Hello, I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords Version is 3.0.13 from CentOS 7 repository. Testing with radtest is successful: Sent Access-Request Id 72 from 0.0.0.0:36799 to 127.0.0.1:1812 length 87 User-Name = "robert_plestenjak" User-Password = "XXX" NAS-IP-Address = X.X.X.X NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "XXX" Received Access-Accept Id 72 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 When I test with Wifi (Cisco Meraki), it fails: (0) Received Access-Request Id 60 from X.X.X.X:37829 to X.X.X.X:1812 length 271 (0) User-Name = "robert_plestenjak" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "18-F0-E4-3B-AA-02" (0) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (0) Acct-Session-Id = "AE4E038CE2ACDB0A" (0) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Meraki-Device-Name = "olai" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0229001601726f626572745f706c657374656e6a616b (0) Message-Authenticator = 0x0a1c310be4f79d6acca1eb4a67deb60e (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 41 length 22 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 42 length 22 (0) eap: EAP session adding &reply:State = 0x46c8d21046e2d6bc (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 60 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (0) EAP-Message = 0x012a00160410dddf52a2d853bc9017a6c96d00a0b389 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x46c8d21046e2d6bc6e5900b0d6f9d128 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (1) User-Name = "robert_plestenjak" (1) NAS-IP-Address = X.X.X.X (1) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "18-F0-E4-3B-AA-02" (1) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (1) Acct-Session-Id = "AE4E038CE2ACDB0A" (1) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Meraki-Device-Name = "olai" (1) Framed-MTU = 1400 (1) EAP-Message = 0x022a00060319 (1) State = 0x46c8d21046e2d6bc6e5900b0d6f9d128 (1) Message-Authenticator = 0xd3ffb74c0af4b8f5b52afbf18d82b8d2 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 42 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (uid=robert_plestenjak) (1) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (1) ldap: Processing user attributes (1) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://auth3.xlab.si:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = updated (1) if ((ok || updated) && User-Password) { (1) if ((ok || updated) && User-Password) -> FALSE (1) [expiration] = noop (1) [logintime] = noop (1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x46c8d21046e2d6bc (1) eap: Finished EAP session with state 0x46c8d21046e2d6bc (1) eap: Previous EAP request found for state 0x46c8d21046e2d6bc, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 43 length 6 (1) eap: EAP session adding &reply:State = 0x46c8d21047e3cbbc (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 61 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (1) EAP-Message = 0x012b00061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x46c8d21047e3cbbc6e5900b0d6f9d128 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from X.X.X.X:37829 to X.X.X.X:1812 length 416 (2) User-Name = "robert_plestenjak" (2) NAS-IP-Address = X.X.X.X (2) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "18-F0-E4-3B-AA-02" (2) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (2) Acct-Session-Id = "AE4E038CE2ACDB0A" (2) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Meraki-Device-Name = "olai" (2) Framed-MTU = 1400 (2) EAP-Message = 0x022b009519800000008b160301008601000082030318104905101d0258ca25ae0986254aedf90b1c8fdf08e710e17c259b38fd5ad000002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403 (2) State = 0x46c8d21047e3cbbc6e5900b0d6f9d128 (2) Message-Authenticator = 0x8d7c5c5560d235684aceeb01ee99f66b (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 43 length 149 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x46c8d21047e3cbbc (2) eap: Finished EAP session with state 0x46c8d21047e3cbbc (2) eap: Previous EAP request found for state 0x46c8d21047e3cbbc, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 139 bytes (2) eap_peap: Got complete TLS record (139 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before/accept initialization (2) eap_peap: TLS_accept: before/accept initialization (2) eap_peap: <<< recv TLS 1.2 [length 0086] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.2 [length 0039] (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.2 [length 08d3] (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 44 length 1004 (2) eap: EAP session adding &reply:State = 0x46c8d21044e4cbbc (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 62 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (2) EAP-Message = 0x012c03ec19c000000a711603030039020000350303ea32a5d7a1bbfdbf9e7ee34e29050563b1ffc93c77c2247fb4634b9936ff065600c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x46c8d21044e4cbbc6e5900b0d6f9d128 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 63 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (3) User-Name = "robert_plestenjak" (3) NAS-IP-Address = X.X.X.X (3) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "18-F0-E4-3B-AA-02" (3) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (3) Acct-Session-Id = "AE4E038CE2ACDB0A" (3) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Meraki-Device-Name = "olai" (3) Framed-MTU = 1400 (3) EAP-Message = 0x022c00061900 (3) State = 0x46c8d21044e4cbbc6e5900b0d6f9d128 (3) Message-Authenticator = 0x44ed2c1a2c57511fb51626d94cea998d (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 44 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x46c8d21044e4cbbc (3) eap: Finished EAP session with state 0x46c8d21044e4cbbc (3) eap: Previous EAP request found for state 0x46c8d21044e4cbbc, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 45 length 1000 (3) eap: EAP session adding &reply:State = 0x46c8d21045e5cbbc (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 63 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (3) EAP-Message = 0x012d03e819402dbdf62800fd47c44b6189df90644cc345df23b390e938143137414b4dc3906a2aefff96f82551639cf9a10ead226ee8a9d0d7c4bf51bcca698315290b7a181527f2841445909d7d420004e8308204e4308203cca003020102020900d20da3179fcff6af300d06092a864886f70d01010b (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x46c8d21045e5cbbc6e5900b0d6f9d128 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 64 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (4) User-Name = "robert_plestenjak" (4) NAS-IP-Address = X.X.X.X (4) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "18-F0-E4-3B-AA-02" (4) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (4) Acct-Session-Id = "AE4E038CE2ACDB0A" (4) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Meraki-Device-Name = "olai" (4) Framed-MTU = 1400 (4) EAP-Message = 0x022d00061900 (4) State = 0x46c8d21045e5cbbc6e5900b0d6f9d128 (4) Message-Authenticator = 0xa82ea1907b66b0e0486d7358963589a7 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 45 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x46c8d21045e5cbbc (4) eap: Finished EAP session with state 0x46c8d21045e5cbbc (4) eap: Previous EAP request found for state 0x46c8d21045e5cbbc, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 46 length 691 (4) eap: EAP session adding &reply:State = 0x46c8d21042e6cbbc (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 64 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (4) EAP-Message = 0x012e02b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010082ec17a6a7053cdb07445b2a8258e5e5f0cad094486cb4a81527d41f7ff73f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x46c8d21042e6cbbc6e5900b0d6f9d128 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 65 from X.X.X.X:37829 to X.X.X.X:1812 length 403 (5) User-Name = "robert_plestenjak" (5) NAS-IP-Address = X.X.X.X (5) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "18-F0-E4-3B-AA-02" (5) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (5) Acct-Session-Id = "AE4E038CE2ACDB0A" (5) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Meraki-Device-Name = "olai" (5) Framed-MTU = 1400 (5) EAP-Message = 0x022e008819800000007e1603030046100000424104fb2e08dfc5eb824bcf64fbb8ff77906d79826239bbc5ff15023c4371596d0422c7ea05f73a3fdffa848b11c8d757eba23c64302d202b63022e12e35a6f23fc48140303000101160303002800000000000000005b6195d7b05366d7ac3d11cf44f77c (5) State = 0x46c8d21042e6cbbc6e5900b0d6f9d128 (5) Message-Authenticator = 0xcdb102cb862715a789a736e630c4b31f (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 46 length 136 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x46c8d21042e6cbbc (5) eap: Finished EAP session with state 0x46c8d21042e6cbbc (5) eap: Previous EAP request found for state 0x46c8d21042e6cbbc, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 126 bytes (5) eap_peap: Got complete TLS record (126 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.2 [length 0046] (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: TLS_accept: SSLv3 read certificate verify A (5) eap_peap: <<< recv TLS 1.2 [length 0001] (5) eap_peap: <<< recv TLS 1.2 [length 0010] (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.2 [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.2 [length 0010] (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: SSL Connection Established (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 47 length 57 (5) eap: EAP session adding &reply:State = 0x46c8d21043e7cbbc (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 65 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (5) EAP-Message = 0x012f003919001403030001011603030028652f3ff10fb2c5ec7eaba85c96965e3cdaebaab760ef337bdf697193d7580a6381d9bc98fce6eb16 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x46c8d21043e7cbbc6e5900b0d6f9d128 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 66 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (6) User-Name = "robert_plestenjak" (6) NAS-IP-Address = X.X.X.X (6) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "18-F0-E4-3B-AA-02" (6) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (6) Acct-Session-Id = "AE4E038CE2ACDB0A" (6) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Meraki-Device-Name = "olai" (6) Framed-MTU = 1400 (6) EAP-Message = 0x022f00061900 (6) State = 0x46c8d21043e7cbbc6e5900b0d6f9d128 (6) Message-Authenticator = 0xf613e30b444fdc6251b89176c4ea98e3 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 47 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x46c8d21043e7cbbc (6) eap: Finished EAP session with state 0x46c8d21043e7cbbc (6) eap: Previous EAP request found for state 0x46c8d21043e7cbbc, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 48 length 40 (6) eap: EAP session adding &reply:State = 0x46c8d21040f8cbbc (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 66 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (6) EAP-Message = 0x013000281900170303001d652f3ff10fb2c5edc396f1fb96534d5a09ed3bd8844d3cb98c691e6cdd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x46c8d21040f8cbbc6e5900b0d6f9d128 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 67 from X.X.X.X:37829 to X.X.X.X:1812 length 320 (7) User-Name = "robert_plestenjak" (7) NAS-IP-Address = X.X.X.X (7) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "18-F0-E4-3B-AA-02" (7) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (7) Acct-Session-Id = "AE4E038CE2ACDB0A" (7) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Meraki-Device-Name = "olai" (7) Framed-MTU = 1400 (7) EAP-Message = 0x023000351900170303002a000000000000000125e0edd772c07188d67f8ac17c95b08291f4d8ee740ac579a17566729c283e4de6c8 (7) State = 0x46c8d21040f8cbbc6e5900b0d6f9d128 (7) Message-Authenticator = 0x12f53a0a6021756bf2a6b2fc55a901a3 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 48 length 53 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x46c8d21040f8cbbc (7) eap: Finished EAP session with state 0x46c8d21040f8cbbc (7) eap: Previous EAP request found for state 0x46c8d21040f8cbbc, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - robert_plestenjak (7) eap_peap: Got inner identity 'robert_plestenjak' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) eap_peap: Setting User-Name to robert_plestenjak (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "robert_plestenjak" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "robert_plestenjak" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 48 length 22 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 49 length 43 (7) eap: EAP session adding &reply:State = 0xb9b0a1f1b981bb6e (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 49 length 74 (7) eap: EAP session adding &reply:State = 0x46c8d21041f9cbbc (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 67 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (7) EAP-Message = 0x0131004a1900170303003f652f3ff10fb2c5ee7d1dc7c9e2a8eab376bcf614675fc6b749d9d35b70d018df036218eb66b192f7a667d1512441f23b4b8ed103e7e51abcc1ccb629d4b709 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x46c8d21041f9cbbc6e5900b0d6f9d128 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 68 from X.X.X.X:37829 to X.X.X.X:1812 length 374 (8) User-Name = "robert_plestenjak" (8) NAS-IP-Address = X.X.X.X (8) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "18-F0-E4-3B-AA-02" (8) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (8) Acct-Session-Id = "AE4E038CE2ACDB0A" (8) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Meraki-Device-Name = "olai" (8) Framed-MTU = 1400 (8) EAP-Message = 0x0231006b1900170303006000000000000000023889c5f8167aca23ac8159b1f565ea917ee16b989cfa799eec8b81911bc2fd6c32b4c44cd11d900a80376691793a616e041565552c1f286df0b04e830cc018dea39f6666cf1486ce3f36872ee5611b78130639007839772d (8) State = 0x46c8d21041f9cbbc6e5900b0d6f9d128 (8) Message-Authenticator = 0xd7d29fba79fdde7e4401eef1926543e4 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 49 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Finished EAP session with state 0x46c8d21041f9cbbc (8) eap: Previous EAP request found for state 0x46c8d21041f9cbbc, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) eap_peap: Setting User-Name to robert_plestenjak (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "robert_plestenjak" (8) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "robert_plestenjak" (8) State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 49 length 76 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (1) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=robert_plestenjak) (8) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (1) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (8) pap: Removing &control:Password-With-Header (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Finished EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Previous EAP request found for state 0xb9b0a1f1b981bb6e, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: Found Cleartext-Password, hashing to create NT-Password (8) mschap: Found Cleartext-Password, hashing to create LM-Password (8) mschap: Creating challenge hash with username: robert_plestenjak (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # authenticate = reject (8) eap: Sending EAP Failure (code 4) ID 49 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> robert_plestenjak (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) EAP-Message = 0x04310004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04310004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04310004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 50 length 46 (8) eap: EAP session adding &reply:State = 0x46c8d2104efacbbc (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (8) Sent Access-Challenge Id 68 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (8) EAP-Message = 0x0132002e19001703030023652f3ff10fb2c5ef30b7fb1e252f2bf6a22244994486f4debfdf66bcd18faa30877532 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x46c8d2104efacbbc6e5900b0d6f9d128 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 69 from X.X.X.X:37829 to X.X.X.X:1812 length 313 (9) User-Name = "robert_plestenjak" (9) NAS-IP-Address = X.X.X.X (9) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "18-F0-E4-3B-AA-02" (9) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (9) Acct-Session-Id = "AE4E038CE2ACDB0A" (9) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Meraki-Device-Name = "olai" (9) Framed-MTU = 1400 (9) EAP-Message = 0x0232002e19001703030023000000000000000389125c7c96bd31281466aa12830d3193192521ab1698685080c754 (9) State = 0x46c8d2104efacbbc6e5900b0d6f9d128 (9) Message-Authenticator = 0xfd042959aaae54e9dd9ac31800d0667b (9) Restoring &session-state (9) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 50 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x46c8d2104efacbbc (9) eap: Finished EAP session with state 0x46c8d2104efacbbc (9) eap: Previous EAP request found for state 0x46c8d2104efacbbc, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 50 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> robert_plestenjak (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 69 from X.X.X.X:1812 to X.X.X.X:37829 length 44 (9) EAP-Message = 0x04320004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 60 with timestamp +9 (1) Cleaning up request packet ID 61 with timestamp +9 (2) Cleaning up request packet ID 62 with timestamp +9 (3) Cleaning up request packet ID 63 with timestamp +9 (4) Cleaning up request packet ID 64 with timestamp +9 (5) Cleaning up request packet ID 65 with timestamp +9 (6) Cleaning up request packet ID 66 with timestamp +9 (7) Cleaning up request packet ID 67 with timestamp +9 (8) Cleaning up request packet ID 68 with timestamp +9 (9) Cleaning up request packet ID 69 with timestamp +9 Ready to process requests (10) Received Access-Request Id 10 from X.X.X.X:51991 to X.X.X.X:1812 length 268 (10) User-Name = "robert_plestenjak" (10) NAS-IP-Address = X.X.X.X (10) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Calling-Station-Id = "18-F0-E4-3B-AA-02" (10) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (10) Acct-Session-Id = "6325D4B9D8CD9D01" (10) Acct-Multi-Session-Id = "33B691AA5B968946" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Meraki-Device-Name = "olai" (10) Framed-MTU = 1400 (10) EAP-Message = 0x02cd001601726f626572745f706c657374656e6a616b (10) Message-Authenticator = 0x9ef397887365b4a9c8d560ba66702b4c (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 205 length 22 (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Peer sent packet with method EAP Identity (1) (10) eap: Calling submodule eap_md5 to process data (10) eap_md5: Issuing MD5 Challenge (10) eap: Sending EAP Request (code 1) ID 206 length 22 (10) eap: EAP session adding &reply:State = 0x13b4f8c8137afc0c (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 10 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (10) EAP-Message = 0x01ce001604109894d79a35a2fc5f9745add589aedd82 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x13b4f8c8137afc0caef2d3fb04d37962 (10) Finished request Waking up in 4.9 seconds. (11) Received Access-Request Id 11 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (11) User-Name = "robert_plestenjak" (11) NAS-IP-Address = X.X.X.X (11) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Calling-Station-Id = "18-F0-E4-3B-AA-02" (11) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (11) Acct-Session-Id = "6325D4B9D8CD9D01" (11) Acct-Multi-Session-Id = "33B691AA5B968946" (11) WLAN-Pairwise-Cipher = 1027076 (11) WLAN-Group-Cipher = 1027076 (11) WLAN-AKM-Suite = 1027073 (11) Meraki-Device-Name = "olai" (11) Framed-MTU = 1400 (11) EAP-Message = 0x02ce00060319 (11) State = 0x13b4f8c8137afc0caef2d3fb04d37962 (11) Message-Authenticator = 0xd17920bf05e0fcb93caee9ebdc02bb6e (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 206 length 6 (11) eap: No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) [files] = noop rlm_ldap (ldap): Reserved connection (2) (11) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (11) ldap: --> (uid=robert_plestenjak) (11) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (11) ldap: Waiting for search result... (11) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (11) ldap: Processing user attributes (11) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (2) Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://auth3.xlab.si:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (11) [ldap] = updated (11) if ((ok || updated) && User-Password) { (11) if ((ok || updated) && User-Password) -> FALSE (11) [expiration] = noop (11) [logintime] = noop (11) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (11) pap: Removing &control:Password-With-Header (11) pap: WARNING: Auth-Type already set. Not setting to PAP (11) [pap] = noop (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x13b4f8c8137afc0c (11) eap: Finished EAP session with state 0x13b4f8c8137afc0c (11) eap: Previous EAP request found for state 0x13b4f8c8137afc0c, released from the list (11) eap: Peer sent packet with method EAP NAK (3) (11) eap: Found mutually acceptable type PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: Initiating new EAP-TLS session (11) eap_peap: [eaptls start] = request (11) eap: Sending EAP Request (code 1) ID 207 length 6 (11) eap: EAP session adding &reply:State = 0x13b4f8c8127be10c (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 11 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (11) EAP-Message = 0x01cf00061920 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x13b4f8c8127be10caef2d3fb04d37962 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 12 from X.X.X.X:51991 to X.X.X.X:1812 length 413 (12) User-Name = "robert_plestenjak" (12) NAS-IP-Address = X.X.X.X (12) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (12) NAS-Port-Type = Wireless-802.11 (12) Service-Type = Framed-User (12) Calling-Station-Id = "18-F0-E4-3B-AA-02" (12) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (12) Acct-Session-Id = "6325D4B9D8CD9D01" (12) Acct-Multi-Session-Id = "33B691AA5B968946" (12) WLAN-Pairwise-Cipher = 1027076 (12) WLAN-Group-Cipher = 1027076 (12) WLAN-AKM-Suite = 1027073 (12) Meraki-Device-Name = "olai" (12) Framed-MTU = 1400 (12) EAP-Message = 0x02cf009519800000008b1603010086010000820303a92d448a03d30bd55ed9e4048a71e3b984078789666a59e4f0b55047909bfaa900002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403 (12) State = 0x13b4f8c8127be10caef2d3fb04d37962 (12) Message-Authenticator = 0x75773d8e25d838dba548709fa45c599d (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 207 length 149 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x13b4f8c8127be10c (12) eap: Finished EAP session with state 0x13b4f8c8127be10c (12) eap: Previous EAP request found for state 0x13b4f8c8127be10c, released from the list (12) eap: Peer sent packet with method EAP PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: Continuing EAP-TLS (12) eap_peap: Peer indicated complete TLS record size will be 139 bytes (12) eap_peap: Got complete TLS record (139 bytes) (12) eap_peap: [eaptls verify] = length included (12) eap_peap: (other): before/accept initialization (12) eap_peap: TLS_accept: before/accept initialization (12) eap_peap: <<< recv TLS 1.2 [length 0086] (12) eap_peap: TLS_accept: SSLv3 read client hello A (12) eap_peap: >>> send TLS 1.2 [length 0039] (12) eap_peap: TLS_accept: SSLv3 write server hello A (12) eap_peap: >>> send TLS 1.2 [length 08d3] (12) eap_peap: TLS_accept: SSLv3 write certificate A (12) eap_peap: >>> send TLS 1.2 [length 014d] (12) eap_peap: TLS_accept: SSLv3 write key exchange A (12) eap_peap: >>> send TLS 1.2 [length 0004] (12) eap_peap: TLS_accept: SSLv3 write server done A (12) eap_peap: TLS_accept: SSLv3 flush data (12) eap_peap: TLS_accept: SSLv3 read client certificate A (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (12) eap_peap: In SSL Handshake Phase (12) eap_peap: In SSL Accept mode (12) eap_peap: [eaptls process] = handled (12) eap: Sending EAP Request (code 1) ID 208 length 1004 (12) eap: EAP session adding &reply:State = 0x13b4f8c81164e10c (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 12 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (12) EAP-Message = 0x01d003ec19c000000a7116030300390200003503039ce049344384b2cbc710136022def40542d08e2187ae8522a95d7ea0da1a504100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x13b4f8c81164e10caef2d3fb04d37962 (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 13 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (13) User-Name = "robert_plestenjak" (13) NAS-IP-Address = X.X.X.X (13) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (13) NAS-Port-Type = Wireless-802.11 (13) Service-Type = Framed-User (13) Calling-Station-Id = "18-F0-E4-3B-AA-02" (13) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (13) Acct-Session-Id = "6325D4B9D8CD9D01" (13) Acct-Multi-Session-Id = "33B691AA5B968946" (13) WLAN-Pairwise-Cipher = 1027076 (13) WLAN-Group-Cipher = 1027076 (13) WLAN-AKM-Suite = 1027073 (13) Meraki-Device-Name = "olai" (13) Framed-MTU = 1400 (13) EAP-Message = 0x02d000061900 (13) State = 0x13b4f8c81164e10caef2d3fb04d37962 (13) Message-Authenticator = 0xecee55183201a215ec44e13e79ca257c (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 208 length 6 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/raddb/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0x13b4f8c81164e10c (13) eap: Finished EAP session with state 0x13b4f8c81164e10c (13) eap: Previous EAP request found for state 0x13b4f8c81164e10c, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: Peer ACKed our handshake fragment (13) eap_peap: [eaptls verify] = request (13) eap_peap: [eaptls process] = handled (13) eap: Sending EAP Request (code 1) ID 209 length 1000 (13) eap: EAP session adding &reply:State = 0x13b4f8c81065e10c (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/raddb/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 13 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (13) EAP-Message = 0x01d103e819402dbdf62800fd47c44b6189df90644cc345df23b390e938143137414b4dc3906a2aefff96f82551639cf9a10ead226ee8a9d0d7c4bf51bcca698315290b7a181527f2841445909d7d420004e8308204e4308203cca003020102020900d20da3179fcff6af300d06092a864886f70d01010b (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x13b4f8c81065e10caef2d3fb04d37962 (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 14 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (14) User-Name = "robert_plestenjak" (14) NAS-IP-Address = X.X.X.X (14) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) Calling-Station-Id = "18-F0-E4-3B-AA-02" (14) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (14) Acct-Session-Id = "6325D4B9D8CD9D01" (14) Acct-Multi-Session-Id = "33B691AA5B968946" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Meraki-Device-Name = "olai" (14) Framed-MTU = 1400 (14) EAP-Message = 0x02d100061900 (14) State = 0x13b4f8c81065e10caef2d3fb04d37962 (14) Message-Authenticator = 0x6808057d61ed210c43b2e7f0ed27c6b0 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 209 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x13b4f8c81065e10c (14) eap: Finished EAP session with state 0x13b4f8c81065e10c (14) eap: Previous EAP request found for state 0x13b4f8c81065e10c, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer ACKed our handshake fragment (14) eap_peap: [eaptls verify] = request (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 210 length 691 (14) eap: EAP session adding &reply:State = 0x13b4f8c81766e10c (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 14 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (14) EAP-Message = 0x01d202b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010082ec17a6a7053cdb07445b2a8258e5e5f0cad094486cb4a81527d41f7ff73f (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x13b4f8c81766e10caef2d3fb04d37962 (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 15 from X.X.X.X:51991 to X.X.X.X:1812 length 400 (15) User-Name = "robert_plestenjak" (15) NAS-IP-Address = X.X.X.X (15) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (15) NAS-Port-Type = Wireless-802.11 (15) Service-Type = Framed-User (15) Calling-Station-Id = "18-F0-E4-3B-AA-02" (15) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (15) Acct-Session-Id = "6325D4B9D8CD9D01" (15) Acct-Multi-Session-Id = "33B691AA5B968946" (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-Group-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027073 (15) Meraki-Device-Name = "olai" (15) Framed-MTU = 1400 (15) EAP-Message = 0x02d2008819800000007e16030300461000004241046e9952972e88d85f4c8a0fec97f6921a748c8f3a9359e4c2f899fbfff13d0352d105d5dc817989b8830aa2e75623dbf2252b4df0338d9af3efac1ffbcb283d9714030300010116030300280000000000000000ba7043669f9c5cf21290c8c78fedd6 (15) State = 0x13b4f8c81766e10caef2d3fb04d37962 (15) Message-Authenticator = 0xdbfcb1ec8b36b3555264d93298e44ba3 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/raddb/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 210 length 136 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/raddb/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0x13b4f8c81766e10c (15) eap: Finished EAP session with state 0x13b4f8c81766e10c (15) eap: Previous EAP request found for state 0x13b4f8c81766e10c, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer indicated complete TLS record size will be 126 bytes (15) eap_peap: Got complete TLS record (126 bytes) (15) eap_peap: [eaptls verify] = length included (15) eap_peap: <<< recv TLS 1.2 [length 0046] (15) eap_peap: TLS_accept: SSLv3 read client key exchange A (15) eap_peap: TLS_accept: SSLv3 read certificate verify A (15) eap_peap: <<< recv TLS 1.2 [length 0001] (15) eap_peap: <<< recv TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3 read finished A (15) eap_peap: >>> send TLS 1.2 [length 0001] (15) eap_peap: TLS_accept: SSLv3 write change cipher spec A (15) eap_peap: >>> send TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3 write finished A (15) eap_peap: TLS_accept: SSLv3 flush data (15) eap_peap: (other): SSL negotiation finished successfully (15) eap_peap: SSL Connection Established (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 211 length 57 (15) eap: EAP session adding &reply:State = 0x13b4f8c81667e10c (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/raddb/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 15 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (15) EAP-Message = 0x01d3003919001403030001011603030028c4d6cba0b48752b4673199c19d6aadd4b7ef802d79b2977018b55347e106ae975f42a0bae3224e60 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x13b4f8c81667e10caef2d3fb04d37962 (15) Finished request Waking up in 4.8 seconds. (16) Received Access-Request Id 16 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (16) User-Name = "robert_plestenjak" (16) NAS-IP-Address = X.X.X.X (16) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (16) NAS-Port-Type = Wireless-802.11 (16) Service-Type = Framed-User (16) Calling-Station-Id = "18-F0-E4-3B-AA-02" (16) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (16) Acct-Session-Id = "6325D4B9D8CD9D01" (16) Acct-Multi-Session-Id = "33B691AA5B968946" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027073 (16) Meraki-Device-Name = "olai" (16) Framed-MTU = 1400 (16) EAP-Message = 0x02d300061900 (16) State = 0x13b4f8c81667e10caef2d3fb04d37962 (16) Message-Authenticator = 0x8a8f5afa9a3ca20b6a6e02804b573aeb (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/raddb/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 211 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/raddb/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x13b4f8c81667e10c (16) eap: Finished EAP session with state 0x13b4f8c81667e10c (16) eap: Previous EAP request found for state 0x13b4f8c81667e10c, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer ACKed our handshake fragment. handshake is finished (16) eap_peap: [eaptls verify] = success (16) eap_peap: [eaptls process] = success (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state TUNNEL ESTABLISHED (16) eap: Sending EAP Request (code 1) ID 212 length 40 (16) eap: EAP session adding &reply:State = 0x13b4f8c81560e10c (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/raddb/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 16 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (16) EAP-Message = 0x01d400281900170303001dc4d6cba0b48752b596fbd582271ba5144d0b07e037cdeb3c8872832bf8 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x13b4f8c81560e10caef2d3fb04d37962 (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 17 from X.X.X.X:51991 to X.X.X.X:1812 length 317 (17) User-Name = "robert_plestenjak" (17) NAS-IP-Address = X.X.X.X (17) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (17) NAS-Port-Type = Wireless-802.11 (17) Service-Type = Framed-User (17) Calling-Station-Id = "18-F0-E4-3B-AA-02" (17) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (17) Acct-Session-Id = "6325D4B9D8CD9D01" (17) Acct-Multi-Session-Id = "33B691AA5B968946" (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-Group-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027073 (17) Meraki-Device-Name = "olai" (17) Framed-MTU = 1400 (17) EAP-Message = 0x02d400351900170303002a0000000000000001d156dcb306795b1a5490d8115263cc725c1acd8c76588e31d9d4d985562c98bda7f5 (17) State = 0x13b4f8c81560e10caef2d3fb04d37962 (17) Message-Authenticator = 0xdffaa6c92233672ac826e8759d82c057 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/raddb/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 212 length 53 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0x13b4f8c81560e10c (17) eap: Finished EAP session with state 0x13b4f8c81560e10c (17) eap: Previous EAP request found for state 0x13b4f8c81560e10c, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: [eaptls verify] = ok (17) eap_peap: Done initial handshake (17) eap_peap: [eaptls process] = ok (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state WAITING FOR INNER IDENTITY (17) eap_peap: Identity - robert_plestenjak (17) eap_peap: Got inner identity 'robert_plestenjak' (17) eap_peap: Setting default EAP type for tunneled EAP session (17) eap_peap: Got tunneled request (17) eap_peap: EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) eap_peap: Setting User-Name to robert_plestenjak (17) eap_peap: Sending tunneled request to inner-tunnel (17) eap_peap: EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_peap: User-Name = "robert_plestenjak" (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "robert_plestenjak" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [chap] = noop (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop (17) eap: Peer sent EAP Response (code 2) ID 212 length 22 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: Issuing Challenge (17) eap: Sending EAP Request (code 1) ID 213 length 43 (17) eap: EAP session adding &reply:State = 0x8f45c9568f90d385 (17) [eap] = handled (17) } # authenticate = handled (17) } # server inner-tunnel (17) Virtual server sending reply (17) EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled reply code 11 (17) eap_peap: EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled reply RADIUS code 11 (17) eap_peap: EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled Access-Challenge (17) eap: Sending EAP Request (code 1) ID 213 length 74 (17) eap: EAP session adding &reply:State = 0x13b4f8c81461e10c (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/raddb/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 17 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (17) EAP-Message = 0x01d5004a1900170303003fc4d6cba0b48752b678685a1c20d35c1495eeb8b7b68d48af7559cb23b1794638500578a62c50725d1c13f70559dd2ab4ccbc5f333da3c269bb54861de08c5d (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x13b4f8c81461e10caef2d3fb04d37962 (17) Finished request Waking up in 4.8 seconds. (18) Received Access-Request Id 18 from X.X.X.X:51991 to X.X.X.X:1812 length 371 (18) User-Name = "robert_plestenjak" (18) NAS-IP-Address = X.X.X.X (18) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (18) NAS-Port-Type = Wireless-802.11 (18) Service-Type = Framed-User (18) Calling-Station-Id = "18-F0-E4-3B-AA-02" (18) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (18) Acct-Session-Id = "6325D4B9D8CD9D01" (18) Acct-Multi-Session-Id = "33B691AA5B968946" (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-Group-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027073 (18) Meraki-Device-Name = "olai" (18) Framed-MTU = 1400 (18) EAP-Message = 0x02d5006b1900170303006000000000000000020c47825d8d203487343c1cb7cf937baaa3da3ec65947d11d4899785cfde46b828ddf938c7d8be000eeaa66195bd54d33f0cac081834d0215acdfd165302a9c12f09e8c2df780ccda3057bcbf23228b4b9817ae6a78a96c2c (18) State = 0x13b4f8c81461e10caef2d3fb04d37962 (18) Message-Authenticator = 0x542d7969f2658b6f35989a19866db2dc (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 213 length 107 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0x8f45c9568f90d385 (18) eap: Finished EAP session with state 0x13b4f8c81461e10c (18) eap: Previous EAP request found for state 0x13b4f8c81461e10c, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: [eaptls verify] = ok (18) eap_peap: Done initial handshake (18) eap_peap: [eaptls process] = ok (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state phase2 (18) eap_peap: EAP method MSCHAPv2 (26) (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) eap_peap: Setting User-Name to robert_plestenjak (18) eap_peap: Sending tunneled request to inner-tunnel (18) eap_peap: EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "robert_plestenjak" (18) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (18) Virtual server inner-tunnel received request (18) EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "robert_plestenjak" (18) State = 0x8f45c9568f90d3857e52bda50653607d (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server inner-tunnel { (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [chap] = noop (18) [mschap] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) update control { (18) &Proxy-To-Realm := LOCAL (18) } # update control = noop (18) eap: Peer sent EAP Response (code 2) ID 213 length 76 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) [files] = noop rlm_ldap (ldap): Reserved connection (3) (18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) ldap: --> (uid=robert_plestenjak) (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (3) (18) [ldap] = updated (18) [expiration] = noop (18) [logintime] = noop (18) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (18) pap: Removing &control:Password-With-Header (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) authenticate { (18) eap: Expiring EAP session with state 0x8f45c9568f90d385 (18) eap: Finished EAP session with state 0x8f45c9568f90d385 (18) eap: Previous EAP request found for state 0x8f45c9568f90d385, released from the list (18) eap: Peer sent packet with method EAP MSCHAPv2 (26) (18) eap: Calling submodule eap_mschapv2 to process data (18) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) eap_mschapv2: authenticate { (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: robert_plestenjak (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: MS-CHAP2-Response is incorrect (18) [mschap] = reject (18) } # authenticate = reject (18) eap: Sending EAP Failure (code 4) ID 213 length 4 (18) eap: Freeing handler (18) [eap] = reject (18) } # authenticate = reject (18) Failed to authenticate the user (18) Using Post-Auth-Type Reject (18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) Post-Auth-Type REJECT { (18) attr_filter.access_reject: EXPAND %{User-Name} (18) attr_filter.access_reject: --> robert_plestenjak (18) attr_filter.access_reject: Matched entry DEFAULT at line 11 (18) [attr_filter.access_reject] = updated (18) update outer.session-state { (18) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (18) } # update outer.session-state = noop (18) } # Post-Auth-Type REJECT = updated (18) } # server inner-tunnel (18) Virtual server sending reply (18) MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) EAP-Message = 0x04d50004 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Got tunneled reply code 3 (18) eap_peap: MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) eap_peap: EAP-Message = 0x04d50004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Got tunneled reply RADIUS code 3 (18) eap_peap: MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) eap_peap: EAP-Message = 0x04d50004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Tunneled authentication was rejected (18) eap_peap: FAILURE (18) eap: Sending EAP Request (code 1) ID 214 length 46 (18) eap: EAP session adding &reply:State = 0x13b4f8c81b62e10c (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/raddb/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) session-state: Saving cached attributes (18) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (18) Sent Access-Challenge Id 18 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (18) EAP-Message = 0x01d6002e19001703030023c4d6cba0b48752b7f8f87842178ba52177865f6c1cef5524f872ed8897901cb80d3a00 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x13b4f8c81b62e10caef2d3fb04d37962 (18) Finished request Waking up in 4.8 seconds. (19) Received Access-Request Id 19 from X.X.X.X:51991 to X.X.X.X:1812 length 310 (19) User-Name = "robert_plestenjak" (19) NAS-IP-Address = X.X.X.X (19) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (19) NAS-Port-Type = Wireless-802.11 (19) Service-Type = Framed-User (19) Calling-Station-Id = "18-F0-E4-3B-AA-02" (19) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (19) Acct-Session-Id = "6325D4B9D8CD9D01" (19) Acct-Multi-Session-Id = "33B691AA5B968946" (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-Group-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027073 (19) Meraki-Device-Name = "olai" (19) Framed-MTU = 1400 (19) EAP-Message = 0x02d6002e19001703030023000000000000000308fa96363a074f0d6a71b51ac3f369d6bb554270c5c198b63ca951 (19) State = 0x13b4f8c81b62e10caef2d3fb04d37962 (19) Message-Authenticator = 0xb04cbd1a88e53186c391121c6b9f62b1 (19) Restoring &session-state (19) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (19) # Executing section authorize from file /etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 214 length 46 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/raddb/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0x13b4f8c81b62e10c (19) eap: Finished EAP session with state 0x13b4f8c81b62e10c (19) eap: Previous EAP request found for state 0x13b4f8c81b62e10c, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state send tlv failure (19) eap_peap: Received EAP-TLV response (19) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (19) eap_peap: This means you need to read the PREVIOUS messages in the debug output (19) eap_peap: to find out the reason why the user was rejected (19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (19) eap_peap: what went wrong, and how to fix the problem (19) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (19) eap: Sending EAP Failure (code 4) ID 214 length 4 (19) eap: Failed in EAP select (19) [eap] = invalid (19) } # authenticate = invalid (19) Failed to authenticate the user (19) Using Post-Auth-Type Reject (19) # Executing group from file /etc/raddb/sites-enabled/default (19) Post-Auth-Type REJECT { (19) attr_filter.access_reject: EXPAND %{User-Name} (19) attr_filter.access_reject: --> robert_plestenjak (19) attr_filter.access_reject: Matched entry DEFAULT at line 11 (19) [attr_filter.access_reject] = updated (19) [eap] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) } # Post-Auth-Type REJECT = updated (19) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (19) Sending delayed response (19) Sent Access-Reject Id 19 from X.X.X.X:1812 to X.X.X.X:51991 length 44 (19) EAP-Message = 0x04d60004 (19) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (10) Cleaning up request packet ID 10 with timestamp +25 (11) Cleaning up request packet ID 11 with timestamp +25 (12) Cleaning up request packet ID 12 with timestamp +25 (13) Cleaning up request packet ID 13 with timestamp +25 (14) Cleaning up request packet ID 14 with timestamp +25 (15) Cleaning up request packet ID 15 with timestamp +25 (16) Cleaning up request packet ID 16 with timestamp +25 (17) Cleaning up request packet ID 17 with timestamp +25 (18) Cleaning up request packet ID 18 with timestamp +25 (19) Cleaning up request packet ID 19 with timestamp +25 Ready to process requests