735e66c6 (18) eap: Previous EAP request found for state 0x735d7f17735e66c6, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: Peer indicated complete TLS record size will be 162 bytes (18) eap_peap: Got complete TLS record (162 bytes) (18) eap_peap: [eaptls verify] = length included (18) eap_peap: (other): before SSL initialization (18) eap_peap: TLS_accept: before SSL initialization (18) eap_peap: TLS_accept: before SSL initialization (18) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 009d] (18) eap_peap: TLS_accept: SSLv3/TLS read client hello (18) eap_peap: >>> send TLS 1.2 [length 003d] (18) eap_peap: TLS_accept: SSLv3/TLS write server hello (18) eap_peap: >>> send TLS 1.2 [length 02ed] (18) eap_peap: TLS_accept: SSLv3/TLS write certificate (18) eap_peap: >>> send TLS 1.2 [length 014d] (18) eap_peap: TLS_accept: SSLv3/TLS write key exchange (18) eap_peap: >>> send TLS 1.2 [length 0004] (18) eap_peap: TLS_accept: SSLv3/TLS write server done (18) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (18) eap_peap: In SSL Handshake Phase (18) eap_peap: In SSL Accept mode (18) eap_peap: [eaptls process] = handled (18) eap: Sending EAP Request (code 1) ID 4 length 1004 (18) eap: EAP session adding &reply:State = 0x735d7f17725966c6 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) Sent Access-Challenge Id 6 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (18) EAP-Message = 0x010403ec19c00000048f160303003d020000390303cb62284a7188ef72f890ca8edff8ba19c759c47607fe6b34444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x735d7f17725966c6a880ae3bd9d49d0e (18) Finished request Waking up in 4.9 seconds. (19) Received Access-Request Id 7 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196 (19) User-Name = "testing" (19) NAS-IP-Address = 10.225.251.10 (19) NAS-Port = 0 (19) NAS-Identifier = "172.16.6.63" (19) NAS-Port-Type = Wireless-802.11 (19) Calling-Station-Id = "f894c2addb53" (19) Called-Station-Id = "removed" (19) Service-Type = Login-User (19) Framed-MTU = 1100 (19) EAP-Message = 0x020400061900 (19) State = 0x735d7f17725966c6a880ae3bd9d49d0e (19) Aruba-Essid-Name = "wtf" (19) Aruba-Location-Id = "Building-A" (19) Aruba-AP-Group = "Cluster" (19) Message-Authenticator = 0xad236167427d138b918fee7d9e1602bd (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 4 length 6 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0x735d7f17725966c6 (19) eap: Finished EAP session with state 0x735d7f17725966c6 (19) eap: Previous EAP request found for state 0x735d7f17725966c6, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: Peer ACKed our handshake fragment (19) eap_peap: [eaptls verify] = request (19) eap_peap: [eaptls process] = handled (19) eap: Sending EAP Request (code 1) ID 5 length 179 (19) eap: EAP session adding &reply:State = 0x735d7f17715866c6 (19) [eap] = handled (19) } # authenticate = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) Sent Access-Challenge Id 7 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (19) EAP-Message = 0x010500b31900da3145a6f9eecf76845fb83242f5aadd813424fce1c90e8b12600da59dde36fdaf1d7bf5fa62e7423780336ab99ab603af42f2074076fde75e9540e506163484354d638af9269b1c3ca911c400886a443197ae1b7f67cec1ab2354b9dd9ef9691bcabfbc4b17be8750cdc934028e8228ce (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x735d7f17715866c6a880ae3bd9d49d0e (19) Finished request Waking up in 4.9 seconds. (20) Received Access-Request Id 8 from 10.225.251.10:56766 to 172.16.2.4:1812 length 326 (20) User-Name = "testing" (20) NAS-IP-Address = 10.225.251.10 (20) NAS-Port = 0 (20) NAS-Identifier = "172.16.6.63" (20) NAS-Port-Type = Wireless-802.11 (20) Calling-Station-Id = "f894c2addb53" (20) Called-Station-Id = "removed" (20) Service-Type = Login-User (20) Framed-MTU = 1100 (20) EAP-Message = 0x0205008819800000007e16030300461000004241044e9e061bc42f5cee3b1c557f06e3dec5721a615dd2f79ca82ce3e7038da4006571019eeb6c12895e0e38c65c1ce9771b723011ba85fff25e0ffed61b7cbc448114030300010116030300280000000000000000f9b65095f49b130430f1568b453bdb (20) State = 0x735d7f17715866c6a880ae3bd9d49d0e (20) Aruba-Essid-Name = "wtf" (20) Aruba-Location-Id = "Building-A" (20) Aruba-AP-Group = "Cluster" (20) Message-Authenticator = 0x840d1e263f5c62c55398933cbacd6a37 (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "testing", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 5 length 136 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0x735d7f17715866c6 (20) eap: Finished EAP session with state 0x735d7f17715866c6 (20) eap: Previous EAP request found for state 0x735d7f17715866c6, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: Peer indicated complete TLS record size will be 126 bytes (20) eap_peap: Got complete TLS record (126 bytes) (20) eap_peap: [eaptls verify] = length included (20) eap_peap: TLS_accept: SSLv3/TLS write server done (20) eap_peap: <<< recv TLS 1.2 [length 0046] (20) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (20) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (20) eap_peap: <<< recv TLS 1.2 [length 0010] (20) eap_peap: TLS_accept: SSLv3/TLS read finished (20) eap_peap: >>> send TLS 1.2 [length 0001] (20) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (20) eap_peap: >>> send TLS 1.2 [length 0010] (20) eap_peap: TLS_accept: SSLv3/TLS write finished (20) eap_peap: (other): SSL negotiation finished successfully (20) eap_peap: SSL Connection Established (20) eap_peap: [eaptls process] = handled (20) eap: Sending EAP Request (code 1) ID 6 length 57 (20) eap: EAP session adding &reply:State = 0x735d7f17705b66c6 (20) [eap] = handled (20) } # authenticate = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) Sent Access-Challenge Id 8 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (20) EAP-Message = 0x010600391900140303000101160303002806d33c56b068f0a1972df6aa137cc47d7b1a80a3ad56963b9608cb6d86532b0aca677b843c484752 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x735d7f17705b66c6a880ae3bd9d49d0e (20) Finished request Waking up in 4.9 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.087135 sec (21) Received Access-Request Id 9 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196 (21) User-Name = "testing" (21) NAS-IP-Address = 10.225.251.10 (21) NAS-Port = 0 (21) NAS-Identifier = "172.16.6.63" (21) NAS-Port-Type = Wireless-802.11 (21) Calling-Station-Id = "f894c2addb53" (21) Called-Station-Id = "removed" (21) Service-Type = Login-User (21) Framed-MTU = 1100 (21) EAP-Message = 0x020600061900 (21) State = 0x735d7f17705b66c6a880ae3bd9d49d0e (21) Aruba-Essid-Name = "wtf" (21) Aruba-Location-Id = "Building-A" (21) Aruba-AP-Group = "Cluster" (21) Message-Authenticator = 0x2583cd16db50296cdb698d43f7162083 (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) [chap] = noop (21) [mschap] = noop (21) [digest] = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "testing", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) eap: Peer sent EAP Response (code 2) ID 6 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) authenticate { (21) eap: Expiring EAP session with state 0x735d7f17705b66c6 (21) eap: Finished EAP session with state 0x735d7f17705b66c6 (21) eap: Previous EAP request found for state 0x735d7f17705b66c6, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: Continuing EAP-TLS (21) eap_peap: Peer ACKed our handshake fragment. handshake is finished (21) eap_peap: [eaptls verify] = success (21) eap_peap: [eaptls process] = success (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state TUNNEL ESTABLISHED (21) eap: Sending EAP Request (code 1) ID 7 length 40 (21) eap: EAP session adding &reply:State = 0x735d7f17775a66c6 (21) [eap] = handled (21) } # authenticate = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Challenge { ... } # empty sub-section is ignored (21) Sent Access-Challenge Id 9 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (21) EAP-Message = 0x010700281900170303001d06d33c56b068f0a2a3812d5b58620e2fa7b76dbd9d21b511548082e319 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x735d7f17775a66c6a880ae3bd9d49d0e (21) Finished request Waking up in 3.6 seconds. (22) Received Access-Request Id 10 from 10.225.251.10:56766 to 172.16.2.4:1812 length 233 (22) User-Name = "testing" (22) NAS-IP-Address = 10.225.251.10 (22) NAS-Port = 0 (22) NAS-Identifier = "172.16.6.63" (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "f894c2addb53" (22) Called-Station-Id = "removed" (22) Service-Type = Login-User (22) Framed-MTU = 1100 (22) EAP-Message = 0x0207002b190017030300200000000000000001b938010a38000c8411e999e607c654e50f81975d795f502a (22) State = 0x735d7f17775a66c6a880ae3bd9d49d0e (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-AP-Group = "Cluster" (22) Message-Authenticator = 0x1cbbe970e0da43786de14a129aaf8233 (22) session-state: No cached attributes (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) [chap] = noop (22) [mschap] = noop (22) [digest] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) eap: Peer sent EAP Response (code 2) ID 7 length 43 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) authenticate { (22) eap: Expiring EAP session with state 0x735d7f17775a66c6 (22) eap: Finished EAP session with state 0x735d7f17775a66c6 (22) eap: Previous EAP request found for state 0x735d7f17775a66c6, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: Continuing EAP-TLS (22) eap_peap: [eaptls verify] = ok (22) eap_peap: Done initial handshake (22) eap_peap: [eaptls process] = ok (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state WAITING FOR INNER IDENTITY (22) eap_peap: Identity - testing (22) eap_peap: Got inner identity 'testing' (22) eap_peap: Setting default EAP type for tunneled EAP session (22) eap_peap: Got tunneled request (22) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (22) eap_peap: Setting User-Name to testing (22) eap_peap: Sending tunneled request to inner-tunnel (22) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (22) eap_peap: User-Name = "testing" (22) eap_peap: NAS-IP-Address = 10.225.251.10 (22) eap_peap: NAS-Port = 0 (22) eap_peap: NAS-Identifier = "172.16.6.63" (22) eap_peap: NAS-Port-Type = Wireless-802.11 (22) eap_peap: Calling-Station-Id = "f894c2addb53" (22) eap_peap: Called-Station-Id = "removed" (22) eap_peap: Service-Type = Login-User (22) eap_peap: Framed-MTU = 1100 (22) eap_peap: Aruba-Essid-Name = "wtf" (22) eap_peap: Aruba-Location-Id = "Building-A" (22) eap_peap: Aruba-AP-Group = "Cluster" (22) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (22) Virtual server inner-tunnel received request (22) EAP-Message = 0x0207000c0174657374696e67 (22) FreeRADIUS-Proxied-To = 127.0.0.1 (22) User-Name = "testing" (22) NAS-IP-Address = 10.225.251.10 (22) NAS-Port = 0 (22) NAS-Identifier = "172.16.6.63" (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "f894c2addb53" (22) Called-Station-Id = "removed" (22) Service-Type = Login-User (22) Framed-MTU = 1100 (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-AP-Group = "Cluster" (22) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (22) WARNING: Outer and inner identities are the same. User privacy is compromised. (22) server inner-tunnel { (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [chap] = noop (22) [mschap] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) update control { (22) &Proxy-To-Realm := LOCAL (22) } # update control = noop (22) eap: Peer sent EAP Response (code 2) ID 7 length 12 (22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (22) authenticate { (22) eap: Peer sent packet with method EAP Identity (1) (22) eap: Calling submodule eap_mschapv2 to process data (22) eap_mschapv2: Issuing Challenge (22) eap: Sending EAP Request (code 1) ID 8 length 43 (22) eap: EAP session adding &reply:State = 0xd7f01aa1d7f80035 (22) [eap] = handled (22) } # authenticate = handled (22) } # server inner-tunnel (22) Virtual server sending reply (22) EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled reply code 11 (22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled reply RADIUS code 11 (22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled Access-Challenge (22) eap: Sending EAP Request (code 1) ID 8 length 74 (22) eap: EAP session adding &reply:State = 0x735d7f17765566c6 (22) [eap] = handled (22) } # authenticate = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Challenge { ... } # empty sub-section is ignored (22) Sent Access-Challenge Id 10 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (22) EAP-Message = 0x0108004a1900170303003f06d33c56b068f0a3ecc1d3f5acb003ba8437eefefbad68f6ac6df379a757d2dd7acaf62aa3d766d59e2a42d6977997a88d1fe5fc5eced657eae7281da1b925 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0x735d7f17765566c6a880ae3bd9d49d0e (22) Finished request Waking up in 3.5 seconds. (23) Received Access-Request Id 11 from 10.225.251.10:56766 to 172.16.2.4:1812 length 287 (23) User-Name = "testing" (23) NAS-IP-Address = 10.225.251.10 (23) NAS-Port = 0 (23) NAS-Identifier = "172.16.6.63" (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "f894c2addb53" (23) Called-Station-Id = "removed" (23) Service-Type = Login-User (23) Framed-MTU = 1100 (23) EAP-Message = 0x02080061190017030300560000000000000002f67a35ebc3b7ad310d98bdf6cf074035404cd137adc04c29c54705daabe0543d231628833f03d43a3c94fb544bce6c975b3bffbdd4be9989a6766cea342a3969a0b1ccb7d614a0c997d1da0bc543 (23) State = 0x735d7f17765566c6a880ae3bd9d49d0e (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-AP-Group = "Cluster" (23) Message-Authenticator = 0xd3638e2d2a956e562ef28fdd6e96048c (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) [chap] = noop (23) [mschap] = noop (23) [digest] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) eap: Peer sent EAP Response (code 2) ID 8 length 97 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # authorize = ok (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) authenticate { (23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035 (23) eap: Finished EAP session with state 0x735d7f17765566c6 (23) eap: Previous EAP request found for state 0x735d7f17765566c6, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: Continuing EAP-TLS (23) eap_peap: [eaptls verify] = ok (23) eap_peap: Done initial handshake (23) eap_peap: [eaptls process] = ok (23) eap_peap: Session established. Decoding tunneled attributes (23) eap_peap: PEAP state phase2 (23) eap_peap: EAP method MSCHAPv2 (26) (23) eap_peap: Got tunneled request (23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) eap_peap: Setting User-Name to testing (23) eap_peap: Sending tunneled request to inner-tunnel (23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_peap: User-Name = "testing" (23) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (23) eap_peap: NAS-IP-Address = 10.225.251.10 (23) eap_peap: NAS-Port = 0 (23) eap_peap: NAS-Identifier = "172.16.6.63" (23) eap_peap: NAS-Port-Type = Wireless-802.11 (23) eap_peap: Calling-Station-Id = "f894c2addb53" (23) eap_peap: Called-Station-Id = "removed" (23) eap_peap: Service-Type = Login-User (23) eap_peap: Framed-MTU = 1100 (23) eap_peap: Aruba-Essid-Name = "wtf" (23) eap_peap: Aruba-Location-Id = "Building-A" (23) eap_peap: Aruba-AP-Group = "Cluster" (23) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (23) Virtual server inner-tunnel received request (23) EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) User-Name = "testing" (23) State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (23) NAS-IP-Address = 10.225.251.10 (23) NAS-Port = 0 (23) NAS-Identifier = "172.16.6.63" (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "f894c2addb53" (23) Called-Station-Id = "removed" (23) Service-Type = Login-User (23) Framed-MTU = 1100 (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-AP-Group = "Cluster" (23) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (23) WARNING: Outer and inner identities are the same. User privacy is compromised. (23) server inner-tunnel { (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [chap] = noop (23) [mschap] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) update control { (23) &Proxy-To-Realm := LOCAL (23) } # update control = noop (23) eap: Peer sent EAP Response (code 2) ID 8 length 66 (23) eap: No EAP Start, assuming it's an on-going EAP conversation (23) [eap] = updated (23) [files] = noop (23) sql: EXPAND %{User-Name} (23) sql: --> testing (23) sql: SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (12) (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (23) sql: User found in radcheck table (23) sql: Conditional check items matched, merging assignment check items (23) sql: Cleartext-Password := "password" (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (23) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (23) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (23) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (23) sql: User found in the group table (23) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (23) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Group "Low_Access": Conditional check items matched (23) sql: Group "Low_Access": Merging assignment check items (23) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (23) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Group "Low_Access": Merging reply items (23) sql: Class = 0x6c6f775f616363657373 rlm_sql (sql): Released connection (12) Need 7 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (15), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (23) [sql] = ok (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: Auth-Type already set. Not setting to PAP (23) [pap] = noop (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) authenticate { (23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035 (23) eap: Finished EAP session with state 0xd7f01aa1d7f80035 (23) eap: Previous EAP request found for state 0xd7f01aa1d7f80035, released from the list (23) eap: Peer sent packet with method EAP MSCHAPv2 (26) (23) eap: Calling submodule eap_mschapv2 to process data (23) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) eap_mschapv2: authenticate { (23) mschap: Found Cleartext-Password, hashing to create NT-Password (23) mschap: Found Cleartext-Password, hashing to create LM-Password (23) mschap: Creating challenge hash with username: testing (23) mschap: Client is using MS-CHAPv2 (23) mschap: Adding MS-CHAPv2 MPPE keys (23) [mschap] = ok (23) } # authenticate = ok (23) MSCHAP Success (23) eap: Sending EAP Request (code 1) ID 9 length 51 (23) eap: EAP session adding &reply:State = 0xd7f01aa1d6f90035 (23) [eap] = handled (23) } # authenticate = handled (23) } # server inner-tunnel (23) Virtual server sending reply (23) Class = 0x6c6f775f616363657373 (23) EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled reply code 11 (23) eap_peap: Class = 0x6c6f775f616363657373 (23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled reply RADIUS code 11 (23) eap_peap: Class = 0x6c6f775f616363657373 (23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled Access-Challenge (23) eap: Sending EAP Request (code 1) ID 9 length 82 (23) eap: EAP session adding &reply:State = 0x735d7f17755466c6 (23) [eap] = handled (23) } # authenticate = handled (23) Using Post-Auth-Type Challenge (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Challenge { ... } # empty sub-section is ignored (23) Sent Access-Challenge Id 11 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (23) EAP-Message = 0x010900521900170303004706d33c56b068f0a48a90632e83818189836884d7619ce09535f33ad67f220c4165c88520856f26b9ac072beb94f7b4240467b4cd9ee012c265dc6bc981c202aad513d7fb082d4a (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0x735d7f17755466c6a880ae3bd9d49d0e (23) Finished request Waking up in 3.5 seconds. (24) Received Access-Request Id 12 from 10.225.251.10:56766 to 172.16.2.4:1812 length 227 (24) User-Name = "testing" (24) NAS-IP-Address = 10.225.251.10 (24) NAS-Port = 0 (24) NAS-Identifier = "172.16.6.63" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f894c2addb53" (24) Called-Station-Id = "removed" (24) Service-Type = Login-User (24) Framed-MTU = 1100 (24) EAP-Message = 0x020900251900170303001a0000000000000003d2de70e52a1738dba84235714d303de39473 (24) State = 0x735d7f17755466c6a880ae3bd9d49d0e (24) Aruba-Essid-Name = "wtf" (24) Aruba-Location-Id = "Building-A" (24) Aruba-AP-Group = "Cluster" (24) Message-Authenticator = 0xa4b05d75d7d707c345231bb97de889cf (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "testing", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 9 length 37 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # authorize = ok (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (24) authenticate { (24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035 (24) eap: Finished EAP session with state 0x735d7f17755466c6 (24) eap: Previous EAP request found for state 0x735d7f17755466c6, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: Continuing EAP-TLS (24) eap_peap: [eaptls verify] = ok (24) eap_peap: Done initial handshake (24) eap_peap: [eaptls process] = ok (24) eap_peap: Session established. Decoding tunneled attributes (24) eap_peap: PEAP state phase2 (24) eap_peap: EAP method MSCHAPv2 (26) (24) eap_peap: Got tunneled request (24) eap_peap: EAP-Message = 0x020900061a03 (24) eap_peap: Setting User-Name to testing (24) eap_peap: Sending tunneled request to inner-tunnel (24) eap_peap: EAP-Message = 0x020900061a03 (24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (24) eap_peap: User-Name = "testing" (24) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (24) eap_peap: NAS-IP-Address = 10.225.251.10 (24) eap_peap: NAS-Port = 0 (24) eap_peap: NAS-Identifier = "172.16.6.63" (24) eap_peap: NAS-Port-Type = Wireless-802.11 (24) eap_peap: Calling-Station-Id = "f894c2addb53" (24) eap_peap: Called-Station-Id = "removed" (24) eap_peap: Service-Type = Login-User (24) eap_peap: Framed-MTU = 1100 (24) eap_peap: Aruba-Essid-Name = "wtf" (24) eap_peap: Aruba-Location-Id = "Building-A" (24) eap_peap: Aruba-AP-Group = "Cluster" (24) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (24) Virtual server inner-tunnel received request (24) EAP-Message = 0x020900061a03 (24) FreeRADIUS-Proxied-To = 127.0.0.1 (24) User-Name = "testing" (24) State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (24) NAS-IP-Address = 10.225.251.10 (24) NAS-Port = 0 (24) NAS-Identifier = "172.16.6.63" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f894c2addb53" (24) Called-Station-Id = "removed" (24) Service-Type = Login-User (24) Framed-MTU = 1100 (24) Aruba-Essid-Name = "wtf" (24) Aruba-Location-Id = "Building-A" (24) Aruba-AP-Group = "Cluster" (24) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (24) WARNING: Outer and inner identities are the same. User privacy is compromised. (24) server inner-tunnel { (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [chap] = noop (24) [mschap] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "testing", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) update control { (24) &Proxy-To-Realm := LOCAL (24) } # update control = noop (24) eap: Peer sent EAP Response (code 2) ID 9 length 6 (24) eap: No EAP Start, assuming it's an on-going EAP conversation (24) [eap] = updated (24) [files] = noop (24) sql: EXPAND %{User-Name} (24) sql: --> testing (24) sql: SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (13) (24) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (24) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (24) sql: User found in radcheck table (24) sql: Conditional check items matched, merging assignment check items (24) sql: Cleartext-Password := "password" (24) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (24) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (24) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (24) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (24) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (24) sql: User found in the group table (24) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (24) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Group "Low_Access": Conditional check items matched (24) sql: Group "Low_Access": Merging assignment check items (24) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (24) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Group "Low_Access": Merging reply items (24) sql: Class = 0x6c6f775f616363657373 rlm_sql (sql): Released connection (13) (24) [sql] = ok (24) [expiration] = noop (24) [logintime] = noop (24) pap: WARNING: Auth-Type already set. Not setting to PAP (24) [pap] = noop (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) authenticate { (24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035 (24) eap: Finished EAP session with state 0xd7f01aa1d6f90035 (24) eap: Previous EAP request found for state 0xd7f01aa1d6f90035, released from the list (24) eap: Peer sent packet with method EAP MSCHAPv2 (26) (24) eap: Calling submodule eap_mschapv2 to process data (24) eap: Sending EAP Success (code 3) ID 9 length 4 (24) eap: Freeing handler (24) [eap] = ok (24) } # authenticate = ok (24) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) post-auth { (24) sql: EXPAND .query (24) sql: --> .query (24) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (24) sql: EXPAND %{User-Name} (24) sql: --> testing (24) sql: SQL-User-Name set to 'testing' (24) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (24) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (24) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (24) sql: SQL query returned: success (24) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) (24) [sql] = ok (24) if (1) { (24) if (1) -> TRUE (24) if (1) { (24) update reply { (24) User-Name !* ANY (24) Message-Authenticator !* ANY (24) EAP-Message !* ANY (24) Proxy-State !* ANY (24) MS-MPPE-Encryption-Types !* ANY (24) MS-MPPE-Encryption-Policy !* ANY (24) MS-MPPE-Send-Key !* ANY (24) MS-MPPE-Recv-Key !* ANY (24) } # update reply = noop (24) update { (24) &outer.session-state::Class += &reply:Class[*] -> 0x6c6f775f616363657373 (24) } # update = noop (24) } # if (1) = noop (24) } # post-auth = ok (24) } # server inner-tunnel (24) Virtual server sending reply (24) Class = 0x6c6f775f616363657373 (24) eap_peap: Got tunneled reply code 2 (24) eap_peap: Class = 0x6c6f775f616363657373 (24) eap_peap: Got tunneled reply RADIUS code 2 (24) eap_peap: Class = 0x6c6f775f616363657373 (24) eap_peap: Tunneled authentication was successful (24) eap_peap: SUCCESS (24) eap_peap: Saving tunneled attributes for later (24) eap: Sending EAP Request (code 1) ID 10 length 46 (24) eap: EAP session adding &reply:State = 0x735d7f17745766c6 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) session-state: Saving cached attributes (24) Class += 0x6c6f775f616363657373 (24) Sent Access-Challenge Id 12 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (24) EAP-Message = 0x010a002e1900170303002306d33c56b068f0a5ff5724e4971e20cb7fe2cf9f068b66fb14fcd7892634f657f8bf51 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0x735d7f17745766c6a880ae3bd9d49d0e (24) Finished request Waking up in 3.4 seconds. (25) Received Access-Request Id 13 from 10.225.251.10:56766 to 172.16.2.4:1812 length 236 (25) User-Name = "testing" (25) NAS-IP-Address = 10.225.251.10 (25) NAS-Port = 0 (25) NAS-Identifier = "172.16.6.63" (25) NAS-Port-Type = Wireless-802.11 (25) Calling-Station-Id = "f894c2addb53" (25) Called-Station-Id = "removed" (25) Service-Type = Login-User (25) Framed-MTU = 1100 (25) EAP-Message = 0x020a002e190017030300230000000000000004e9eef28e29c4b401eadf07a8810dcfb57ef2afa013eba59fe7a695 (25) State = 0x735d7f17745766c6a880ae3bd9d49d0e (25) Aruba-Essid-Name = "wtf" (25) Aruba-Location-Id = "Building-A" (25) Aruba-AP-Group = "Cluster" (25) Message-Authenticator = 0x5171d1f2ada81cca1aceb3fe0b8a7500 (25) Restoring &session-state (25) &session-state:Class += 0x6c6f775f616363657373 (25) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) [chap] = noop (25) [mschap] = noop (25) [digest] = noop (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "testing", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) eap: Peer sent EAP Response (code 2) ID 10 length 46 (25) eap: Continuing tunnel setup (25) [eap] = ok (25) } # authorize = ok (25) Found Auth-Type = eap (25) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0x735d7f17745766c6 (25) eap: Finished EAP session with state 0x735d7f17745766c6 (25) eap: Previous EAP request found for state 0x735d7f17745766c6, released from the list (25) eap: Peer sent packet with method EAP PEAP (25) (25) eap: Calling submodule eap_peap to process data (25) eap_peap: Continuing EAP-TLS (25) eap_peap: [eaptls verify] = ok (25) eap_peap: Done initial handshake (25) eap_peap: [eaptls process] = ok (25) eap_peap: Session established. Decoding tunneled attributes (25) eap_peap: PEAP state send tlv success (25) eap_peap: Received EAP-TLV response (25) eap_peap: Success (25) eap_peap: Using saved attributes from the original Access-Accept (25) eap_peap: Class = 0x6c6f775f616363657373 (25) eap: Sending EAP Success (code 3) ID 10 length 4 (25) eap: Freeing handler (25) [eap] = ok (25) } # authenticate = ok (25) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (25) post-auth { (25) update { (25) &reply::Class += &session-state:Class[*] -> 0x6c6f775f616363657373 (25) } # update = noop (25) sql: EXPAND .query (25) sql: --> .query (25) sql: Using query template 'query' rlm_sql (sql): Reserved connection (12) (25) sql: EXPAND %{User-Name} (25) sql: --> testing (25) sql: SQL-User-Name set to 'testing' (25) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (25) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (25) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (25) sql: SQL query returned: success (25) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) (25) [sql] = ok (25) [exec] = noop (25) policy remove_reply_message_if_eap { (25) if (&reply:EAP-Message && &reply:Reply-Message) { (25) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (25) else { (25) [noop] = noop (25) } # else = noop (25) } # policy remove_reply_message_if_eap = noop (25) } # post-auth = ok (25) Sent Access-Accept Id 13 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (25) Class = 0x6c6f775f616363657373 (25) MS-MPPE-Recv-Key = 0xcc45ee952a3ff5f4b509a0d3c77ca487b6b86fbecfc91e8f7a4594ca3057a3c8 (25) MS-MPPE-Send-Key = 0x201b8d504ad2e64f9f8498c6b8187edbaf3221f7681eca7b12d0c885fb1c7782 (25) EAP-Message = 0x030a0004 (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) User-Name = "testing" (25) Class += 0x6c6f775f616363657373 (25) Finished request Waking up in 3.4 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.784712 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.975185 sec (26) Received Accounting-Request Id 14 from 10.225.251.10:56766 to 172.16.2.4:1813 length 227 (26) Acct-Status-Type = Start (26) NAS-IP-Address = 10.225.251.10 (26) User-Name = "testing" (26) NAS-Port = 0 (26) NAS-Port-Type = Wireless-802.11 (26) Calling-Station-Id = "f894c2addb53" (26) Called-Station-Id = "removed" (26) Framed-IP-Address = 10.225.251.21 (26) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739" (26) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA" (26) Acct-Delay-Time = 0 (26) Aruba-Essid-Name = "wtf" (26) Aruba-Location-Id = "Building-A" (26) Aruba-User-Vlan = 51 (26) Class = 0x6c6f775f616363657373 (26) Acct-Authentic = 0 (26) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (26) preacct { (26) [preprocess] = ok (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) EXPAND %{User-Name} (26) --> testing (26) SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (15) (26) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53') rlm_sql (sql): Released connection (15) Need 6 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (16), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (26) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') } (26) --> 0 (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) [ok] = ok (26) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok (26) ... skipping else: Preceding "if" was taken (26) policy acct_unique { (26) update request { (26) &Tmp-String-9 := "ai:" (26) } # update request = noop (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (26) EXPAND %{hex:&Class} (26) --> 6c6f775f616363657373 (26) EXPAND ^%{hex:&Tmp-String-9} (26) --> ^61693a (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (26) else { (26) update request { (26) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (26) --> cdbb232bc69b751f19684df63248fe05 (26) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05 (26) } # update request = noop (26) } # else = noop (26) } # policy acct_unique = noop (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "testing", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) [files] = noop (26) } # preacct = ok (26) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (26) accounting { (26) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (26) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (26) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (26) detail: EXPAND %t (26) detail: --> Tue Apr 4 13:55:59 2023 (26) [detail] = ok (26) [unix] = ok (26) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (26) sql: --> type.start.query (26) sql: Using query template 'query' rlm_sql (sql): Reserved connection (13) (26) sql: EXPAND %{User-Name} (26) sql: --> testing (26) sql: SQL-User-Name set to 'testing' (26) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (26) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21') (26) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21') (26) sql: SQL query returned: success (26) sql: 1 record(s) updated rlm_sql (sql): Released connection (13) (26) [sql] = ok (26) [exec] = noop (26) attr_filter.accounting_response: EXPAND %{User-Name} (26) attr_filter.accounting_response: --> testing (26) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (26) [attr_filter.accounting_response] = updated (26) } # accounting = updated (26) Sent Accounting-Response Id 14 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0 (26) Finished request (26) Cleaning up request packet ID 14 with timestamp +529 Waking up in 2.0 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.118670 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.834735 sec (17) Cleaning up request packet ID 5 with timestamp +526 (18) Cleaning up request packet ID 6 with timestamp +526 (19) Cleaning up request packet ID 7 with timestamp +526 (20) Cleaning up request packet ID 8 with timestamp +526 Waking up in 1.2 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.084496 sec (21) Cleaning up request packet ID 9 with timestamp +528 (22) Cleaning up request packet ID 10 with timestamp +528 (23) Cleaning up request packet ID 11 with timestamp +528 (24) Cleaning up request packet ID 12 with timestamp +528 (25) Cleaning up request packet ID 13 with timestamp +528 Ready to process requests detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.996618 sec detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.833356 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.774564 sec (27) Received Accounting-Request Id 15 from 10.225.251.10:56766 to 172.16.2.4:1813 length 257 (27) Acct-Status-Type = Stop (27) NAS-IP-Address = 10.225.251.10 (27) User-Name = "testing" (27) NAS-Port = 0 (27) NAS-Port-Type = Wireless-802.11 (27) Calling-Station-Id = "f894c2addb53" (27) Called-Station-Id = "removed" (27) Framed-IP-Address = 10.225.251.21 (27) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739" (27) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA" (27) Acct-Delay-Time = 0 (27) Aruba-Essid-Name = "wtf" (27) Aruba-Location-Id = "Building-A" (27) Aruba-User-Vlan = 51 (27) Class = 0x6c6f775f616363657373 (27) Acct-Input-Octets = 186004 (27) Acct-Output-Octets = 97394 (27) Acct-Input-Packets = 1019 (27) Acct-Output-Packets = 430 (27) Acct-Terminate-Cause = Idle-Timeout (27) Acct-Session-Time = 35 (27) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (27) preacct { (27) [preprocess] = ok (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (27) EXPAND %{User-Name} (27) --> testing (27) SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (14) (27) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53') rlm_sql (sql): Released connection (14) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (27) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') } (27) --> 0 (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (27) [ok] = ok (27) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok (27) ... skipping else: Preceding "if" was taken (27) policy acct_unique { (27) update request { (27) &Tmp-String-9 := "ai:" (27) } # update request = noop (27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (27) EXPAND %{hex:&Class} (27) --> 6c6f775f616363657373 (27) EXPAND ^%{hex:&Tmp-String-9} (27) --> ^61693a (27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (27) else { (27) update request { (27) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (27) --> cdbb232bc69b751f19684df63248fe05 (27) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05 (27) } # update request = noop (27) } # else = noop (27) } # policy acct_unique = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "testing", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) [files] = noop (27) } # preacct = ok (27) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (27) accounting { (27) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (27) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (27) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (27) detail: EXPAND %t (27) detail: --> Tue Apr 4 13:56:34 2023 (27) [detail] = ok (27) [unix] = ok (27) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (27) sql: --> type.stop.query (27) sql: Using query template 'query' rlm_sql (sql): Reserved connection (12) (27) sql: EXPAND %{User-Name} (27) sql: --> testing (27) sql: SQL-User-Name set to 'testing' (27) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (27) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05' (27) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (27) sql: SQL query returned: success (27) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) (27) [sql] = ok (27) [exec] = noop (27) attr_filter.accounting_response: EXPAND %{User-Name} (27) attr_filter.accounting_response: --> testing (27) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (27) [attr_filter.accounting_response] = updated (27) } # accounting = updated (27) Sent Accounting-Response Id 15 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0 (27) Finished request (27) Cleaning up request packet ID 15 with timestamp +564 Ready to process requests detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.212151 sec Thanks, On Tuesday, 4 April, 2023, 12:39:51 am IST, Alan DeKok <aland@deployingradius.com> wrote: On Apr 3, 2023, at 1:10 PM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My bad, have used "==" operator with "users" file.
That's good.
The following in radcheck is working, is it possible to add multiple mac-addr values ?. I tried adding 3rd row with different mac-addr, it did not work.
Please read the SQL module documentation. See the wiki for "rlm_sql". The documentation describes how the module works, and what needs to go into SQL. You can't just add things to SQL and expect FreeRADIUS to understand what you mean.
What you want is s policy which says:
if user is X and MAC is not Y reject
Where to add this query ?.
In sites-enabled/default, under authenticate {} or authorize {} section or somewhere else ?.
You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear. You can't just put the SQL query into a virtual server, though. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html