Hi, I am trying in configure my FR v3.0.4 to pass inner identity to outer in eap-peap setup. I read some of the old mails with similar issues, like the following: http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.ht... I made the following setting as suggested in the mail: 1. Update outer reply in file inner-tunnel, post auth: update outer.reply { User-Name = "%{request:User-Name}" } 2. Set "use_tunneled_reply=yes" in file eap With the above setting, I still couldn't get it working. I compared my debug with that of above article. I see the difference at this line: eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob' The above article uses "User-Name". Is this the difference? I use "Stripped-User-Name" for actual authentication against ldap, but want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases. At near the end of the debug, I even see: Stripped-User-Name = 'bigman' which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity". Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows. Fu-Keung Received Access-Request Id 23 from 10.10.1.1:3406 to 10.80.1.1:1812 length 234 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0201000b016269676d616e Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (1) Received Access-Request packet from host 10.10.1.1 port 3406, id=23, length=234 (1) User-Name = 'bigman' (1) Framed-MTU = 1450 (1) EAP-Message = 0x0201000b016269676d616e (1) Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06 (1) Chargeable-User-Identity = 0x00 (1) NAS-IP-Address = 10.10.1.1 (1) NAS-Identifier = 'WiFi-Controller-7' (1) NAS-Port = 33558758 (1) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = '00-18-60-68-03-EC' (1) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (1) Acct-Session-Id = '115001511383b5ab70' (1) Framed-IP-Address = 202.189.123.194 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (1) authorize { (1) filter_username filter_username { (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (1) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (1) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (1) auth_log : EXPAND %t (1) auth_log : --> Thu Jan 15 11:38:41 2015 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "bigman", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "bigman" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (1) EXPAND %{Realm} (1) --> NULL (1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (1) eap : Peer sent code Response (2) ID 1 length 11 (1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (1) authenticate { (1) eap : Peer sent method Identity (1) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c45dc8f5 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=23, length=0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xc45fd1a2c45dc8f54b145a25fcad284d Sending Access-Challenge Id 23 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c45dc8f54b145a25fcad284d (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 24 from 10.10.1.1:3406 to 10.80.1.1:1812 length 481 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976 ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060 00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500 120013000100020003000f00100011 Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c45dc8f54b145a25fcad284d (2) Received Access-Request packet from host 10.10.1.1 port 3406, id=24, length=481 (2) User-Name = 'bigman' (2) Framed-MTU = 1450 (2) EAP-Message = 0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976 ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060 00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500 120013000100020003000f00100011 (2) Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7 (2) Chargeable-User-Identity = 0x00 (2) NAS-IP-Address = 10.10.1.1 (2) NAS-Identifier = 'WiFi-Controller-7' (2) NAS-Port = 33558758 (2) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = '00-18-60-68-03-EC' (2) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (2) Acct-Session-Id = '115001511383b5ab70' (2) Framed-IP-Address = 202.189.123.194 (2) State = 0xc45fd1a2c45dc8f54b145a25fcad284d (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (2) authorize { (2) filter_username filter_username { (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (2) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (2) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (2) auth_log : EXPAND %t (2) auth_log : --> Thu Jan 15 11:38:41 2015 (2) [auth_log] = ok (2) [chap] = noop (2) [mschap] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "bigman", looking up realm NULL (2) suffix : Found realm "NULL" (2) suffix : Adding Stripped-User-Name = "bigman" (2) suffix : Adding Realm = "NULL" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (2) EXPAND %{Realm} (2) --> NULL (2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (2) eap : Peer sent code Response (2) ID 2 length 240 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (2) authenticate { (2) eap : Expiring EAP session with state 0xc45fd1a2c45dc8f5 (2) eap : Finished EAP session with state 0xc45fd1a2c45dc8f5 (2) eap : Previous EAP request found for state 0xc45fd1a2c45dc8f5, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 976ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e74 (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0cb2], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c55cc8f5 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=24, length=0 (2) EAP-Message = 0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1 732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311 63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30 190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333 95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b 130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707 320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920 5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d01010105000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc45fd1a2c55cc8f54b145a25fcad284d Sending Access-Challenge Id 24 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1 732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311 63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30 190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333 95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b 130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707 320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920 5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d0101010500038 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c55cc8f54b145a25fcad284d (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 25 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020300061900 Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c55cc8f54b145a25fcad284d (3) Received Access-Request packet from host 10.10.1.1 port 3406, id=25, length=247 (3) User-Name = 'bigman' (3) Framed-MTU = 1450 (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e (3) Chargeable-User-Identity = 0x00 (3) NAS-IP-Address = 10.10.1.1 (3) NAS-Identifier = 'WiFi-Controller-7' (3) NAS-Port = 33558758 (3) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = '00-18-60-68-03-EC' (3) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (3) Acct-Session-Id = '115001511383b5ab70' (3) Framed-IP-Address = 202.189.123.194 (3) State = 0xc45fd1a2c55cc8f54b145a25fcad284d (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (3) authorize { (3) filter_username filter_username { (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (3) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (3) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (3) auth_log : EXPAND %t (3) auth_log : --> Thu Jan 15 11:38:41 2015 (3) [auth_log] = ok (3) [chap] = noop (3) [mschap] = noop (3) suffix : Checking for suffix after "@" (3) suffix : No '@' in User-Name = "bigman", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "bigman" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (3) EXPAND %{Realm} (3) --> NULL (3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (3) authenticate { (3) eap : Expiring EAP session with state 0xc45fd1a2c55cc8f5 (3) eap : Finished EAP session with state 0xc45fd1a2c55cc8f5 (3) eap : Previous EAP request found for state 0xc45fd1a2c55cc8f5, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c65bc8f5 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=25, length=0 (3) EAP-Message = 0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676 56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f 677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703 a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d 46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3 88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663 c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0 0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xc45fd1a2c65bc8f54b145a25fcad284d Sending Access-Challenge Id 25 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676 56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f 677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703 a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d 46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3 88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663 c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0 0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c65bc8f54b145a25fcad284d (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 26 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020400061900 Message-Authenticator = 0x07909351500113863860a840942c0c81 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c65bc8f54b145a25fcad284d (4) Received Access-Request packet from host 10.10.1.1 port 3406, id=26, length=247 (4) User-Name = 'bigman' (4) Framed-MTU = 1450 (4) EAP-Message = 0x020400061900 (4) Message-Authenticator = 0x07909351500113863860a840942c0c81 (4) Chargeable-User-Identity = 0x00 (4) NAS-IP-Address = 10.10.1.1 (4) NAS-Identifier = 'WiFi-Controller-7' (4) NAS-Port = 33558758 (4) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = '00-18-60-68-03-EC' (4) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (4) Acct-Session-Id = '115001511383b5ab70' (4) Framed-IP-Address = 202.189.123.194 (4) State = 0xc45fd1a2c65bc8f54b145a25fcad284d (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (4) authorize { (4) filter_username filter_username { (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (4) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (4) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (4) auth_log : EXPAND %t (4) auth_log : --> Thu Jan 15 11:38:41 2015 (4) [auth_log] = ok (4) [chap] = noop (4) [mschap] = noop (4) suffix : Checking for suffix after "@" (4) suffix : No '@' in User-Name = "bigman", looking up realm NULL (4) suffix : Found realm "NULL" (4) suffix : Adding Stripped-User-Name = "bigman" (4) suffix : Adding Realm = "NULL" (4) suffix : Authentication realm is LOCAL (4) [suffix] = ok (4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (4) EXPAND %{Realm} (4) --> NULL (4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (4) eap : Peer sent code Response (2) ID 4 length 6 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (4) authenticate { (4) eap : Expiring EAP session with state 0xc45fd1a2c65bc8f5 (4) eap : Finished EAP session with state 0xc45fd1a2c65bc8f5 (4) eap : Previous EAP request found for state 0xc45fd1a2c65bc8f5, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c75ac8f5 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=26, length=0 (4) EAP-Message = 0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006 0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746 76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472 7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495 f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61 ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312 b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069 c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8e (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xc45fd1a2c75ac8f54b145a25fcad284d Sending Access-Challenge Id 26 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006 0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746 76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472 7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495 f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61 ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312 b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069 c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c75ac8f54b145a25fcad284d (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 27 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020500061900 Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c75ac8f54b145a25fcad284d (5) Received Access-Request packet from host 10.10.1.1 port 3406, id=27, length=247 (5) User-Name = 'bigman' (5) Framed-MTU = 1450 (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38 (5) Chargeable-User-Identity = 0x00 (5) NAS-IP-Address = 10.10.1.1 (5) NAS-Identifier = 'WiFi-Controller-7' (5) NAS-Port = 33558758 (5) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = '00-18-60-68-03-EC' (5) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (5) Acct-Session-Id = '115001511383b5ab70' (5) Framed-IP-Address = 202.189.123.194 (5) State = 0xc45fd1a2c75ac8f54b145a25fcad284d (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (5) authorize { (5) filter_username filter_username { (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (5) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (5) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (5) auth_log : EXPAND %t (5) auth_log : --> Thu Jan 15 11:38:41 2015 (5) [auth_log] = ok (5) [chap] = noop (5) [mschap] = noop (5) suffix : Checking for suffix after "@" (5) suffix : No '@' in User-Name = "bigman", looking up realm NULL (5) suffix : Found realm "NULL" (5) suffix : Adding Stripped-User-Name = "bigman" (5) suffix : Adding Realm = "NULL" (5) suffix : Authentication realm is LOCAL (5) [suffix] = ok (5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (5) EXPAND %{Realm} (5) --> NULL (5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (5) authenticate { (5) eap : Expiring EAP session with state 0xc45fd1a2c75ac8f5 (5) eap : Finished EAP session with state 0xc45fd1a2c75ac8f5 (5) eap : Previous EAP request found for state 0xc45fd1a2c75ac8f5, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake fragment handler (5) eap_peap : eaptls_verify returned 1 (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c059c8f5 (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=27, length=0 (5) EAP-Message = 0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1 17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500 038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13 70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5 eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911 35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed 0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751ac (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xc45fd1a2c059c8f54b145a25fcad284d Sending Access-Challenge Id 27 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1 17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500 038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13 70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5 eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911 35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed 0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c059c8f54b145a25fcad284d (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 28 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb 6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04 886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471 Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c059c8f54b145a25fcad284d (6) Received Access-Request packet from host 10.10.1.1 port 3406, id=28, length=385 (6) User-Name = 'bigman' (6) Framed-MTU = 1450 (6) EAP-Message = 0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb 6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04 886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471 (6) Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4 (6) Chargeable-User-Identity = 0x00 (6) NAS-IP-Address = 10.10.1.1 (6) NAS-Identifier = 'WiFi-Controller-7' (6) NAS-Port = 33558758 (6) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = '00-18-60-68-03-EC' (6) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (6) Acct-Session-Id = '115001511383b5ab70' (6) Framed-IP-Address = 202.189.123.194 (6) State = 0xc45fd1a2c059c8f54b145a25fcad284d (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (6) authorize { (6) filter_username filter_username { (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (6) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (6) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (6) auth_log : EXPAND %t (6) auth_log : --> Thu Jan 15 11:38:42 2015 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "bigman", looking up realm NULL (6) suffix : Found realm "NULL" (6) suffix : Adding Stripped-User-Name = "bigman" (6) suffix : Adding Realm = "NULL" (6) suffix : Authentication realm is LOCAL (6) [suffix] = ok (6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (6) EXPAND %{Realm} (6) --> NULL (6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (6) eap : Peer sent code Response (2) ID 6 length 144 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (6) authenticate { (6) eap : Expiring EAP session with state 0xc45fd1a2c059c8f5 (6) eap : Finished EAP session with state 0xc45fd1a2c059c8f5 (6) eap : Previous EAP request found for state 0xc45fd1a2c059c8f5, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS TLS Length 134 (6) eap_peap : Length Included (6) eap_peap : eaptls_verify returned 11 (6) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (6) eap_peap : TLS_accept: SSLv3 read client key exchange A (6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 read finished A (6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : TLS_accept: SSLv3 write change cipher spec A (6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 write finished A (6) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 to cache (6) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (6) eap_peap : eaptls_process returned 13 (6) eap_peap : FR_TLS_HANDLED (6) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c158c8f5 (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=28, length=0 (6) EAP-Message = 0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96 da21b4bfc6fc733123a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xc45fd1a2c158c8f54b145a25fcad284d Sending Access-Challenge Id 28 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96 da21b4bfc6fc733123a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c158c8f54b145a25fcad284d (6) Finished request Received Access-Request Id 29 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020700061900 Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c158c8f54b145a25fcad284d (7) Received Access-Request packet from host 10.10.1.1 port 3406, id=29, length=247 (7) User-Name = 'bigman' (7) Framed-MTU = 1450 (7) EAP-Message = 0x020700061900 (7) Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde (7) Chargeable-User-Identity = 0x00 (7) NAS-IP-Address = 10.10.1.1 (7) NAS-Identifier = 'WiFi-Controller-7' (7) NAS-Port = 33558758 (7) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = '00-18-60-68-03-EC' (7) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (7) Acct-Session-Id = '115001511383b5ab70' (7) Framed-IP-Address = 202.189.123.194 (7) State = 0xc45fd1a2c158c8f54b145a25fcad284d (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (7) authorize { (7) filter_username filter_username { (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (7) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (7) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (7) auth_log : EXPAND %t (7) auth_log : --> Thu Jan 15 11:38:42 2015 (7) [auth_log] = ok (7) [chap] = noop (7) [mschap] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "bigman", looking up realm NULL (7) suffix : Found realm "NULL" (7) suffix : Adding Stripped-User-Name = "bigman" (7) suffix : Adding Realm = "NULL" (7) suffix : Authentication realm is LOCAL (7) [suffix] = ok (7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (7) EXPAND %{Realm} (7) --> NULL (7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (7) eap : Peer sent code Response (2) ID 7 length 6 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (7) authenticate { (7) eap : Expiring EAP session with state 0xc45fd1a2c158c8f5 (7) eap : Finished EAP session with state 0xc45fd1a2c158c8f5 (7) eap : Previous EAP request found for state 0xc45fd1a2c158c8f5, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : Received TLS ACK (7) eap_peap : Received TLS ACK (7) eap_peap : ACK handshake is finished (7) eap_peap : eaptls_verify returned 3 (7) eap_peap : eaptls_process returned 3 (7) eap_peap : FR_TLS_SUCCESS (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state TUNNEL ESTABLISHED (7) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c257c8f5 (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=29, length=0 (7) EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xc45fd1a2c257c8f54b145a25fcad284d Sending Access-Challenge Id 29 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c257c8f54b145a25fcad284d (7) Finished request Received Access-Request Id 30 from 10.10.1.1:3406 to 10.80.1.1:1812 length 337 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11 6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452 Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c257c8f54b145a25fcad284d (8) Received Access-Request packet from host 10.10.1.1 port 3406, id=30, length=337 (8) User-Name = 'bigman' (8) Framed-MTU = 1450 (8) EAP-Message = 0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11 6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452 (8) Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b (8) Chargeable-User-Identity = 0x00 (8) NAS-IP-Address = 10.10.1.1 (8) NAS-Identifier = 'WiFi-Controller-7' (8) NAS-Port = 33558758 (8) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = '00-18-60-68-03-EC' (8) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (8) Acct-Session-Id = '115001511383b5ab70' (8) Framed-IP-Address = 202.189.123.194 (8) State = 0xc45fd1a2c257c8f54b145a25fcad284d (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (8) authorize { (8) filter_username filter_username { (8) if (&User-Name =~ / /) (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (8) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (8) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (8) auth_log : EXPAND %t (8) auth_log : --> Thu Jan 15 11:38:42 2015 (8) [auth_log] = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "bigman", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "bigman" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (8) EXPAND %{Realm} (8) --> NULL (8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (8) eap : Peer sent code Response (2) ID 8 length 96 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (8) authenticate { (8) eap : Expiring EAP session with state 0xc45fd1a2c257c8f5 (8) eap : Finished EAP session with state 0xc45fd1a2c257c8f5 (8) eap : Previous EAP request found for state 0xc45fd1a2c257c8f5, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state WAITING FOR INNER IDENTITY (8) eap_peap : Identity - bob@abc.com (8) eap_peap : Got inner identity 'bob@abc.com' (8) eap_peap : Setting default EAP type for tunneled EAP session (8) eap_peap : Got tunneled request EAP-Message = 0x020800120174666b6c616940686b752e686b server Local-WiFi { (8) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020800120174666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (8) server inner-tunnel { (8) Request: EAP-Message = 0x020800120174666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (8) suffix : Found realm "abc.com" (8) suffix : Adding Stripped-User-Name = "bob" (8) suffix : Adding Realm = "abc.com" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) update control { (8) &Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : Peer sent code Response (2) ID 8 length 18 (8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Peer sent method Identity (1) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : Issuing Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xde946618de9d7cad (8) [eap] = handled (8) } # authenticate = handled (8) Reply: EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) } # server inner-tunnel } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c356c8f5 (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=30, length=0 (8) EAP-Message = 0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c ec006126ddbd781a3811c45a43cc665fa6e6b88 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xc45fd1a2c356c8f54b145a25fcad284d Sending Access-Challenge Id 30 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c ec006126ddbd781a3811c45a43cc665fa6e6b88 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c356c8f54b145a25fcad284d (8) Finished request Received Access-Request Id 31 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506 f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017 3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4 Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c356c8f54b145a25fcad284d (9) Received Access-Request packet from host 10.10.1.1 port 3406, id=31, length=385 (9) User-Name = 'bigman' (9) Framed-MTU = 1450 (9) EAP-Message = 0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506 f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017 3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4 (9) Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba (9) Chargeable-User-Identity = 0x00 (9) NAS-IP-Address = 10.10.1.1 (9) NAS-Identifier = 'WiFi-Controller-7' (9) NAS-Port = 33558758 (9) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = '00-18-60-68-03-EC' (9) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (9) Acct-Session-Id = '115001511383b5ab70' (9) Framed-IP-Address = 202.189.123.194 (9) State = 0xc45fd1a2c356c8f54b145a25fcad284d (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (9) authorize { (9) filter_username filter_username { (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (9) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (9) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (9) auth_log : EXPAND %t (9) auth_log : --> Thu Jan 15 11:38:42 2015 (9) [auth_log] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "bigman", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "bigman" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (9) EXPAND %{Realm} (9) --> NULL (9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (9) eap : Peer sent code Response (2) ID 9 length 144 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (9) authenticate { (9) eap : Expiring EAP session with state 0xde946618de9d7cad (9) eap : Finished EAP session with state 0xc45fd1a2c356c8f5 (9) eap : Previous EAP request found for state 0xc45fd1a2c356c8f5, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b server Local-WiFi { (9) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618de9d7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (9) server inner-tunnel { (9) Request: EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618de9d7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : Checking for suffix after "@" (9) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (9) suffix : Found realm "abc.com" (9) suffix : Adding Stripped-User-Name = "bob" (9) suffix : Adding Realm = "abc.com" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) &Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : Peer sent code Response (2) ID 9 length 72 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) if (&EAP-Message) (9) if (&EAP-Message) -> TRUE (9) if (&EAP-Message) { (9) load-balance ldap_Portal_redundant { (9) redundant-load-balance group ldap_Portal_redundant { rlm_ldap (ldap_PortalPwd_2): Reserved connection (4) (9) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(! (postOfficeBox=nowifi)))) (9) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi)))) (9) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk (9) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk (9) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(! (givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub' (9) ldap_PortalPwd_2 : Waiting for search result... (9) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk" (9) ldap_PortalPwd_2 : Processing user attributes (9) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg' (9) ldap_PortalPwd_2 : &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345 rlm_ldap (ldap_PortalPwd_2): Released connection (4) (9) [ldap_PortalPwd_2] = ok (9) } # redundant-load-balance ldap_Portal_redundant = ok (9) if (notfound) (9) if (notfound) -> FALSE (9) } # if (&EAP-Message) = ok (9) ... skipping else for request 9: Preceding "if" was taken (9) [expiration] = noop (9) [logintime] = noop (9) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xde946618de9d7cad (9) eap : Finished EAP session with state 0xde946618de9d7cad (9) eap : Previous EAP request found for state 0xde946618de9d7cad, released from the list (9) eap : Peer sent method MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (9) mschap : Found NT-Password (9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (9) mschap : Creating challenge hash with username: bob@abc.com (9) mschap : Client is using MS-CHAPv2 (9) mschap : Adding MS-CHAPv2 MPPE keys (9) [mschap] = ok (9) } # Auth-Type MS-CHAP = ok MSCHAP Success (9) eap : New EAP session, adding 'State' attribute to reply 0xde946618df9e7cad (9) [eap] = handled (9) } # authenticate = handled (9) Reply: EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) } # server inner-tunnel } # server inner-tunnel (9) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) eap_peap : Got tunneled Access-Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cc55c8f5 (9) [eap] = handled (9) } # authenticate = handled (9) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=31, length=0 (9) EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961 0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xc45fd1a2cc55c8f54b145a25fcad284d Sending Access-Challenge Id 31 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961 0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2cc55c8f54b145a25fcad284d (9) Finished request Received Access-Request Id 32 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a 27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1 Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2cc55c8f54b145a25fcad284d (10) Received Access-Request packet from host 10.10.1.1 port 3406, id=32, length=321 (10) User-Name = 'bigman' (10) Framed-MTU = 1450 (10) EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a 27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1 (10) Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35 (10) Chargeable-User-Identity = 0x00 (10) NAS-IP-Address = 10.10.1.1 (10) NAS-Identifier = 'WiFi-Controller-7' (10) NAS-Port = 33558758 (10) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Framed-Protocol = PPP (10) Calling-Station-Id = '00-18-60-68-03-EC' (10) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (10) Acct-Session-Id = '115001511383b5ab70' (10) Framed-IP-Address = 202.189.123.194 (10) State = 0xc45fd1a2cc55c8f54b145a25fcad284d (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (10) authorize { (10) filter_username filter_username { (10) if (&User-Name =~ / /) (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\\.\\./ ) (10) if (&User-Name =~ /\\.\\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\\.$/) (10) if (&User-Name =~ /\\.$/) -> FALSE (10) if (&User-Name =~ /@\\./) (10) if (&User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (10) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (10) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (10) auth_log : EXPAND %t (10) auth_log : --> Thu Jan 15 11:38:42 2015 (10) [auth_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : No '@' in User-Name = "bigman", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "bigman" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (10) EXPAND %{Realm} (10) --> NULL (10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (10) eap : Peer sent code Response (2) ID 10 length 80 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (10) authenticate { (10) eap : Expiring EAP session with state 0xde946618df9e7cad (10) eap : Finished EAP session with state 0xc45fd1a2cc55c8f5 (10) eap : Previous EAP request found for state 0xc45fd1a2cc55c8f5, released from the list (10) eap : Peer sent method PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020a00061a03 server Local-WiFi { (10) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618df9e7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (10) server inner-tunnel { (10) Request: EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618df9e7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (10) suffix : Found realm "abc.com" (10) suffix : Adding Stripped-User-Name = "bob" (10) suffix : Adding Realm = "abc.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) &Proxy-To-Realm := 'LOCAL' (10) } # update control = noop (10) eap : Peer sent code Response (2) ID 10 length 6 (10) eap : No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) if (&EAP-Message) (10) if (&EAP-Message) -> TRUE (10) if (&EAP-Message) { (10) load-balance ldap_Portal_redundant { (10) redundant-load-balance group ldap_Portal_redundant { rlm_ldap (ldap_PortalPwd_2): Reserved connection (4) (10) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(! (postOfficeBox=nowifi)))) (10) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi)))) (10) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk (10) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk (10) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(! (givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub' (10) ldap_PortalPwd_2 : Waiting for search result... (10) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk" (10) ldap_PortalPwd_2 : Processing user attributes (10) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg' (10) ldap_PortalPwd_2 : &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345 rlm_ldap (ldap_PortalPwd_2): Released connection (4) (10) [ldap_PortalPwd_2] = ok (10) } # redundant-load-balance ldap_Portal_redundant = ok (10) if (notfound) (10) if (notfound) -> FALSE (10) } # if (&EAP-Message) = ok (10) ... skipping else for request 10: Preceding "if" was taken (10) [expiration] = noop (10) [logintime] = noop (10) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (10) WARNING: pap : Auth-Type already set. Not setting to PAP (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = EAP (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap : Expiring EAP session with state 0xde946618df9e7cad (10) eap : Finished EAP session with state 0xde946618df9e7cad (10) eap : Previous EAP request found for state 0xde946618df9e7cad, released from the list (10) eap : Peer sent method MSCHAPv2 (26) (10) eap : EAP MSCHAPv2 (26) (10) eap : Calling eap_mschapv2 to process EAP data (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) Login OK: [bob@abc.com] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC via TLS tunnel) (10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) post-auth { (10) update outer.reply { (10) EXPAND %{request:User-Name} (10) --> bob@abc.com (10) User-Name = "bob@abc.com" (10) } # update outer.reply = noop (10) } # post-auth = noop (10) Reply: MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) } # server inner-tunnel } # server inner-tunnel (10) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) eap_peap : Tunneled authentication was successful (10) eap_peap : SUCCESS (10) eap_peap : Saving tunneled attributes for later (10) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cd54c8f5 (10) [eap] = handled (10) } # authenticate = handled (10) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=32, length=0 (10) User-Name = 'bob@abc.com' (10) EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xc45fd1a2cd54c8f54b145a25fcad284d Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406 User-Name = 'bob@abc.com' EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2cd54c8f54b145a25fcad284d (10) Finished request Waking up in 0.2 seconds. Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778 261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2cd54c8f54b145a25fcad284d (11) Received Access-Request packet from host 10.10.1.1 port 3406, id=33, length=321 (11) User-Name = 'bigman' (11) Framed-MTU = 1450 (11) EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778 261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf (11) Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9 (11) Chargeable-User-Identity = 0x00 (11) NAS-IP-Address = 10.10.1.1 (11) NAS-Identifier = 'WiFi-Controller-7' (11) NAS-Port = 33558758 (11) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Framed-Protocol = PPP (11) Calling-Station-Id = '00-18-60-68-03-EC' (11) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (11) Acct-Session-Id = '115001511383b5ab70' (11) Framed-IP-Address = 202.189.123.194 (11) State = 0xc45fd1a2cd54c8f54b145a25fcad284d (11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) authorize { (11) filter_username filter_username { (11) if (&User-Name =~ / /) (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@.*@/ ) (11) if (&User-Name =~ /@.*@/ ) -> FALSE (11) if (&User-Name =~ /\\.\\./ ) (11) if (&User-Name =~ /\\.\\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\\.$/) (11) if (&User-Name =~ /\\.$/) -> FALSE (11) if (&User-Name =~ /@\\./) (11) if (&User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (11) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (11) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (11) auth_log : EXPAND %t (11) auth_log : --> Thu Jan 15 11:38:42 2015 (11) [auth_log] = ok (11) [chap] = noop (11) [mschap] = noop (11) suffix : Checking for suffix after "@" (11) suffix : No '@' in User-Name = "bigman", looking up realm NULL (11) suffix : Found realm "NULL" (11) suffix : Adding Stripped-User-Name = "bigman" (11) suffix : Adding Realm = "NULL" (11) suffix : Authentication realm is LOCAL (11) [suffix] = ok (11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (11) EXPAND %{Realm} (11) --> NULL (11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (11) eap : Peer sent code Response (2) ID 11 length 80 (11) eap : Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) authenticate { (11) eap : Expiring EAP session with state 0xc45fd1a2cd54c8f5 (11) eap : Finished EAP session with state 0xc45fd1a2cd54c8f5 (11) eap : Previous EAP request found for state 0xc45fd1a2cd54c8f5, released from the list (11) eap : Peer sent method PEAP (25) (11) eap : EAP PEAP (25) (11) eap : Calling eap_peap to process EAP data (11) eap_peap : processing EAP-TLS (11) eap_peap : eaptls_verify returned 7 (11) eap_peap : Done initial handshake (11) eap_peap : eaptls_process returned 7 (11) eap_peap : FR_TLS_OK (11) eap_peap : Session established. Decoding tunneled attributes (11) eap_peap : Peap state send tlv success (11) eap_peap : Received EAP-TLV response (11) eap_peap : Success (11) eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob' (11) eap_peap : Saving session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 vps 0xdb9b50 in the cache (11) eap : Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) Login OK: [bigman] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC) (11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) post-auth { (11) [exec] = noop (11) remove_reply_message_if_eap remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else else { (11) [noop] = noop (11) } # else else = noop (11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (11) } # post-auth = noop (11) Sending Access-Accept packet to host 10.10.1.1 port 3406, id=33, length=0 (11) Stripped-User-Name = 'bob' (11) MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf (11) MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19 (11) EAP-MSK = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbfdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a1 7134fe0b843a3bb19 (11) EAP-EMSK = 0x7a6b367b28793e34682cef71b58ec94c2f9dc00044d0e0a83b3b574158756196e40940146e5bbcba4d03755a09bc9ceafe3305b3da7bfe9 bffd812066bea9cbb (11) EAP-Session-Id = 0x1954b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16754b73641e3caf729409a814c4e2c0f4c4522113a1cbfd 2509d86377e80e55ca3 (11) EAP-Message = 0x030b0004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) Stripped-User-Name = 'bigman' Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406 MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 (11) Finished request Waking up in 0.2 seconds.