Thanks Alan,
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?. If that's where you want to put MAC addresses, yes.
I have installed freeradius without sql integration for testing. 1, changed # Instead of "use_tunneled_reply", value to "if (1) {. 2, users file have following entry on top. testing Password := "password", Calling-Station-Id := "0cf346e648f3" Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject. I'm not sure if this happen due to any stale sessions, as these android devices to do not have a wireless disconnect button to properly terminate accounting. unauthorised device mac - 06ad2e0b874b Thanks, truncated debug output, hope this does not include junk info for troubleshooting. ################################################################################# Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 49880 Listening on proxy address :: port 52573 Ready to process requests (0) Received Access-Request Id 233 from 10.225.251.10:52377 to 172.16.2.4:1812 length 187 (0) User-Name = "testing" (0) NAS-IP-Address = 10.225.251.10 (0) NAS-Port = 0 (0) NAS-Identifier = "172.16.6.62" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "0cf346e648f3" (0) Called-Station-Id = "removed" (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x0201000c0174657374696e67 (0) Aruba-Essid-Name = "wtf" (0) Aruba-Location-Id = "Building-A" (0) Aruba-AP-Group = "Cluster" (0) Message-Authenticator = 0x6b374ac5a93bce8c2437b87861837f2e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testing", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x26ecb91326eebd98 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 233 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (0) EAP-Message = 0x010200160410b87d1a4e19320c5a96ecd9c38383c104 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x26ecb91326eebd9834dbb54fecf0e9db (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 234 from 10.225.251.10:52377 to 172.16.2.4:1812 length 201 (1) User-Name = "testing" (1) NAS-IP-Address = 10.225.251.10 (1) NAS-Port = 0 (1) NAS-Identifier = "172.16.6.62" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "0cf346e648f3" (1) Called-Station-Id = "removed" (1) Service-Type = Login-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x0202000803191534 (1) State = 0x26ecb91326eebd9834dbb54fecf0e9db (1) Aruba-Essid-Name = "wtf" (1) Aruba-Location-Id = "Building-A" (1) Aruba-AP-Group = "Cluster" (1) Message-Authenticator = 0x54bb5e57cb31ffae2f7b88043cf81436 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "testing", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 8 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry testing at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x26ecb91326eebd98 (1) eap: Finished EAP session with state 0x26ecb91326eebd98 (1) eap: Previous EAP request found for state 0x26ecb91326eebd98, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0x26ecb91327efa098 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 234 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (1) EAP-Message = 0x010300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x26ecb91327efa09834dbb54fecf0e9db (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 235 from 10.225.251.10:52377 to 172.16.2.4:1812 length 334 (2) User-Name = "testing" (2) NAS-IP-Address = 10.225.251.10 (2) NAS-Port = 0 (2) NAS-Identifier = "172.16.6.62" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "0cf346e648f3" (2) Called-Station-Id = "removed" (2) Service-Type = Login-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x0203008d198000000083160301007e0100007a0303060aa89fafeaaf392589d5fe6fb92e44af5a6ecd2ee85b1aeacad97cb6f7b48a00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d (2) State = 0x26ecb91327efa09834dbb54fecf0e9db (2) Aruba-Essid-Name = "wtf" (2) Aruba-Location-Id = "Building-A" (2) Aruba-AP-Group = "Cluster" (2) Message-Authenticator = 0xdbadf9ba93a059334f8680af0fe6c4b5 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "testing", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 141 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x26ecb91327efa098 (2) eap: Finished EAP session with state 0x26ecb91327efa098 (2) eap: Previous EAP request found for state 0x26ecb91327efa098, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 131 bytes (2) eap_peap: Got complete TLS record (131 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 007e] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02ed] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x26ecb91324e8a098 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 235 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (2) EAP-Message = 0x010403ec19c00000048f160303003d0200003903038d3a1204d1b8331e273aa41d6f940848b75a78c30a3530d9444f574e4752440100c02f000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x26ecb91324e8a09834dbb54fecf0e9db (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 236 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (3) User-Name = "testing" (3) NAS-IP-Address = 10.225.251.10 (3) NAS-Port = 0 (3) NAS-Identifier = "172.16.6.62" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "0cf346e648f3" (3) Called-Station-Id = "removed" (3) Service-Type = Login-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x020400061900 (3) State = 0x26ecb91324e8a09834dbb54fecf0e9db (3) Aruba-Essid-Name = "wtf" (3) Aruba-Location-Id = "Building-A" (3) Aruba-AP-Group = "Cluster" (3) Message-Authenticator = 0x0ca5b03d33d32f13fa1d7fa508466f90 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testing", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x26ecb91324e8a098 (3) eap: Finished EAP session with state 0x26ecb91324e8a098 (3) eap: Previous EAP request found for state 0x26ecb91324e8a098, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 179 (3) eap: EAP session adding &reply:State = 0x26ecb91325e9a098 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 236 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (3) EAP-Message = 0x010500b3190021c7f360b873becbfa70b91b337e04c5a6311621341a44518886b69767800fca211ab4ddd1e5e10d9cd553895b1b1d948973e3959e053e09fa38f0964c9063e0f7a0bb9d5933236b3b07bab59dd46b46b1bbdcc397f7be6c45bcc193ab1127f61adca3aa6a987813a4352f081dc792fd5d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x26ecb91325e9a09834dbb54fecf0e9db (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 237 from 10.225.251.10:52377 to 172.16.2.4:1812 length 329 (4) User-Name = "testing" (4) NAS-IP-Address = 10.225.251.10 (4) NAS-Port = 0 (4) NAS-Identifier = "172.16.6.62" (4) NAS-Port-Type = Wireless-802.11 (4) Calling-Station-Id = "0cf346e648f3" (4) Called-Station-Id = "removed" (4) Service-Type = Login-User (4) Framed-MTU = 1100 (4) EAP-Message = 0x0205008819800000007e1603030046100000424104d51ed9058fa13b42818aeed7c2d686aac07c3682ee808b17625b4e1c511314e62eb452b1449b24311a9a55961f811a931966f08055b69ce5589356585ac9847a140303000101160303002800000000000000000a3e6bdb506872b81bc568b13f53b0 (4) State = 0x26ecb91325e9a09834dbb54fecf0e9db (4) Aruba-Essid-Name = "wtf" (4) Aruba-Location-Id = "Building-A" (4) Aruba-AP-Group = "Cluster" (4) Message-Authenticator = 0x72178224b9c9119753955ab0e5f3b71f (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "testing", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x26ecb91325e9a098 (4) eap: Finished EAP session with state 0x26ecb91325e9a098 (4) eap: Previous EAP request found for state 0x26ecb91325e9a098, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 57 (4) eap: EAP session adding &reply:State = 0x26ecb91322eaa098 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 237 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (4) EAP-Message = 0x0106003919001403030001011603030028dd27973f8182c94ca4f1925e99fd7a9230f8231af5e52990249dea19962109ae1227daa1aa18f296 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x26ecb91322eaa09834dbb54fecf0e9db (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 238 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (5) User-Name = "testing" (5) NAS-IP-Address = 10.225.251.10 (5) NAS-Port = 0 (5) NAS-Identifier = "172.16.6.62" (5) NAS-Port-Type = Wireless-802.11 (5) Calling-Station-Id = "0cf346e648f3" (5) Called-Station-Id = "removed" (5) Service-Type = Login-User (5) Framed-MTU = 1100 (5) EAP-Message = 0x020600061900 (5) State = 0x26ecb91322eaa09834dbb54fecf0e9db (5) Aruba-Essid-Name = "wtf" (5) Aruba-Location-Id = "Building-A" (5) Aruba-AP-Group = "Cluster" (5) Message-Authenticator = 0xcf603138502bf912302edf3d39c0bade (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "testing", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x26ecb91322eaa098 (5) eap: Finished EAP session with state 0x26ecb91322eaa098 (5) eap: Previous EAP request found for state 0x26ecb91322eaa098, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 7 length 40 (5) eap: EAP session adding &reply:State = 0x26ecb91323eba098 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 238 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (5) EAP-Message = 0x010700281900170303001ddd27973f8182c94d6975d89772745d4712cd702dfaa3c80366c524bb9b (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x26ecb91323eba09834dbb54fecf0e9db (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 239 from 10.225.251.10:52377 to 172.16.2.4:1812 length 236 (6) User-Name = "testing" (6) NAS-IP-Address = 10.225.251.10 (6) NAS-Port = 0 (6) NAS-Identifier = "172.16.6.62" (6) NAS-Port-Type = Wireless-802.11 (6) Calling-Station-Id = "0cf346e648f3" (6) Called-Station-Id = "removed" (6) Service-Type = Login-User (6) Framed-MTU = 1100 (6) EAP-Message = 0x0207002b190017030300200000000000000001b79a353c2acffa5086f5d27b61130dc019f2fc2f117920c2 (6) State = 0x26ecb91323eba09834dbb54fecf0e9db (6) Aruba-Essid-Name = "wtf" (6) Aruba-Location-Id = "Building-A" (6) Aruba-AP-Group = "Cluster" (6) Message-Authenticator = 0x305948d9985d10f1fc907ab52fb03b57 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testing", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x26ecb91323eba098 (6) eap: Finished EAP session with state 0x26ecb91323eba098 (6) eap: Previous EAP request found for state 0x26ecb91323eba098, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - testing (6) eap_peap: Got inner identity 'testing' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (6) eap_peap: Setting User-Name to testing (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "testing" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0207000c0174657374696e67 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "testing" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testing", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 12 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 43 (6) eap: EAP session adding &reply:State = 0x2ea1368a2ea92c2a (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 74 (6) eap: EAP session adding &reply:State = 0x26ecb91320e4a098 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 239 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (6) EAP-Message = 0x0108004a1900170303003fdd27973f8182c94ebae01294a307e163cb7811f64a56fb051792c4356b4bb2eaa2ba42fab24fd88c8e8d86d894a8bffddf1f32a9ce4f8a260a190661e0a4bb (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x26ecb91320e4a09834dbb54fecf0e9db (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 240 from 10.225.251.10:52377 to 172.16.2.4:1812 length 290 (7) User-Name = "testing" (7) NAS-IP-Address = 10.225.251.10 (7) NAS-Port = 0 (7) NAS-Identifier = "172.16.6.62" (7) NAS-Port-Type = Wireless-802.11 (7) Calling-Station-Id = "0cf346e648f3" (7) Called-Station-Id = "removed" (7) Service-Type = Login-User (7) Framed-MTU = 1100 (7) EAP-Message = 0x0208006119001703030056000000000000000255e3756b8198a325c561878777ec4d23e1317189f62014fa5f28ffc199956b64f7afd4cee0939fb0fe438e01f6fd074d24246fa6acd514ebdbc9e56f1d7cd50bf6782b0b1bb618564742e1f65e0d (7) State = 0x26ecb91320e4a09834dbb54fecf0e9db (7) Aruba-Essid-Name = "wtf" (7) Aruba-Location-Id = "Building-A" (7) Aruba-AP-Group = "Cluster" (7) Message-Authenticator = 0x249f707d7c4b10a7db58fa0192977675 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testing", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 97 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x2ea1368a2ea92c2a (7) eap: Finished EAP session with state 0x26ecb91320e4a098 (7) eap: Previous EAP request found for state 0x26ecb91320e4a098, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) eap_peap: Setting User-Name to testing (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "testing" (7) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "testing" (7) State = 0x2ea1368a2ea92c2ab71bf7409912d765 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testing", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 66 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: users: Matched entry testing at line 1 (7) [files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x2ea1368a2ea92c2a (7) eap: Finished EAP session with state 0x2ea1368a2ea92c2a (7) eap: Previous EAP request found for state 0x2ea1368a2ea92c2a, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: testing (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 9 length 51 (7) eap: EAP session adding &reply:State = 0x2ea1368a2fa82c2a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 9 length 82 (7) eap: EAP session adding &reply:State = 0x26ecb91321e5a098 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 240 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (7) EAP-Message = 0x0109005219001703030047dd27973f8182c94f61e31c86381c9ec1a5e493e2a1e053f284bea160e03e1ea47f03e0b7ea785681c214523240b4a271cdb9dfe8d8c3f23c007deb6e9ce44595120fecd4003694 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x26ecb91321e5a09834dbb54fecf0e9db (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 241 from 10.225.251.10:52377 to 172.16.2.4:1812 length 230 (8) User-Name = "testing" (8) NAS-IP-Address = 10.225.251.10 (8) NAS-Port = 0 (8) NAS-Identifier = "172.16.6.62" (8) NAS-Port-Type = Wireless-802.11 (8) Calling-Station-Id = "0cf346e648f3" (8) Called-Station-Id = "removed" (8) Service-Type = Login-User (8) Framed-MTU = 1100 (8) EAP-Message = 0x020900251900170303001a0000000000000003c6ffb6d7d0fe9efaa852faca49166d526817 (8) State = 0x26ecb91321e5a09834dbb54fecf0e9db (8) Aruba-Essid-Name = "wtf" (8) Aruba-Location-Id = "Building-A" (8) Aruba-AP-Group = "Cluster" (8) Message-Authenticator = 0x1222cf19f68850add1e1ced0f33858cb (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testing", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x2ea1368a2fa82c2a (8) eap: Finished EAP session with state 0x26ecb91321e5a098 (8) eap: Previous EAP request found for state 0x26ecb91321e5a098, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to testing (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "testing" (8) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "testing" (8) State = 0x2ea1368a2fa82c2ab71bf7409912d765 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testing", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: users: Matched entry testing at line 1 (8) [files] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x2ea1368a2fa82c2a (8) eap: Finished EAP session with state 0x2ea1368a2fa82c2a (8) eap: Previous EAP request found for state 0x2ea1368a2fa82c2a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) post-auth { (8) if (1) { (8) if (1) -> TRUE (8) if (1) { (8) update reply { (8) User-Name !* ANY (8) Message-Authenticator !* ANY (8) EAP-Message !* ANY (8) Proxy-State !* ANY (8) MS-MPPE-Encryption-Types !* ANY (8) MS-MPPE-Encryption-Policy !* ANY (8) MS-MPPE-Send-Key !* ANY (8) MS-MPPE-Recv-Key !* ANY (8) } # update reply = noop (8) update { (8) No attributes updated (8) } # update = noop (8) } # if (1) = noop (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 10 length 46 (8) eap: EAP session adding &reply:State = 0x26ecb9132ee6a098 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 241 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (8) EAP-Message = 0x010a002e19001703030023dd27973f8182c9506b6c812b8d338645bb98f38584dc0f5ff7f6ca62583242b986081b (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x26ecb9132ee6a09834dbb54fecf0e9db (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 242 from 10.225.251.10:52377 to 172.16.2.4:1812 length 239 (9) User-Name = "testing" (9) NAS-IP-Address = 10.225.251.10 (9) NAS-Port = 0 (9) NAS-Identifier = "172.16.6.62" (9) NAS-Port-Type = Wireless-802.11 (9) Calling-Station-Id = "0cf346e648f3" (9) Called-Station-Id = "removed" (9) Service-Type = Login-User (9) Framed-MTU = 1100 (9) EAP-Message = 0x020a002e190017030300230000000000000004f6b4015bb76668d7defe5fbaa272b19d37cb7660b5f38334a55592 (9) State = 0x26ecb9132ee6a09834dbb54fecf0e9db (9) Aruba-Essid-Name = "wtf" (9) Aruba-Location-Id = "Building-A" (9) Aruba-AP-Group = "Cluster" (9) Message-Authenticator = 0xbfeb9e46ea138b7b564ba6f041b2ab71 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "testing", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x26ecb9132ee6a098 (9) eap: Finished EAP session with state 0x26ecb9132ee6a098 (9) eap: Previous EAP request found for state 0x26ecb9132ee6a098, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 10 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 242 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (9) MS-MPPE-Recv-Key = 0x0ea59c83fc37bd0daeaa9242a6e0cf94e51dd3ece25ac81cfaffbc9946c94522 (9) MS-MPPE-Send-Key = 0x7a5be9e771c473a5ed942fa234930a4051f6461b0157dc51f5de7c2391d16022 (9) EAP-Message = 0x030a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "testing" (9) Finished request Waking up in 4.8 seconds. (10) Received Accounting-Request Id 243 from 10.225.251.10:52377 to 172.16.2.4:1813 length 218 (10) Acct-Status-Type = Start (10) NAS-IP-Address = 10.225.251.10 (10) User-Name = "testing" (10) NAS-Port = 0 (10) NAS-Port-Type = Wireless-802.11 (10) Calling-Station-Id = "0cf346e648f3" (10) Called-Station-Id = "removed" (10) Framed-IP-Address = 10.225.251.61 (10) Acct-Multi-Session-Id = "0CF346E648F3-1679732014" (10) Acct-Session-Id = "F05C1986E387-0CF346E648F3-641EAD2F-9DA8F" (10) Acct-Delay-Time = 0 (10) Aruba-Essid-Name = "wtf" (10) Aruba-Location-Id = "Building-A" (10) Aruba-User-Vlan = 51 (10) Acct-Authentic = 0 (10) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (10) preacct { (10) [preprocess] = ok (10) policy acct_unique { (10) update request { (10) &Tmp-String-9 := "ai:" (10) } # update request = noop (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (10) EXPAND %{hex:&Class} (10) --> (10) EXPAND ^%{hex:&Tmp-String-9} (10) --> ^61693a (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (10) else { (10) update request { (10) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (10) --> f50bcba9a953cd64b2995ff219b0e0bc (10) &Acct-Unique-Session-Id := f50bcba9a953cd64b2995ff219b0e0bc (10) } # update request = noop (10) } # else = noop (10) } # policy acct_unique = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "testing", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) [files] = noop (10) } # preacct = ok (10) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (10) accounting { (10) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (10) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (10) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (10) detail: EXPAND %t (10) detail: --> Sat Mar 25 13:43:35 2023 (10) [detail] = ok (10) [unix] = ok (10) [exec] = noop (10) attr_filter.accounting_response: EXPAND %{User-Name} (10) attr_filter.accounting_response: --> testing (10) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (10) [attr_filter.accounting_response] = updated (10) } # accounting = updated (10) Sent Accounting-Response Id 243 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (10) Finished request (10) Cleaning up request packet ID 243 with timestamp +29 Waking up in 4.7 seconds. (0) Cleaning up request packet ID 233 with timestamp +29 (1) Cleaning up request packet ID 234 with timestamp +29 (2) Cleaning up request packet ID 235 with timestamp +29 (3) Cleaning up request packet ID 236 with timestamp +29 (4) Cleaning up request packet ID 237 with timestamp +29 (5) Cleaning up request packet ID 238 with timestamp +29 (6) Cleaning up request packet ID 239 with timestamp +29 (7) Cleaning up request packet ID 240 with timestamp +29 (8) Cleaning up request packet ID 241 with timestamp +29 (9) Cleaning up request packet ID 242 with timestamp +29 Ready to process requests (11) Received Access-Request Id 244 from 10.225.251.10:52377 to 172.16.2.4:1812 length 187 (11) User-Name = "testing" (11) NAS-IP-Address = 10.225.251.10 (11) NAS-Port = 0 (11) NAS-Identifier = "172.16.6.62" (11) NAS-Port-Type = Wireless-802.11 (11) Calling-Station-Id = "06ad2e0b874b" (11) Called-Station-Id = "removed" (11) Service-Type = Login-User (11) Framed-MTU = 1100 (11) EAP-Message = 0x0201000c0174657374696e67 (11) Aruba-Essid-Name = "wtf" (11) Aruba-Location-Id = "Building-A" (11) Aruba-AP-Group = "Cluster" (11) Message-Authenticator = 0x226998c0a30b9bc73e64a5278ff8df75 (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "testing", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 1 length 12 (11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) authenticate { (11) eap: Peer sent packet with method EAP Identity (1) (11) eap: Calling submodule eap_md5 to process data (11) eap_md5: Issuing MD5 Challenge (11) eap: Sending EAP Request (code 1) ID 2 length 22 (11) eap: EAP session adding &reply:State = 0xbb30d846bb32dce8 (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 244 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (11) EAP-Message = 0x0102001604102aabbe281b9b4ef7b6791e1a0e2f0e84 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xbb30d846bb32dce8d4ac4e5dffc91c7d (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 245 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (12) User-Name = "testing" (12) NAS-IP-Address = 10.225.251.10 (12) NAS-Port = 0 (12) NAS-Identifier = "172.16.6.62" (12) NAS-Port-Type = Wireless-802.11 (12) Calling-Station-Id = "06ad2e0b874b" (12) Called-Station-Id = "removed" (12) Service-Type = Login-User (12) Framed-MTU = 1100 (12) EAP-Message = 0x020200060319 (12) State = 0xbb30d846bb32dce8d4ac4e5dffc91c7d (12) Aruba-Essid-Name = "wtf" (12) Aruba-Location-Id = "Building-A" (12) Aruba-AP-Group = "Cluster" (12) Message-Authenticator = 0x488b93679e0ff25cabd26b6cd61599b9 (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "testing", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 2 length 6 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) files: users: Matched entry testing at line 1 (12) [files] = ok (12) [expiration] = noop (12) [logintime] = noop (12) pap: WARNING: Auth-Type already set. Not setting to PAP (12) [pap] = noop (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0xbb30d846bb32dce8 (12) eap: Finished EAP session with state 0xbb30d846bb32dce8 (12) eap: Previous EAP request found for state 0xbb30d846bb32dce8, released from the list (12) eap: Peer sent packet with method EAP NAK (3) (12) eap: Found mutually acceptable type PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: Initiating new EAP-TLS session (12) eap_peap: [eaptls start] = request (12) eap: Sending EAP Request (code 1) ID 3 length 6 (12) eap: EAP session adding &reply:State = 0xbb30d846ba33c1e8 (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 245 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (12) EAP-Message = 0x010300061920 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0xbb30d846ba33c1e8d4ac4e5dffc91c7d (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 246 from 10.225.251.10:52377 to 172.16.2.4:1812 length 334 (13) User-Name = "testing" (13) NAS-IP-Address = 10.225.251.10 (13) NAS-Port = 0 (13) NAS-Identifier = "172.16.6.62" (13) NAS-Port-Type = Wireless-802.11 (13) Calling-Station-Id = "06ad2e0b874b" (13) Called-Station-Id = "removed" (13) Service-Type = Login-User (13) Framed-MTU = 1100 (13) EAP-Message = 0x0203008d198000000083160301007e0100007a0303ac80a1e0cfb54d63b1b8b1ebe9fd9a28499814f0094affe277d8f45891311a7b00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d (13) State = 0xbb30d846ba33c1e8d4ac4e5dffc91c7d (13) Aruba-Essid-Name = "wtf" (13) Aruba-Location-Id = "Building-A" (13) Aruba-AP-Group = "Cluster" (13) Message-Authenticator = 0xe7149581d1b428b6b5bf8b4df035ca6e (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "testing", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 3 length 141 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0xbb30d846ba33c1e8 (13) eap: Finished EAP session with state 0xbb30d846ba33c1e8 (13) eap: Previous EAP request found for state 0xbb30d846ba33c1e8, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: Peer indicated complete TLS record size will be 131 bytes (13) eap_peap: Got complete TLS record (131 bytes) (13) eap_peap: [eaptls verify] = length included (13) eap_peap: (other): before SSL initialization (13) eap_peap: TLS_accept: before SSL initialization (13) eap_peap: TLS_accept: before SSL initialization (13) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 007e] (13) eap_peap: TLS_accept: SSLv3/TLS read client hello (13) eap_peap: >>> send TLS 1.2 [length 003d] (13) eap_peap: TLS_accept: SSLv3/TLS write server hello (13) eap_peap: >>> send TLS 1.2 [length 02ed] (13) eap_peap: TLS_accept: SSLv3/TLS write certificate (13) eap_peap: >>> send TLS 1.2 [length 014d] (13) eap_peap: TLS_accept: SSLv3/TLS write key exchange (13) eap_peap: >>> send TLS 1.2 [length 0004] (13) eap_peap: TLS_accept: SSLv3/TLS write server done (13) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (13) eap_peap: In SSL Handshake Phase (13) eap_peap: In SSL Accept mode (13) eap_peap: [eaptls process] = handled (13) eap: Sending EAP Request (code 1) ID 4 length 1004 (13) eap: EAP session adding &reply:State = 0xbb30d846b934c1e8 (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 246 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (13) EAP-Message = 0x010403ec19c00000048f160303003d020000390303ce804def818f33b72d5290f269346761c0174b90392d63cf444f574e4752440100c02f000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0xbb30d846b934c1e8d4ac4e5dffc91c7d (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 247 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (14) User-Name = "testing" (14) NAS-IP-Address = 10.225.251.10 (14) NAS-Port = 0 (14) NAS-Identifier = "172.16.6.62" (14) NAS-Port-Type = Wireless-802.11 (14) Calling-Station-Id = "06ad2e0b874b" (14) Called-Station-Id = "removed" (14) Service-Type = Login-User (14) Framed-MTU = 1100 (14) EAP-Message = 0x020400061900 (14) State = 0xbb30d846b934c1e8d4ac4e5dffc91c7d (14) Aruba-Essid-Name = "wtf" (14) Aruba-Location-Id = "Building-A" (14) Aruba-AP-Group = "Cluster" (14) Message-Authenticator = 0x09a019e8b7748dd384ded96b90487c23 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "testing", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 4 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0xbb30d846b934c1e8 (14) eap: Finished EAP session with state 0xbb30d846b934c1e8 (14) eap: Previous EAP request found for state 0xbb30d846b934c1e8, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer ACKed our handshake fragment (14) eap_peap: [eaptls verify] = request (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 5 length 179 (14) eap: EAP session adding &reply:State = 0xbb30d846b835c1e8 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 247 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (14) EAP-Message = 0x010500b319004b062413d146deea5af650c4d176b054f6bea9d1f35f00f7ee65ad4a65f229c64167c739a51b216a4a4f284063b0fab80a743fc68e912ffb12011fc9340b15e0b90037aebb2fc7dc8472e8fa37c8e89d5394268a92f2991493ce624c2722bc1df2f42342589abc220092edd96e78a1bb7b (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0xbb30d846b835c1e8d4ac4e5dffc91c7d (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 248 from 10.225.251.10:52377 to 172.16.2.4:1812 length 329 (15) User-Name = "testing" (15) NAS-IP-Address = 10.225.251.10 (15) NAS-Port = 0 (15) NAS-Identifier = "172.16.6.62" (15) NAS-Port-Type = Wireless-802.11 (15) Calling-Station-Id = "06ad2e0b874b" (15) Called-Station-Id = "removed" (15) Service-Type = Login-User (15) Framed-MTU = 1100 (15) EAP-Message = 0x0205008819800000007e1603030046100000424104a0764b4f1161a0da2cb31cb2304059a4e88c3758d26baeafc5dce494af6b49009edd0e37c5c4c275958cd7f9f5d739094741d530dee468e859e5f38a4d0a785614030300010116030300280000000000000000e7a05889da33645bc83c4cb6667024 (15) State = 0xbb30d846b835c1e8d4ac4e5dffc91c7d (15) Aruba-Essid-Name = "wtf" (15) Aruba-Location-Id = "Building-A" (15) Aruba-AP-Group = "Cluster" (15) Message-Authenticator = 0x0f0a1f0a76d70586c876d8425371f243 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "testing", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 5 length 136 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0xbb30d846b835c1e8 (15) eap: Finished EAP session with state 0xbb30d846b835c1e8 (15) eap: Previous EAP request found for state 0xbb30d846b835c1e8, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer indicated complete TLS record size will be 126 bytes (15) eap_peap: Got complete TLS record (126 bytes) (15) eap_peap: [eaptls verify] = length included (15) eap_peap: TLS_accept: SSLv3/TLS write server done (15) eap_peap: <<< recv TLS 1.2 [length 0046] (15) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (15) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (15) eap_peap: <<< recv TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3/TLS read finished (15) eap_peap: >>> send TLS 1.2 [length 0001] (15) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (15) eap_peap: >>> send TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3/TLS write finished (15) eap_peap: (other): SSL negotiation finished successfully (15) eap_peap: SSL Connection Established (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 6 length 57 (15) eap: EAP session adding &reply:State = 0xbb30d846bf36c1e8 (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 248 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (15) EAP-Message = 0x01060039190014030300010116030300284201276eba70648c4775e39c857a1aa878536f8d697f772bb04b977b86c33e27d40197981b4f839a (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0xbb30d846bf36c1e8d4ac4e5dffc91c7d (15) Finished request Waking up in 4.9 seconds. (16) Received Access-Request Id 249 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (16) User-Name = "testing" (16) NAS-IP-Address = 10.225.251.10 (16) NAS-Port = 0 (16) NAS-Identifier = "172.16.6.62" (16) NAS-Port-Type = Wireless-802.11 (16) Calling-Station-Id = "06ad2e0b874b" (16) Called-Station-Id = "removed" (16) Service-Type = Login-User (16) Framed-MTU = 1100 (16) EAP-Message = 0x020600061900 (16) State = 0xbb30d846bf36c1e8d4ac4e5dffc91c7d (16) Aruba-Essid-Name = "wtf" (16) Aruba-Location-Id = "Building-A" (16) Aruba-AP-Group = "Cluster" (16) Message-Authenticator = 0x5d7556cb27c97467b088fe568724e3c2 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "testing", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 6 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0xbb30d846bf36c1e8 (16) eap: Finished EAP session with state 0xbb30d846bf36c1e8 (16) eap: Previous EAP request found for state 0xbb30d846bf36c1e8, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer ACKed our handshake fragment. handshake is finished (16) eap_peap: [eaptls verify] = success (16) eap_peap: [eaptls process] = success (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state TUNNEL ESTABLISHED (16) eap: Sending EAP Request (code 1) ID 7 length 40 (16) eap: EAP session adding &reply:State = 0xbb30d846be37c1e8 (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 249 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (16) EAP-Message = 0x010700281900170303001d4201276eba70648d3b620ce7536e8c53900d37371466508abf55213857 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0xbb30d846be37c1e8d4ac4e5dffc91c7d (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 250 from 10.225.251.10:52377 to 172.16.2.4:1812 length 236 (17) User-Name = "testing" (17) NAS-IP-Address = 10.225.251.10 (17) NAS-Port = 0 (17) NAS-Identifier = "172.16.6.62" (17) NAS-Port-Type = Wireless-802.11 (17) Calling-Station-Id = "06ad2e0b874b" (17) Called-Station-Id = "removed" (17) Service-Type = Login-User (17) Framed-MTU = 1100 (17) EAP-Message = 0x0207002b1900170303002000000000000000017ab663bea468e74c54fb1cec7c5bf9ee306ceff0c6d2f249 (17) State = 0xbb30d846be37c1e8d4ac4e5dffc91c7d (17) Aruba-Essid-Name = "wtf" (17) Aruba-Location-Id = "Building-A" (17) Aruba-AP-Group = "Cluster" (17) Message-Authenticator = 0x14d294600ff184197766e4e7d44c7d13 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 7 length 43 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0xbb30d846be37c1e8 (17) eap: Finished EAP session with state 0xbb30d846be37c1e8 (17) eap: Previous EAP request found for state 0xbb30d846be37c1e8, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: [eaptls verify] = ok (17) eap_peap: Done initial handshake (17) eap_peap: [eaptls process] = ok (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state WAITING FOR INNER IDENTITY (17) eap_peap: Identity - testing (17) eap_peap: Got inner identity 'testing' (17) eap_peap: Setting default EAP type for tunneled EAP session (17) eap_peap: Got tunneled request (17) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (17) eap_peap: Setting User-Name to testing (17) eap_peap: Sending tunneled request to inner-tunnel (17) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_peap: User-Name = "testing" (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x0207000c0174657374696e67 (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "testing" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [chap] = noop (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop (17) eap: Peer sent EAP Response (code 2) ID 7 length 12 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: Issuing Challenge (17) eap: Sending EAP Request (code 1) ID 8 length 43 (17) eap: EAP session adding &reply:State = 0xee7e375dee762d2c (17) [eap] = handled (17) } # authenticate = handled (17) } # server inner-tunnel (17) Virtual server sending reply (17) EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled reply code 11 (17) eap_peap: EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled reply RADIUS code 11 (17) eap_peap: EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled Access-Challenge (17) eap: Sending EAP Request (code 1) ID 8 length 74 (17) eap: EAP session adding &reply:State = 0xbb30d846bd38c1e8 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 250 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (17) EAP-Message = 0x0108004a1900170303003f4201276eba70648e8aa60e9cc363cf6285913d08cfba8a1b001a814fca6b0a1fa428123f8cfa8dd46a9a3f3c9a28f8eac9286e7fe6efb84e54768028883f30 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0xbb30d846bd38c1e8d4ac4e5dffc91c7d (17) Finished request Waking up in 4.7 seconds. (18) Received Access-Request Id 251 from 10.225.251.10:52377 to 172.16.2.4:1812 length 290 (18) User-Name = "testing" (18) NAS-IP-Address = 10.225.251.10 (18) NAS-Port = 0 (18) NAS-Identifier = "172.16.6.62" (18) NAS-Port-Type = Wireless-802.11 (18) Calling-Station-Id = "06ad2e0b874b" (18) Called-Station-Id = "removed" (18) Service-Type = Login-User (18) Framed-MTU = 1100 (18) EAP-Message = 0x02080061190017030300560000000000000002bd616127f9f4538bdfc0c4c3a370af2d4395e40d18319e3d2b9ba513cda95c8d728e01a017dd652dec6cc8677efc8468f3703880a0f2205707186895b0ecb61099e571ce149c5e61c8a9c310158e (18) State = 0xbb30d846bd38c1e8d4ac4e5dffc91c7d (18) Aruba-Essid-Name = "wtf" (18) Aruba-Location-Id = "Building-A" (18) Aruba-AP-Group = "Cluster" (18) Message-Authenticator = 0x828d76d65586579076d531392c3accd6 (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 8 length 97 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0xee7e375dee762d2c (18) eap: Finished EAP session with state 0xbb30d846bd38c1e8 (18) eap: Previous EAP request found for state 0xbb30d846bd38c1e8, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: [eaptls verify] = ok (18) eap_peap: Done initial handshake (18) eap_peap: [eaptls process] = ok (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state phase2 (18) eap_peap: EAP method MSCHAPv2 (26) (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) eap_peap: Setting User-Name to testing (18) eap_peap: Sending tunneled request to inner-tunnel (18) eap_peap: EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "testing" (18) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (18) Virtual server inner-tunnel received request (18) EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "testing" (18) State = 0xee7e375dee762d2c9ed555c269b92565 (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server inner-tunnel { (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [chap] = noop (18) [mschap] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) update control { (18) &Proxy-To-Realm := LOCAL (18) } # update control = noop (18) eap: Peer sent EAP Response (code 2) ID 8 length 66 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) files: users: Matched entry testing at line 1 (18) [files] = ok (18) [expiration] = noop (18) [logintime] = noop (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) authenticate { (18) eap: Expiring EAP session with state 0xee7e375dee762d2c (18) eap: Finished EAP session with state 0xee7e375dee762d2c (18) eap: Previous EAP request found for state 0xee7e375dee762d2c, released from the list (18) eap: Peer sent packet with method EAP MSCHAPv2 (26) (18) eap: Calling submodule eap_mschapv2 to process data (18) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) eap_mschapv2: authenticate { (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: testing (18) mschap: Client is using MS-CHAPv2 (18) mschap: Adding MS-CHAPv2 MPPE keys (18) [mschap] = ok (18) } # authenticate = ok (18) MSCHAP Success (18) eap: Sending EAP Request (code 1) ID 9 length 51 (18) eap: EAP session adding &reply:State = 0xee7e375def772d2c (18) [eap] = handled (18) } # authenticate = handled (18) } # server inner-tunnel (18) Virtual server sending reply (18) EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled reply code 11 (18) eap_peap: EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled reply RADIUS code 11 (18) eap_peap: EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled Access-Challenge (18) eap: Sending EAP Request (code 1) ID 9 length 82 (18) eap: EAP session adding &reply:State = 0xbb30d846bc39c1e8 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) Sent Access-Challenge Id 251 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (18) EAP-Message = 0x01090052190017030300474201276eba70648fc8e92f391280d5fe3c398af80b47b9c5e66793fc7999a5cbd618c8f37c5c1b7142f79c39782f0cda89c8c5f308c8fcc2101e943996179e0d1066c184925566 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0xbb30d846bc39c1e8d4ac4e5dffc91c7d (18) Finished request Waking up in 4.7 seconds. (19) Received Access-Request Id 252 from 10.225.251.10:52377 to 172.16.2.4:1812 length 230 (19) User-Name = "testing" (19) NAS-IP-Address = 10.225.251.10 (19) NAS-Port = 0 (19) NAS-Identifier = "172.16.6.62" (19) NAS-Port-Type = Wireless-802.11 (19) Calling-Station-Id = "06ad2e0b874b" (19) Called-Station-Id = "removed" (19) Service-Type = Login-User (19) Framed-MTU = 1100 (19) EAP-Message = 0x020900251900170303001a00000000000000034ab686ec9309d5efe6560664c3957f46370b (19) State = 0xbb30d846bc39c1e8d4ac4e5dffc91c7d (19) Aruba-Essid-Name = "wtf" (19) Aruba-Location-Id = "Building-A" (19) Aruba-AP-Group = "Cluster" (19) Message-Authenticator = 0x2198a78e45accbd8224cc6014c7db134 (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 9 length 37 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0xee7e375def772d2c (19) eap: Finished EAP session with state 0xbb30d846bc39c1e8 (19) eap: Previous EAP request found for state 0xbb30d846bc39c1e8, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state phase2 (19) eap_peap: EAP method MSCHAPv2 (26) (19) eap_peap: Got tunneled request (19) eap_peap: EAP-Message = 0x020900061a03 (19) eap_peap: Setting User-Name to testing (19) eap_peap: Sending tunneled request to inner-tunnel (19) eap_peap: EAP-Message = 0x020900061a03 (19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (19) eap_peap: User-Name = "testing" (19) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (19) Virtual server inner-tunnel received request (19) EAP-Message = 0x020900061a03 (19) FreeRADIUS-Proxied-To = 127.0.0.1 (19) User-Name = "testing" (19) State = 0xee7e375def772d2c9ed555c269b92565 (19) WARNING: Outer and inner identities are the same. User privacy is compromised. (19) server inner-tunnel { (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [chap] = noop (19) [mschap] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) update control { (19) &Proxy-To-Realm := LOCAL (19) } # update control = noop (19) eap: Peer sent EAP Response (code 2) ID 9 length 6 (19) eap: No EAP Start, assuming it's an on-going EAP conversation (19) [eap] = updated (19) files: users: Matched entry testing at line 1 (19) [files] = ok (19) [expiration] = noop (19) [logintime] = noop (19) pap: WARNING: Auth-Type already set. Not setting to PAP (19) [pap] = noop (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) authenticate { (19) eap: Expiring EAP session with state 0xee7e375def772d2c (19) eap: Finished EAP session with state 0xee7e375def772d2c (19) eap: Previous EAP request found for state 0xee7e375def772d2c, released from the list (19) eap: Peer sent packet with method EAP MSCHAPv2 (26) (19) eap: Calling submodule eap_mschapv2 to process data (19) eap: Sending EAP Success (code 3) ID 9 length 4 (19) eap: Freeing handler (19) [eap] = ok (19) } # authenticate = ok (19) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) post-auth { (19) if (1) { (19) if (1) -> TRUE (19) if (1) { (19) update reply { (19) User-Name !* ANY (19) Message-Authenticator !* ANY (19) EAP-Message !* ANY (19) Proxy-State !* ANY (19) MS-MPPE-Encryption-Types !* ANY (19) MS-MPPE-Encryption-Policy !* ANY (19) MS-MPPE-Send-Key !* ANY (19) MS-MPPE-Recv-Key !* ANY (19) } # update reply = noop (19) update { (19) No attributes updated (19) } # update = noop (19) } # if (1) = noop (19) } # post-auth = noop (19) } # server inner-tunnel (19) Virtual server sending reply (19) eap_peap: Got tunneled reply code 2 (19) eap_peap: Got tunneled reply RADIUS code 2 (19) eap_peap: Tunneled authentication was successful (19) eap_peap: SUCCESS (19) eap: Sending EAP Request (code 1) ID 10 length 46 (19) eap: EAP session adding &reply:State = 0xbb30d846b33ac1e8 (19) [eap] = handled (19) } # authenticate = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) Sent Access-Challenge Id 252 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (19) EAP-Message = 0x010a002e190017030300234201276eba7064902d47ab407d6aea6dee89c758ae90760829c985d2bffc780063b0d8 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0xbb30d846b33ac1e8d4ac4e5dffc91c7d (19) Finished request Waking up in 4.6 seconds. (20) Received Access-Request Id 253 from 10.225.251.10:52377 to 172.16.2.4:1812 length 239 (20) User-Name = "testing" (20) NAS-IP-Address = 10.225.251.10 (20) NAS-Port = 0 (20) NAS-Identifier = "172.16.6.62" (20) NAS-Port-Type = Wireless-802.11 (20) Calling-Station-Id = "06ad2e0b874b" (20) Called-Station-Id = "removed" (20) Service-Type = Login-User (20) Framed-MTU = 1100 (20) EAP-Message = 0x020a002e190017030300230000000000000004e58fb57b705b3663b5b6addcd7d8a8d04dc22802a8dfe380422c66 (20) State = 0xbb30d846b33ac1e8d4ac4e5dffc91c7d (20) Aruba-Essid-Name = "wtf" (20) Aruba-Location-Id = "Building-A" (20) Aruba-AP-Group = "Cluster" (20) Message-Authenticator = 0xc49072610d2b6fb631f2905d88ae6abf (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "testing", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 10 length 46 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0xbb30d846b33ac1e8 (20) eap: Finished EAP session with state 0xbb30d846b33ac1e8 (20) eap: Previous EAP request found for state 0xbb30d846b33ac1e8, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: [eaptls verify] = ok (20) eap_peap: Done initial handshake (20) eap_peap: [eaptls process] = ok (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state send tlv success (20) eap_peap: Received EAP-TLV response (20) eap_peap: Success (20) eap: Sending EAP Success (code 3) ID 10 length 4 (20) eap: Freeing handler (20) [eap] = ok (20) } # authenticate = ok (20) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (20) post-auth { (20) update { (20) No attributes updated (20) } # update = noop (20) [exec] = noop (20) policy remove_reply_message_if_eap { (20) if (&reply:EAP-Message && &reply:Reply-Message) { (20) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (20) else { (20) [noop] = noop (20) } # else = noop (20) } # policy remove_reply_message_if_eap = noop (20) } # post-auth = noop (20) Sent Access-Accept Id 253 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (20) MS-MPPE-Recv-Key = 0x8283e35b99b7b882bd65c95ec9192f5cecdda69b747efeebc9a46e2e9116023c (20) MS-MPPE-Send-Key = 0xee65f3c0cb02806b88fb67d9496cf06c4a4834e6e2e4c6dcb2fa2d92d7db171f (20) EAP-Message = 0x030a0004 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) User-Name = "testing" (20) Finished request Waking up in 4.6 seconds. (21) Received Accounting-Request Id 254 from 10.225.251.10:52377 to 172.16.2.4:1813 length 218 (21) Acct-Status-Type = Start (21) NAS-IP-Address = 10.225.251.10 (21) User-Name = "testing" (21) NAS-Port = 0 (21) NAS-Port-Type = Wireless-802.11 (21) Calling-Station-Id = "06ad2e0b874b" (21) Called-Station-Id = "removed" (21) Framed-IP-Address = 10.225.251.60 (21) Acct-Multi-Session-Id = "06AD2E0B874B-1679732048" (21) Acct-Session-Id = "F05C1986E387-06AD2E0B874B-641EAD51-695AE" (21) Acct-Delay-Time = 0 (21) Aruba-Essid-Name = "wtf" (21) Aruba-Location-Id = "Building-A" (21) Aruba-User-Vlan = 51 (21) Acct-Authentic = 0 (21) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (21) preacct { (21) [preprocess] = ok (21) policy acct_unique { (21) update request { (21) &Tmp-String-9 := "ai:" (21) } # update request = noop (21) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (21) EXPAND %{hex:&Class} (21) --> (21) EXPAND ^%{hex:&Tmp-String-9} (21) --> ^61693a (21) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (21) else { (21) update request { (21) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (21) --> 972d51b6ddd250023babc6265b81f320 (21) &Acct-Unique-Session-Id := 972d51b6ddd250023babc6265b81f320 (21) } # update request = noop (21) } # else = noop (21) } # policy acct_unique = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "testing", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) [files] = noop (21) } # preacct = ok (21) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (21) accounting { (21) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (21) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (21) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (21) detail: EXPAND %t (21) detail: --> Sat Mar 25 13:44:09 2023 (21) [detail] = ok (21) [unix] = ok (21) [exec] = noop (21) attr_filter.accounting_response: EXPAND %{User-Name} (21) attr_filter.accounting_response: --> testing (21) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (21) [attr_filter.accounting_response] = updated (21) } # accounting = updated (21) Sent Accounting-Response Id 254 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (21) Finished request (21) Cleaning up request packet ID 254 with timestamp +63 Waking up in 4.6 seconds. (11) Cleaning up request packet ID 244 with timestamp +63 (12) Cleaning up request packet ID 245 with timestamp +63 (13) Cleaning up request packet ID 246 with timestamp +63 (14) Cleaning up request packet ID 247 with timestamp +63 (15) Cleaning up request packet ID 248 with timestamp +63 (16) Cleaning up request packet ID 249 with timestamp +63 (17) Cleaning up request packet ID 250 with timestamp +63 (18) Cleaning up request packet ID 251 with timestamp +63 (19) Cleaning up request packet ID 252 with timestamp +63 (20) Cleaning up request packet ID 253 with timestamp +63 Ready to process requests (22) Received Accounting-Request Id 255 from 10.225.251.10:52377 to 172.16.2.4:1813 length 242 (22) Acct-Status-Type = Interim-Update (22) NAS-IP-Address = 10.225.251.10 (22) User-Name = "testing" (22) NAS-Port = 0 (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "0cf346e648f3" (22) Called-Station-Id = "removed" (22) Framed-IP-Address = 10.225.251.61 (22) Acct-Multi-Session-Id = "0CF346E648F3-1679732014" (22) Acct-Session-Id = "F05C1986E387-0CF346E648F3-641EAD2F-9DA8F" (22) Acct-Delay-Time = 0 (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-User-Vlan = 51 (22) Acct-Input-Octets = 40285 (22) Acct-Output-Octets = 5625 (22) Acct-Input-Packets = 370 (22) Acct-Output-Packets = 31 (22) Acct-Session-Time = 51 (22) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (22) preacct { (22) [preprocess] = ok (22) policy acct_unique { (22) update request { (22) &Tmp-String-9 := "ai:" (22) } # update request = noop (22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (22) EXPAND %{hex:&Class} (22) --> (22) EXPAND ^%{hex:&Tmp-String-9} (22) --> ^61693a (22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (22) else { (22) update request { (22) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (22) --> f50bcba9a953cd64b2995ff219b0e0bc (22) &Acct-Unique-Session-Id := f50bcba9a953cd64b2995ff219b0e0bc (22) } # update request = noop (22) } # else = noop (22) } # policy acct_unique = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) [files] = noop (22) } # preacct = ok (22) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (22) accounting { (22) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (22) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (22) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (22) detail: EXPAND %t (22) detail: --> Sat Mar 25 13:44:26 2023 (22) [detail] = ok (22) [unix] = noop (22) [exec] = noop (22) attr_filter.accounting_response: EXPAND %{User-Name} (22) attr_filter.accounting_response: --> testing (22) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (22) [attr_filter.accounting_response] = updated (22) } # accounting = updated (22) Sent Accounting-Response Id 255 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (22) Finished request (22) Cleaning up request packet ID 255 with timestamp +80 Ready to process requests (23) Received Accounting-Request Id 1 from 10.225.251.10:52377 to 172.16.2.4:1813 length 242 (23) Acct-Status-Type = Interim-Update (23) NAS-IP-Address = 10.225.251.10 (23) User-Name = "testing" (23) NAS-Port = 0 (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "06ad2e0b874b" (23) Called-Station-Id = "removed" (23) Framed-IP-Address = 10.225.251.60 (23) Acct-Multi-Session-Id = "06AD2E0B874B-1679732048" (23) Acct-Session-Id = "F05C1986E387-06AD2E0B874B-641EAD51-695AE" (23) Acct-Delay-Time = 0 (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-User-Vlan = 51 (23) Acct-Input-Octets = 13616 (23) Acct-Output-Octets = 2231 (23) Acct-Input-Packets = 403 (23) Acct-Output-Packets = 14 (23) Acct-Session-Time = 18 (23) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (23) preacct { (23) [preprocess] = ok (23) policy acct_unique { (23) update request { (23) &Tmp-String-9 := "ai:" (23) } # update request = noop (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (23) EXPAND %{hex:&Class} (23) --> (23) EXPAND ^%{hex:&Tmp-String-9} (23) --> ^61693a (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (23) else { (23) update request { (23) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (23) --> 972d51b6ddd250023babc6265b81f320 (23) &Acct-Unique-Session-Id := 972d51b6ddd250023babc6265b81f320 (23) } # update request = noop (23) } # else = noop (23) } # policy acct_unique = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) [files] = noop (23) } # preacct = ok (23) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (23) accounting { (23) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (23) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (23) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (23) detail: EXPAND %t (23) detail: --> Sat Mar 25 13:44:26 2023 (23) [detail] = ok (23) [unix] = noop (23) [exec] = noop (23) attr_filter.accounting_response: EXPAND %{User-Name} (23) attr_filter.accounting_response: --> testing (23) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (23) [attr_filter.accounting_response] = updated (23) } # accounting = updated (23) Sent Accounting-Response Id 1 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (23) Finished request (23) Cleaning up request packet ID 1 with timestamp +80 Ready to process requests On Wednesday, 22 March, 2023, 09:25:13 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Mar 22, 2023, at 11:44 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?.
If that's where you want to put MAC addresses, yes.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Is it not possible to grab Calling-Station-Id from Access-Request and check against db ?.
That's not what I said.
Somewhere i read additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP / SLIP ?.
No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html