Copyright (C) 1999-2015 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /etc/raddb/dictionary including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/eap including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/accounting including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/" run_dir = "/var/run/radiusd" libdir = "/usr/lib" radacctdir = "/var/log//radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client xxx.xxx.xxx.0/24 { ipaddr = xxx.xxx.xxx.2 require_message_authenticator = no secret = <<< secret >>> shortname = "CAMPUS-MANAGEMENT" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debug state unknown (cap_sys_ptrace capability not set) radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_exec # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log//radwtmp" } # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log//radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log//radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:68 Cistron compatibility checks for entry cwlu ... [/etc/raddb/mods-config/files/authorize]:71 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:72 Cistron compatibility checks for entry student ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:202 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } rlm_mschap (mschap): using internal authentication # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log//radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log//radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log//radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log//radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log//sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log//linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log//linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/AuthCert.pem" certificate_file = "/etc/raddb/certs/AuthCert.pem" ca_file = "/etc/raddb/certs/cacrl/cacrl.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { tmpdir = "/etc/raddb/certs/tmp" client = "/check_client_cert.sh /etc/raddb/certs/tmp %{TLS-Client-Cert-Filename} /etc/raddb/certs/AuthCert.pem" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Ready to process requests (0) Received Access-Request Id 125 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 263 (0) User-Name = 'student' (0) Framed-MTU = 1400 (0) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (0) Calling-Station-Id = '00-25-9C-94-85-84' (0) Cisco-AVPair = 'ssid=CAMPUS' (0) Service-Type = Login-User (0) Cisco-AVPair = 'service-type=Login' (0) Message-Authenticator = 0xbb1898762731522dc4e039459f3fae45 (0) EAP-Message = 0x0201000c016169726c696e65 (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 436 (0) NAS-Port-Id = '436' (0) NAS-IP-Address = xxx.xxx.xxx.2 (0) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "student", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) update control { (0) EAP-TLS-Require-Client-Cert := Yes (0) } # update control = noop (0) eap: Peer sent code Response (2) ID 1 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent method Identity (1) (0) eap: Calling eap_ttls to process EAP data (0) eap_ttls: Flushing SSL sessions (of #0) (0) eap_ttls: Requiring client certificate (0) eap_ttls: Initiate (0) eap_ttls: Requiring client certificate (0) eap_ttls: Start returned 1 (0) eap: EAP session adding &reply:State = 0x9bcdbfd59bcfaaec (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 125 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (0) EAP-Message = 0x010200061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x9bcdbfd59bcfaaec19ea252da52603d3 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 126 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 351 (1) User-Name = 'student' (1) Framed-MTU = 1400 (1) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (1) Calling-Station-Id = '00-25-9C-94-85-84' (1) Cisco-AVPair = 'ssid=CAMPUS' (1) Service-Type = Login-User (1) Cisco-AVPair = 'service-type=Login' (1) Message-Authenticator = 0x1e7d6b8992e939b8afb5559f2bd93c49 (1) EAP-Message = 0x0202005215800000004816030100430100003f030155a38da0a8295960790984953dd5d6fda60f005413166d2da99c8ea0aa6bb2b700001800390038003300320016001300660035002f000a000500040100 (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Port = 436 (1) NAS-Port-Id = '436' (1) State = 0x9bcdbfd59bcfaaec19ea252da52603d3 (1) NAS-IP-Address = xxx.xxx.xxx.2 (1) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "student", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) update control { (1) EAP-TLS-Require-Client-Cert := Yes (1) } # update control = noop (1) eap: Peer sent code Response (2) ID 2 length 82 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x9bcdbfd59bcfaaec (1) eap: Finished EAP session with state 0x9bcdbfd59bcfaaec (1) eap: Previous EAP request found for state 0x9bcdbfd59bcfaaec, released from the list (1) eap: Peer sent method TTLS (21) (1) eap: EAP TTLS (21) (1) eap: Calling eap_ttls to process EAP data (1) eap_ttls: Authenticate (1) eap_ttls: processing EAP-TLS (1) eap_ttls: TLS Length 72 (1) eap_ttls: Length Included (1) eap_ttls: eaptls_verify returned 11 (1) eap_ttls: (other): before/accept initialization (1) eap_ttls: TLS_accept: before/accept initialization (1) eap_ttls: <<< Unknown TLS version [length 0005] (1) eap_ttls: <<< TLS 1.0 Handshake [length 0043], ClientHello (1) eap_ttls: TLS_accept: SSLv3 read client hello A (1) eap_ttls: >>> Unknown TLS version [length 0005] (1) eap_ttls: >>> TLS 1.0 Handshake [length 004a], ServerHello (1) eap_ttls: TLS_accept: SSLv3 write server hello A (1) eap_ttls: >>> Unknown TLS version [length 0005] (1) eap_ttls: >>> TLS 1.0 Handshake [length 13c6], Certificate (1) eap_ttls: TLS_accept: SSLv3 write certificate A (1) eap_ttls: >>> Unknown TLS version [length 0005] (1) eap_ttls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange (1) eap_ttls: TLS_accept: SSLv3 write key exchange A (1) eap_ttls: >>> Unknown TLS version [length 0005] (1) eap_ttls: >>> TLS 1.0 Handshake [length 010b], CertificateRequest (1) eap_ttls: TLS_accept: SSLv3 write certificate request A (1) eap_ttls: TLS_accept: SSLv3 flush data (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_ttls: eaptls_process returned 13 (1) eap: EAP session adding &reply:State = 0x9bcdbfd59aceaaec (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 126 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (1) EAP-Message = 0x010303f615c00000173c160301004a0200004603011fa4e35bb881349722b8f6061450071533b4af7a88311fea6eff087cd823e58c2093c65df3253f3fa2c2fac8c19ccbb47e845394db8f7659602f0f704dc8cec08900390016030113c60b0013c20013bf00068b308206873082056fa0030201020212 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x9bcdbfd59aceaaec19ea252da52603d3 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 127 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (2) User-Name = 'student' (2) Framed-MTU = 1400 (2) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (2) Calling-Station-Id = '00-25-9C-94-85-84' (2) Cisco-AVPair = 'ssid=CAMPUS' (2) Service-Type = Login-User (2) Cisco-AVPair = 'service-type=Login' (2) Message-Authenticator = 0x8543fb6b668999949e221e74cf6abe49 (2) EAP-Message = 0x020300061500 (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Port = 436 (2) NAS-Port-Id = '436' (2) State = 0x9bcdbfd59aceaaec19ea252da52603d3 (2) NAS-IP-Address = xxx.xxx.xxx.2 (2) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "student", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) update control { (2) EAP-TLS-Require-Client-Cert := Yes (2) } # update control = noop (2) eap: Peer sent code Response (2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x9bcdbfd59aceaaec (2) eap: Finished EAP session with state 0x9bcdbfd59aceaaec (2) eap: Previous EAP request found for state 0x9bcdbfd59aceaaec, released from the list (2) eap: Peer sent method TTLS (21) (2) eap: EAP TTLS (21) (2) eap: Calling eap_ttls to process EAP data (2) eap_ttls: Authenticate (2) eap_ttls: processing EAP-TLS (2) eap_ttls: Received TLS ACK (2) eap_ttls: Received TLS ACK (2) eap_ttls: ACK handshake fragment handler (2) eap_ttls: eaptls_verify returned 1 (2) eap_ttls: eaptls_process returned 13 (2) eap: EAP session adding &reply:State = 0x9bcdbfd599c9aaec (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 127 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (2) EAP-Message = 0x010403f615c00000173c617279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030206082b06010505070301302a0603551d1104233021880f2b06010401eb10864a01ff30112e0fa00e06052b1b070106a00504033cbf643081f806082b060105050701010481 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x9bcdbfd599c9aaec19ea252da52603d3 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 128 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (3) User-Name = 'student' (3) Framed-MTU = 1400 (3) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (3) Calling-Station-Id = '00-25-9C-94-85-84' (3) Cisco-AVPair = 'ssid=CAMPUS' (3) Service-Type = Login-User (3) Cisco-AVPair = 'service-type=Login' (3) Message-Authenticator = 0x909e7cb645be59cfbf72e50343deff49 (3) EAP-Message = 0x020400061500 (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Port = 436 (3) NAS-Port-Id = '436' (3) State = 0x9bcdbfd599c9aaec19ea252da52603d3 (3) NAS-IP-Address = xxx.xxx.xxx.2 (3) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "student", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) update control { (3) EAP-TLS-Require-Client-Cert := Yes (3) } # update control = noop (3) eap: Peer sent code Response (2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x9bcdbfd599c9aaec (3) eap: Finished EAP session with state 0x9bcdbfd599c9aaec (3) eap: Previous EAP request found for state 0x9bcdbfd599c9aaec, released from the list (3) eap: Peer sent method TTLS (21) (3) eap: EAP TTLS (21) (3) eap: Calling eap_ttls to process EAP data (3) eap_ttls: Authenticate (3) eap_ttls: processing EAP-TLS (3) eap_ttls: Received TLS ACK (3) eap_ttls: Received TLS ACK (3) eap_ttls: ACK handshake fragment handler (3) eap_ttls: eaptls_verify returned 1 (3) eap_ttls: eaptls_process returned 13 (3) eap: EAP session adding &reply:State = 0x9bcdbfd598c8aaec (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 128 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (3) EAP-Message = 0x010503f615c00000173c6566656e636520616e6420537061636520436f6d70616e7931193017060355040b13105445535420454e5649524f4e4d454e54311530130603550403130c45414453205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100abf6 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x9bcdbfd598c8aaec19ea252da52603d3 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 129 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (4) User-Name = 'student' (4) Framed-MTU = 1400 (4) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (4) Calling-Station-Id = '00-25-9C-94-85-84' (4) Cisco-AVPair = 'ssid=CAMPUS' (4) Service-Type = Login-User (4) Cisco-AVPair = 'service-type=Login' (4) Message-Authenticator = 0x7f008e8914d2ebd4183f21849db4632c (4) EAP-Message = 0x020500061500 (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Port = 436 (4) NAS-Port-Id = '436' (4) State = 0x9bcdbfd598c8aaec19ea252da52603d3 (4) NAS-IP-Address = xxx.xxx.xxx.2 (4) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "student", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) update control { (4) EAP-TLS-Require-Client-Cert := Yes (4) } # update control = noop (4) eap: Peer sent code Response (2) ID 5 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x9bcdbfd598c8aaec (4) eap: Finished EAP session with state 0x9bcdbfd598c8aaec (4) eap: Previous EAP request found for state 0x9bcdbfd598c8aaec, released from the list (4) eap: Peer sent method TTLS (21) (4) eap: EAP TTLS (21) (4) eap: Calling eap_ttls to process EAP data (4) eap_ttls: Authenticate (4) eap_ttls: processing EAP-TLS (4) eap_ttls: Received TLS ACK (4) eap_ttls: Received TLS ACK (4) eap_ttls: ACK handshake fragment handler (4) eap_ttls: eaptls_verify returned 1 (4) eap_ttls: eaptls_process returned 13 (4) eap: EAP session adding &reply:State = 0x9bcdbfd59fcbaaec (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 129 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (4) EAP-Message = 0x010603f615c00000173c20646f206e6f74207472757374308180060b2b06010401ff300306026a3071306f06082b06010505070202306330331a2c4575726f7065616e204165726f737061636520446566656e636520616e6420537061636520436f6d70616e7930030201011a2c54455354206d656469 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x9bcdbfd59fcbaaec19ea252da52603d3 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 130 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (5) User-Name = 'student' (5) Framed-MTU = 1400 (5) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (5) Calling-Station-Id = '00-25-9C-94-85-84' (5) Cisco-AVPair = 'ssid=CAMPUS' (5) Service-Type = Login-User (5) Cisco-AVPair = 'service-type=Login' (5) Message-Authenticator = 0x47292d5e469bdb12cae59436a4e46b84 (5) EAP-Message = 0x020600061500 (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 436 (5) NAS-Port-Id = '436' (5) State = 0x9bcdbfd59fcbaaec19ea252da52603d3 (5) NAS-IP-Address = xxx.xxx.xxx.2 (5) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "student", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) EAP-TLS-Require-Client-Cert := Yes (5) } # update control = noop (5) eap: Peer sent code Response (2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x9bcdbfd59fcbaaec (5) eap: Finished EAP session with state 0x9bcdbfd59fcbaaec (5) eap: Previous EAP request found for state 0x9bcdbfd59fcbaaec, released from the list (5) eap: Peer sent method TTLS (21) (5) eap: EAP TTLS (21) (5) eap: Calling eap_ttls to process EAP data (5) eap_ttls: Authenticate (5) eap_ttls: processing EAP-TLS (5) eap_ttls: Received TLS ACK (5) eap_ttls: Received TLS ACK (5) eap_ttls: ACK handshake fragment handler (5) eap_ttls: eaptls_verify returned 1 (5) eap_ttls: eaptls_process returned 13 (5) eap: EAP session adding &reply:State = 0x9bcdbfd59ecaaaec (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 130 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (5) EAP-Message = 0x010703f615c00000173c5f23c6763fbe6fdd273e034fb3ef4cc6dbc9af18a7fe9bdc9ddaf9d1048b12e9492b5adcfc8c80cd5f749b62b43973d45f5eeac198a70c93ea431cb7c657ce8358dc884b12bb165499ae668887c6fab20d0dfbd1c47ee0bc4de3413caea8bc123b78da5a72b3495966d4ca3d8e (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9bcdbfd59ecaaaec19ea252da52603d3 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 131 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (6) User-Name = 'student' (6) Framed-MTU = 1400 (6) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (6) Calling-Station-Id = '00-25-9C-94-85-84' (6) Cisco-AVPair = 'ssid=CAMPUS' (6) Service-Type = Login-User (6) Cisco-AVPair = 'service-type=Login' (6) Message-Authenticator = 0x716976d3dd634b7728acb1bb137021e1 (6) EAP-Message = 0x020700061500 (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Port = 436 (6) NAS-Port-Id = '436' (6) State = 0x9bcdbfd59ecaaaec19ea252da52603d3 (6) NAS-IP-Address = xxx.xxx.xxx.2 (6) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "student", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) EAP-TLS-Require-Client-Cert := Yes (6) } # update control = noop (6) eap: Peer sent code Response (2) ID 7 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9bcdbfd59ecaaaec (6) eap: Finished EAP session with state 0x9bcdbfd59ecaaaec (6) eap: Previous EAP request found for state 0x9bcdbfd59ecaaaec, released from the list (6) eap: Peer sent method TTLS (21) (6) eap: EAP TTLS (21) (6) eap: Calling eap_ttls to process EAP data (6) eap_ttls: Authenticate (6) eap_ttls: processing EAP-TLS (6) eap_ttls: Received TLS ACK (6) eap_ttls: Received TLS ACK (6) eap_ttls: ACK handshake fragment handler (6) eap_ttls: eaptls_verify returned 1 (6) eap_ttls: eaptls_process returned 13 (6) eap: EAP session adding &reply:State = 0x9bcdbfd59dc5aaec (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 131 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (6) EAP-Message = 0x010803aa15800000173c8ba6a40484a4bc00dab30a60ccdd92a848f87c1942082eea078e3389aa55bc97197a336850e513e5a6bcea0fe737e33a63fbde18a8624d266b8a140124a31014dd1babde5cb973cd8788868f782d98c443ee22e856fe50459d56a676aa381fc829f0513986de5c643acc170378 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x9bcdbfd59dc5aaec19ea252da52603d3 (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 132 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 1679 (7) User-Name = 'student' (7) Framed-MTU = 1400 (7) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (7) Calling-Station-Id = '00-25-9C-94-85-84' (7) Cisco-AVPair = 'ssid=CAMPUS' (7) Service-Type = Login-User (7) Cisco-AVPair = 'service-type=Login' (7) Message-Authenticator = 0x9c585e791741ce48d0b5098df28541ff (7) EAP-Message = 0x0208057815c00000159c16030113c60b0013c20013bf00068b308206873082056fa003020102021211215ad55946647e3915b964010827e2e9f2300d06092a864886f70d01010505003077310b300906035504061302444531363034060355040a132d4575726f7065616e204165726f6e617574696320 (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Port = 436 (7) NAS-Port-Id = '436' (7) State = 0x9bcdbfd59dc5aaec19ea252da52603d3 (7) NAS-IP-Address = xxx.xxx.xxx.2 (7) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "student", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) EAP-TLS-Require-Client-Cert := Yes (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 8 length 1400 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x9bcdbfd59dc5aaec (7) eap: Finished EAP session with state 0x9bcdbfd59dc5aaec (7) eap: Previous EAP request found for state 0x9bcdbfd59dc5aaec, released from the list (7) eap: Peer sent method TTLS (21) (7) eap: EAP TTLS (21) (7) eap: Calling eap_ttls to process EAP data (7) eap_ttls: Authenticate (7) eap_ttls: processing EAP-TLS (7) eap_ttls: TLS Length 5532 (7) eap_ttls: Received EAP-TLS First Fragment of the message (7) eap_ttls: eaptls_verify returned 9 (7) eap_ttls: eaptls_process returned 13 (7) eap: EAP session adding &reply:State = 0x9bcdbfd59cc4aaec (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Sent Access-Challenge Id 132 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (7) EAP-Message = 0x010900061500 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x9bcdbfd59cc4aaec19ea252da52603d3 (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 133 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 1679 (8) User-Name = 'student' (8) Framed-MTU = 1400 (8) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (8) Calling-Station-Id = '00-25-9C-94-85-84' (8) Cisco-AVPair = 'ssid=CAMPUS' (8) Service-Type = Login-User (8) Cisco-AVPair = 'service-type=Login' (8) Message-Authenticator = 0xbcd7ca03fa688510616e87cac8f26033 (8) EAP-Message = 0x0209057815403016801448aaa68d782a31cc872387e93c1c179a039146fb300d06092a864886f70d010105050003820101003e934713857a355f608f8f3f7f9916a3215c740cf0712bee056451e15b897b5d665b9640d44ee329aecc9fac099fd8a25555002ab05cb1a1fd4fe12f37871543c6a5e3d4b9 (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Port = 436 (8) NAS-Port-Id = '436' (8) State = 0x9bcdbfd59cc4aaec19ea252da52603d3 (8) NAS-IP-Address = xxx.xxx.xxx.2 (8) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (!&User-Name) { (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) { (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "student", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) EAP-TLS-Require-Client-Cert := Yes (8) } # update control = noop (8) eap: Peer sent code Response (2) ID 9 length 1400 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x9bcdbfd59cc4aaec (8) eap: Finished EAP session with state 0x9bcdbfd59cc4aaec (8) eap: Previous EAP request found for state 0x9bcdbfd59cc4aaec, released from the list (8) eap: Peer sent method TTLS (21) (8) eap: EAP TTLS (21) (8) eap: Calling eap_ttls to process EAP data (8) eap_ttls: Authenticate (8) eap_ttls: processing EAP-TLS (8) eap_ttls: More fragments to follow (8) eap_ttls: eaptls_verify returned 10 (8) eap_ttls: eaptls_process returned 13 (8) eap: EAP session adding &reply:State = 0x9bcdbfd593c7aaec (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 133 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (8) EAP-Message = 0x010a00061500 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x9bcdbfd593c7aaec19ea252da52603d3 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 134 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 1679 (9) User-Name = 'student' (9) Framed-MTU = 1400 (9) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (9) Calling-Station-Id = '00-25-9C-94-85-84' (9) Cisco-AVPair = 'ssid=CAMPUS' (9) Service-Type = Login-User (9) Cisco-AVPair = 'service-type=Login' (9) Message-Authenticator = 0x31161572c7523ccf41bd9ae9753bd931 (9) EAP-Message = 0x020a05781540206d656469756d2073772063627020706f6c696379202d20646f206e6f74207472757374307c060b2b06010401ff3003060269306d306b06082b06010505070202305f30331a2c4575726f7065616e204165726f737061636520446566656e636520616e6420537061636520436f6d7061 (9) NAS-Port-Type = Wireless-802.11 (9) NAS-Port = 436 (9) NAS-Port-Id = '436' (9) State = 0x9bcdbfd593c7aaec19ea252da52603d3 (9) NAS-IP-Address = xxx.xxx.xxx.2 (9) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (!&User-Name) { (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "student", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) EAP-TLS-Require-Client-Cert := Yes (9) } # update control = noop (9) eap: Peer sent code Response (2) ID 10 length 1400 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x9bcdbfd593c7aaec (9) eap: Finished EAP session with state 0x9bcdbfd593c7aaec (9) eap: Previous EAP request found for state 0x9bcdbfd593c7aaec, released from the list (9) eap: Peer sent method TTLS (21) (9) eap: EAP TTLS (21) (9) eap: Calling eap_ttls to process EAP data (9) eap_ttls: Authenticate (9) eap_ttls: processing EAP-TLS (9) eap_ttls: More fragments to follow (9) eap_ttls: eaptls_verify returned 10 (9) eap_ttls: eaptls_process returned 13 (9) eap: EAP session adding &reply:State = 0x9bcdbfd592c6aaec (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Sent Access-Challenge Id 134 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (9) EAP-Message = 0x010b00061500 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x9bcdbfd592c6aaec19ea252da52603d3 (9) Finished request Waking up in 4.8 seconds. (10) Received Access-Request Id 135 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 1639 (10) User-Name = 'student' (10) Framed-MTU = 1400 (10) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (10) Calling-Station-Id = '00-25-9C-94-85-84' (10) Cisco-AVPair = 'ssid=CAMPUS' (10) Service-Type = Login-User (10) Cisco-AVPair = 'service-type=Login' (10) Message-Authenticator = 0x9cfd51842c173b94013e93baad56352e (10) EAP-Message = 0x020b055015006d70616e7931193017060355040b13105445535420454e5649524f4e4d454e54311a30180603550403131145414453205445535420526f6f74204341301e170d3038303432353030303030305a170d3238303432353030303030305a307c310b3009060355040613024445313630340603 (10) NAS-Port-Type = Wireless-802.11 (10) NAS-Port = 436 (10) NAS-Port-Id = '436' (10) State = 0x9bcdbfd592c6aaec19ea252da52603d3 (10) NAS-IP-Address = xxx.xxx.xxx.2 (10) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (!&User-Name) { (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) { (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "student", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) update control { (10) EAP-TLS-Require-Client-Cert := Yes (10) } # update control = noop (10) eap: Peer sent code Response (2) ID 11 length 1360 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0x9bcdbfd592c6aaec (10) eap: Finished EAP session with state 0x9bcdbfd592c6aaec (10) eap: Previous EAP request found for state 0x9bcdbfd592c6aaec, released from the list (10) eap: Peer sent method TTLS (21) (10) eap: EAP TTLS (21) (10) eap: Calling eap_ttls to process EAP data (10) eap_ttls: Authenticate (10) eap_ttls: processing EAP-TLS (10) eap_ttls: eaptls_verify returned 7 (10) eap_ttls: Done initial handshake (10) eap_ttls: <<< Unknown TLS version [length 0005] (10) eap_ttls: <<< TLS 1.0 Handshake [length 13c6], Certificate (10) eap_ttls: TLS Verify creating certificate attributes (10) eap_ttls: chain-depth=2, (10) eap_ttls: error=0 (10) eap_ttls: --> User-Name = student (10) eap_ttls: --> BUF-Name = EADS TEST Root CA (10) eap_ttls: --> subject = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS TEST Root CA (10) eap_ttls: --> issuer = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS TEST Root CA (10) eap_ttls: --> verify return:1 (10) eap_ttls: TLS Verify creating certificate attributes (10) eap_ttls: TLS-Cert-Serial := '07' (10) eap_ttls: TLS-Cert-Expiration := '190525193644Z' (10) eap_ttls: TLS-Cert-Subject := '/C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS Test CA' (10) eap_ttls: TLS-Cert-Issuer := '/C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS TEST Root CA' (10) eap_ttls: TLS-Cert-Common-Name := 'EADS Test CA' (10) eap_ttls: chain-depth=1, (10) eap_ttls: error=0 (10) eap_ttls: --> User-Name = student (10) eap_ttls: --> BUF-Name = EADS Test CA (10) eap_ttls: --> subject = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS Test CA (10) eap_ttls: --> issuer = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS TEST Root CA (10) eap_ttls: --> verify return:1 (10) eap_ttls: TLS Verify creating certificate attributes (10) eap_ttls: TLS-Client-Cert-Serial := '11215ad55946647e3915b964010827e2e9f2' (10) eap_ttls: TLS-Client-Cert-Expiration := '170129141552Z' (10) eap_ttls: TLS-Client-Cert-Subject := '/C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/OU=Aircraft/OU=AIB/CN=D-AXYZ.A359.AIB.auth' (10) eap_ttls: TLS-Client-Cert-Issuer := '/C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS Test CA' (10) eap_ttls: TLS-Client-Cert-Common-Name := 'D-AXYZ.A359.AIB.auth' (10) eap_ttls: TLS-Client-Cert-X509v3-Extended-Key-Usage += 'TLS Web Client Authentication, TLS Web Server Authentication' (10) eap_ttls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += '5B:09:9D:C9:0F:7F:68:FE:6D:B6:CF:B1:9F:BF:BD:F8:6C:89:25:42' (10) eap_ttls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += 'keyid:48:AA:A6:8D:78:2A:31:CC:87:23:87:E9:3C:1C:17:9A:03:91:46:FB ' (10) eap_ttls: Verifying client certificate: /check_client_cert.sh /etc/raddb/certs/tmp %{TLS-Client-Cert-Filename} /etc/raddb/certs/AuthCert.pem (10) eap_ttls: Executing: /check_client_cert.sh /etc/raddb/certs/tmp %{TLS-Client-Cert-Filename} /etc/raddb/certs/AuthCert.pem: (10) eap_ttls: EXPAND %{TLS-Client-Cert-Filename} (10) eap_ttls: --> /etc/raddb/certs/tmp/radiusd.client.XXDju6gZ (10) eap_ttls: Program returned code (0) and output 'Last client-OU: AIB; Last server-OU: AIB EKU: TLS Web Client Authentication, TLS Web Server Authentication' (10) eap_ttls: Client certificate CN D-AXYZ.A359.AIB.auth passed external validation (10) eap_ttls: chain-depth=0, (10) eap_ttls: error=0 (10) eap_ttls: --> User-Name = student (10) eap_ttls: --> BUF-Name = D-AXYZ.A359.AIB.auth (10) eap_ttls: --> subject = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/OU=Aircraft/OU=AIB/CN=D-AXYZ.A359.AIB.auth (10) eap_ttls: --> issuer = /C=DE/O=European Aeronautic Defence and Space Company/OU=TEST ENVIRONMENT/CN=EADS Test CA (10) eap_ttls: --> verify return:1 (10) eap_ttls: TLS_accept: SSLv3 read client certificate A (10) eap_ttls: <<< Unknown TLS version [length 0005] (10) eap_ttls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange (10) eap_ttls: TLS_accept: SSLv3 read client key exchange A (10) eap_ttls: <<< Unknown TLS version [length 0005] (10) eap_ttls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify (10) eap_ttls: TLS_accept: SSLv3 read certificate verify A (10) eap_ttls: <<< Unknown TLS version [length 0005] (10) eap_ttls: <<< TLS 1.0 ChangeCipherSpec [length 0001] (10) eap_ttls: <<< Unknown TLS version [length 0005] (10) eap_ttls: <<< TLS 1.0 Handshake [length 0010], Finished (10) eap_ttls: TLS_accept: SSLv3 read finished A (10) eap_ttls: >>> Unknown TLS version [length 0005] (10) eap_ttls: >>> TLS 1.0 ChangeCipherSpec [length 0001] (10) eap_ttls: TLS_accept: SSLv3 write change cipher spec A (10) eap_ttls: >>> Unknown TLS version [length 0005] (10) eap_ttls: >>> TLS 1.0 Handshake [length 0010], Finished (10) eap_ttls: TLS_accept: SSLv3 write finished A (10) eap_ttls: TLS_accept: SSLv3 flush data TLS: adding session 93c65df3253f3fa2c2fac8c19ccbb47e845394db8f7659602f0f704dc8cec089 to cache (10) eap_ttls: (other): SSL negotiation finished successfully SSL Connection Established (10) eap_ttls: eaptls_process returned 13 (10) eap: EAP session adding &reply:State = 0x9bcdbfd591c1aaec (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Sent Access-Challenge Id 135 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (10) EAP-Message = 0x010c004515800000003b1403010001011603010030abda9f1cae570cd3812fb7da16c2565f2c2bbb01bfe0ba0ec29f62dd7db404e0454ec96830171a81a67216eb760d8e97 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x9bcdbfd591c1aaec19ea252da52603d3 (10) Finished request Waking up in 4.7 seconds. (11) Received Access-Request Id 136 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 428 (11) User-Name = 'student' (11) Framed-MTU = 1400 (11) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (11) Calling-Station-Id = '00-25-9C-94-85-84' (11) Cisco-AVPair = 'ssid=CAMPUS' (11) Service-Type = Login-User (11) Cisco-AVPair = 'service-type=Login' (11) Message-Authenticator = 0xaa530fbdd5ef0587bfaa519bd78293b7 (11) EAP-Message = 0x020c009f15800000009517030100901bff4f07430717e3ddf1e64c6815701812681fcf9824fc2c02b4f641fc643640f750157f2a95290b91aa6ad0777e34bff74364001caa14b058007bc8bfaa6e33763ea05e71b92b0caa0a90f3e76451f1ace888a14ab2ebbf8b0dfd5bef5d125037866d2955eafa99 (11) NAS-Port-Type = Wireless-802.11 (11) NAS-Port = 436 (11) NAS-Port-Id = '436' (11) State = 0x9bcdbfd591c1aaec19ea252da52603d3 (11) NAS-IP-Address = xxx.xxx.xxx.2 (11) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (!&User-Name) { (11) if (!&User-Name) -> FALSE (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@.*@/ ) { (11) if (&User-Name =~ /@.*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "student", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) update control { (11) EAP-TLS-Require-Client-Cert := Yes (11) } # update control = noop (11) eap: Peer sent code Response (2) ID 12 length 159 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x9bcdbfd591c1aaec (11) eap: Finished EAP session with state 0x9bcdbfd591c1aaec (11) eap: Previous EAP request found for state 0x9bcdbfd591c1aaec, released from the list (11) eap: Peer sent method TTLS (21) (11) eap: EAP TTLS (21) (11) eap: Calling eap_ttls to process EAP data (11) eap_ttls: Authenticate (11) eap_ttls: processing EAP-TLS (11) eap_ttls: TLS Length 149 (11) eap_ttls: Length Included (11) eap_ttls: eaptls_verify returned 11 (11) eap_ttls: <<< Unknown TLS version [length 0005] (11) eap_ttls: eaptls_process returned 7 (11) eap_ttls: Session established. Proceeding to decode tunneled attributes (11) eap_ttls: Got tunneled request (11) eap_ttls: User-Name = 'student' (11) eap_ttls: MS-CHAP-Challenge = 0xd90494ec392b33daf7f1eb9b0b8d4cd5 (11) eap_ttls: MS-CHAP2-Response = 0xd000d4956dcf2c2b84603298a98823bb9e090000000000000000865f505be820f1ec7950de9a16dba17abf42798990f37c18 (11) eap_ttls: Sending tunneled request (11) Virtual server inner-tunnel received request (11) User-Name = 'student' (11) MS-CHAP-Challenge = 0xd90494ec392b33daf7f1eb9b0b8d4cd5 (11) MS-CHAP2-Response = 0xd000d4956dcf2c2b84603298a98823bb9e090000000000000000865f505be820f1ec7950de9a16dba17abf42798990f37c18 (11) server inner-tunnel { (11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) [chap] = noop (11) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (11) [mschap] = ok (11) [unix] = notfound (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "student", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) update control { (11) &Proxy-To-Realm := LOCAL (11) } # update control = noop (11) eap: No EAP-Message, not doing EAP (11) [eap] = noop (11) files: users: Matched entry student at line 72 (11) [files] = ok (11) [expiration] = noop (11) [logintime] = noop (11) pap: WARNING: Auth-Type already set. Not setting to PAP (11) [pap] = noop (11) } # authorize = ok (11) Found Auth-Type = MSCHAP (11) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (11) Auth-Type MS-CHAP { (11) mschap: Found Cleartext-Password, hashing to create NT-Password (11) mschap: Found Cleartext-Password, hashing to create LM-Password (11) mschap: Creating challenge hash with username: student (11) mschap: Client is using MS-CHAPv2 (11) mschap: Adding MS-CHAPv2 MPPE keys (11) [mschap] = ok (11) } # Auth-Type MS-CHAP = ok (11) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (11) Login OK: [student/] (from client CAMPUS-MANAGEMENT port 0 via TLS tunnel) (11) } # server inner-tunnel (11) Virtual server sending reply (11) MS-CHAP2-Success = 0xd0533d42464137423734363741393941363446413343444139413532413941393036414538324632433831 (11) MS-MPPE-Recv-Key = 0x82c3ebfbaed78f1663ed5ab09d860e3d (11) MS-MPPE-Send-Key = 0x6e5945017cec36eaf4344452e661045b (11) MS-MPPE-Encryption-Policy = Encryption-Allowed (11) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (11) eap_ttls: Got tunneled Access-Accept (11) eap_ttls: Got MS-CHAP2-Success, tunneling it to the client in a challenge (11) eap_ttls: Sending tunneled reply attributes (11) eap_ttls: MS-CHAP2-Success = 0xd0533d42464137423734363741393941363446413343444139413532413941393036414538324632433831 >>> Unknown TLS version [length 0005] (11) eap: EAP session adding &reply:State = 0x9bcdbfd590c0aaec (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) Post-Auth-Type sub-section not found. Ignoring. (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Sent Access-Challenge Id 136 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 0 (11) EAP-Message = 0x010d005f1580000000551703010050293b2bb1e66356a33e08eaf1f4f04236f3276581708230c47338b9d20131710feb1c2f336e8db9269b229c6bafc124802f075c57dbfc129ea57880d006d6512adf95f3f813b3deb29555e52a1a6bad27 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x9bcdbfd590c0aaec19ea252da52603d3 (11) Finished request Waking up in 2.1 seconds. (12) Received Access-Request Id 137 from xxx.xxx.xxx.2:1645 to xxx.xxx.yyy.109:1812 length 275 (12) User-Name = 'student' (12) Framed-MTU = 1400 (12) Called-Station-Id = 'A4-18-75-02-72-C0:CAMPUS' (12) Calling-Station-Id = '00-25-9C-94-85-84' (12) Cisco-AVPair = 'ssid=CAMPUS' (12) Service-Type = Login-User (12) Cisco-AVPair = 'service-type=Login' (12) Message-Authenticator = 0x9fe78dca8c0679f88d3e530cab540384 (12) EAP-Message = 0x020d00061500 (12) NAS-Port-Type = Wireless-802.11 (12) NAS-Port = 436 (12) NAS-Port-Id = '436' (12) State = 0x9bcdbfd590c0aaec19ea252da52603d3 (12) NAS-IP-Address = xxx.xxx.xxx.2 (12) NAS-Identifier = 'PN=Z420H0100210_SER=420H01000024_SW=ADX581828400002_CFG=ADX591829400002' (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (!&User-Name) { (12) if (!&User-Name) -> FALSE (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@.*@/ ) { (12) if (&User-Name =~ /@.*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "student", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) update control { (12) EAP-TLS-Require-Client-Cert := Yes (12) } # update control = noop (12) eap: Peer sent code Response (2) ID 13 length 6 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = EAP (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x9bcdbfd590c0aaec (12) eap: Finished EAP session with state 0x9bcdbfd590c0aaec (12) eap: Previous EAP request found for state 0x9bcdbfd590c0aaec, released from the list (12) eap: Peer sent method TTLS (21) (12) eap: EAP TTLS (21) (12) eap: Calling eap_ttls to process EAP data (12) eap_ttls: Authenticate (12) eap_ttls: processing EAP-TLS (12) eap_ttls: Received TLS ACK (12) eap_ttls: Received TLS ACK (12) eap_ttls: ERROR: Invalid ACK received: 0 (12) eap_ttls: eaptls_verify returned 0 (12) eap_ttls: eaptls_process returned 0 (12) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (12) eap: Failed in EAP select (12) [eap] = invalid (12) } # authenticate = invalid (12) Failed to authenticate the user (12) Login incorrect (eap_ttls: Invalid ACK received: 0): [student/] (from client CAMPUS-MANAGEMENT port 436 cli 00-25-9C-94-85-84) (12) Using Post-Auth-Type Reject (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Post-Auth-Type REJECT { (12) attr_filter.access_reject: EXPAND %{User-Name} (12) attr_filter.access_reject: --> student (12) attr_filter.access_reject: Matched entry DEFAULT at line 18 (12) [attr_filter.access_reject] = updated (12) [eap] = noop (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # Post-Auth-Type REJECT = updated (12) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (12) : Sending delayed response (12) : Sent Access-Reject Id 137 from xxx.xxx.yyy.109:1812 to xxx.xxx.xxx.2:1645 length 44 (12) : EAP-Message = 0x040d0004 (12) : Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.1 seconds. (0) : Cleaning up request packet ID 125 with timestamp +372 (1) : Cleaning up request packet ID 126 with timestamp +372 (2) : Cleaning up request packet ID 127 with timestamp +372 (3) : Cleaning up request packet ID 128 with timestamp +372 (4) : Cleaning up request packet ID 129 with timestamp +372 (5) : Cleaning up request packet ID 130 with timestamp +372 (6) : Cleaning up request packet ID 131 with timestamp +372 (7) : Cleaning up request packet ID 132 with timestamp +372 (8) : Cleaning up request packet ID 133 with timestamp +372 (9) : Cleaning up request packet ID 134 with timestamp +373 (10) : Cleaning up request packet ID 135 with timestamp +373 Waking up in 2.5 seconds. (11) : Cleaning up request packet ID 136 with timestamp +375 (12) : Cleaning up request packet ID 137 with timestamp +375 Ready to process requests Ready to process requests Signalled to terminate Exiting normally SSL: Removing session 93c65df3253f3fa2c2fac8c19ccbb47e845394db8f7659602f0f704dc8cec089 from the cache