(1) Received Access-Request Id 119 from 192.168.17.20:41064 to 192.168.16.111:1812 length 320 (1) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (1) Acct-Session-Id = "ee3ffee4-000054cb" (1) NAS-Port = 17276 (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Identifier = "SSO Wireless" (1) NAS-IP-Address = 192.168.17.100 (1) Framed-MTU = 1496 (1) User-Name = "" (1) Calling-Station-Id = "E8-50-8B-47-D5-3E" (1) Called-Station-Id = "D8-9D-67-4E-87-C6" (1) Service-Type = Framed-User (1) EAP-Message = 0x0280000b016e74726f6e65 (1) Colubris-AVPair = "ssid=Weefee" (1) Colubris-AVPair = "incoming-vlan-id=10" (1) Colubris-AVPair = "group=" (1) Colubris-AVPair = "phytype=IEEE802dot11n" (1) Attr-26.8744.250 = 0x00000001 (1) Attr-26.8744.249 = 0x0a0b6f51 (1) Message-Authenticator = 0x8b5772d01566963b72b17fcb965cff2c (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 128 length 11 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Peer sent packet with method EAP Identity (1) (1) eap: Calling submodule eap_md5 to process data (1) eap_md5: Issuing MD5 Challenge (1) eap: Sending EAP Request (code 1) ID 129 length 22 (1) eap: EAP session adding &reply:State = 0x72a278e872237c3d (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 119 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (1) EAP-Message = 0x018100160410820ecc5f6973abd1ce25641db0c0283c (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x72a278e872237c3d1ffaa038e8b9e01d (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 18 from 192.168.17.20:41064 to 192.168.16.111:1812 length 333 (2) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (2) Acct-Session-Id = "ee3ffee4-000054cb" (2) NAS-Port = 17276 (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Identifier = "SSO Wireless" (2) NAS-IP-Address = 192.168.17.100 (2) Framed-MTU = 1496 (2) User-Name = "" (2) Calling-Station-Id = "E8-50-8B-47-D5-3E" (2) Called-Station-Id = "D8-9D-67-4E-87-C6" (2) Service-Type = Framed-User (2) EAP-Message = 0x028100060315 (2) State = 0x72a278e872237c3d1ffaa038e8b9e01d (2) Colubris-AVPair = "ssid=Weefee" (2) Colubris-AVPair = "incoming-vlan-id=10" (2) Colubris-AVPair = "group=" (2) Colubris-AVPair = "phytype=IEEE802dot11n" (2) Attr-26.8744.250 = 0x00000001 (2) Attr-26.8744.249 = 0x0a0b6f51 (2) Message-Authenticator = 0x80bc5798f8c41f1a0da53e96ba944ca4 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 129 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 587 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 586 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 585 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=) (2) ldap: Performing search in "dc=,dc=" with filter "(uid=)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: User object found at DN "uid=,ou=IT,ou=Users,dc=,dc=" (2) ldap: Processing user attributes (2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (8) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (2) [ldap] = ok (2) if ((ok || updated) && User-Password) { (2) if ((ok || updated) && User-Password) -> FALSE (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x72a278e872237c3d (2) eap: Finished EAP session with state 0x72a278e872237c3d (2) eap: Previous EAP request found for state 0x72a278e872237c3d, released from the list (2) eap: Peer sent packet with method EAP NAK (3) (2) eap: Found mutually acceptable type TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Initiating new EAP-TLS session (2) eap_ttls: [eaptls start] = request (2) eap: Sending EAP Request (code 1) ID 130 length 6 (2) eap: EAP session adding &reply:State = 0x72a278e873206d3d (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 18 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (2) EAP-Message = 0x018200061520 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x72a278e873206d3d1ffaa038e8b9e01d (2) Finished request Waking up in 3.7 seconds. (3) Received Access-Request Id 51 from 192.168.17.20:41064 to 192.168.16.111:1812 length 498 (3) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (3) Acct-Session-Id = "ee3ffee4-000054cb" (3) NAS-Port = 17276 (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Identifier = "SSO Wireless" (3) NAS-IP-Address = 192.168.17.100 (3) Framed-MTU = 1496 (3) User-Name = "" (3) Calling-Station-Id = "E8-50-8B-47-D5-3E" (3) Called-Station-Id = "D8-9D-67-4E-87-C6" (3) Service-Type = Framed-User (3) EAP-Message = 0x028200ab150016030100a00100009c03037f87860ec543e77362f2da8c38e7036f000a3b966289a49fd900c0b92bdc1a5200003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff (3) State = 0x72a278e873206d3d1ffaa038e8b9e01d (3) Colubris-AVPair = "ssid=Weefee" (3) Colubris-AVPair = "incoming-vlan-id=10" (3) Colubris-AVPair = "group=" (3) Colubris-AVPair = "phytype=IEEE802dot11n" (3) Attr-26.8744.250 = 0x00000001 (3) Attr-26.8744.249 = 0x0a0b6f51 (3) Message-Authenticator = 0x9f8108a448b008f838708553495c1c06 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 130 length 171 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x72a278e873206d3d (3) eap: Finished EAP session with state 0x72a278e873206d3d (3) eap: Previous EAP request found for state 0x72a278e873206d3d, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: [eaptls verify] = ok (3) eap_ttls: Done initial handshake (3) eap_ttls: (other): before SSL initialization (3) eap_ttls: TLS_accept: before SSL initialization (3) eap_ttls: TLS_accept: before SSL initialization (3) eap_ttls: <<< recv TLS 1.2 [length 00a0] (3) eap_ttls: TLS_accept: SSLv3/TLS read client hello (3) eap_ttls: >>> send TLS 1.2 [length 003d] (3) eap_ttls: TLS_accept: SSLv3/TLS write server hello (3) eap_ttls: >>> send TLS 1.2 [length 0836] (3) eap_ttls: TLS_accept: SSLv3/TLS write certificate (3) eap_ttls: >>> send TLS 1.2 [length 014d] (3) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (3) eap_ttls: >>> send TLS 1.2 [length 0004] (3) eap_ttls: TLS_accept: SSLv3/TLS write server done (3) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (3) eap_ttls: In SSL Handshake Phase (3) eap_ttls: In SSL Accept mode (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 131 length 1004 (3) eap: EAP session adding &reply:State = 0x72a278e870216d3d (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 51 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (3) EAP-Message = 0x018303ec15c0000009d8160303003d0200003903032e161698e648eb84595a77f9ec45fed2b0b3aa3f0b3da6c3c2f3ed4f60cda8db00c030000011ff01000100000b0004030001020017000016030308360b00083200082f0003a33082039f30820287a003020102020101300d06092a864886f70d0101 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x72a278e870216d3d1ffaa038e8b9e01d (3) Finished request Waking up in 3.7 seconds. (4) Received Access-Request Id 70 from 192.168.17.20:41064 to 192.168.16.111:1812 length 333 (4) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (4) Acct-Session-Id = "ee3ffee4-000054cb" (4) NAS-Port = 17276 (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Identifier = "SSO Wireless" (4) NAS-IP-Address = 192.168.17.100 (4) Framed-MTU = 1496 (4) User-Name = "" (4) Calling-Station-Id = "E8-50-8B-47-D5-3E" (4) Called-Station-Id = "D8-9D-67-4E-87-C6" (4) Service-Type = Framed-User (4) EAP-Message = 0x028300061500 (4) State = 0x72a278e870216d3d1ffaa038e8b9e01d (4) Colubris-AVPair = "ssid=Weefee" (4) Colubris-AVPair = "incoming-vlan-id=10" (4) Colubris-AVPair = "group=" (4) Colubris-AVPair = "phytype=IEEE802dot11n" (4) Attr-26.8744.250 = 0x00000001 (4) Attr-26.8744.249 = 0x0a0b6f51 (4) Message-Authenticator = 0x3a3cce991647a6aaee6fd2ca9d17501d (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 131 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x72a278e870216d3d (4) eap: Finished EAP session with state 0x72a278e870216d3d (4) eap: Previous EAP request found for state 0x72a278e870216d3d, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: Peer ACKed our handshake fragment (4) eap_ttls: [eaptls verify] = request (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 132 length 1004 (4) eap: EAP session adding &reply:State = 0x72a278e871266d3d (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 70 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (4) EAP-Message = 0x018403ec15c0000009d8862485855a324333242108341281d922a03f000486308204823082036aa003020102020900d69fb1aac1610490300d06092a864886f70d01010b05003074310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d657768 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x72a278e871266d3d1ffaa038e8b9e01d (4) Finished request Waking up in 3.7 seconds. (5) Received Access-Request Id 184 from 192.168.17.20:41064 to 192.168.16.111:1812 length 333 (5) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (5) Acct-Session-Id = "ee3ffee4-000054cb" (5) NAS-Port = 17276 (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Identifier = "SSO Wireless" (5) NAS-IP-Address = 192.168.17.100 (5) Framed-MTU = 1496 (5) User-Name = "" (5) Calling-Station-Id = "E8-50-8B-47-D5-3E" (5) Called-Station-Id = "D8-9D-67-4E-87-C6" (5) Service-Type = Framed-User (5) EAP-Message = 0x028400061500 (5) State = 0x72a278e871266d3d1ffaa038e8b9e01d (5) Colubris-AVPair = "ssid=Weefee" (5) Colubris-AVPair = "incoming-vlan-id=10" (5) Colubris-AVPair = "group=" (5) Colubris-AVPair = "phytype=IEEE802dot11n" (5) Attr-26.8744.250 = 0x00000001 (5) Attr-26.8744.249 = 0x0a0b6f51 (5) Message-Authenticator = 0x3cd7961bf49a4bbf7ea78fb9b9c0f75c (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 132 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x72a278e871266d3d (5) eap: Finished EAP session with state 0x72a278e871266d3d (5) eap: Previous EAP request found for state 0x72a278e871266d3d, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: Peer ACKed our handshake fragment (5) eap_ttls: [eaptls verify] = request (5) eap_ttls: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 133 length 542 (5) eap: EAP session adding &reply:State = 0x72a278e876276d3d (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 184 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (5) EAP-Message = 0x0185021e1580000009d8bc758a293755c9377b75cd7effbab806577281491f89078215beece00682cfda8731b8869d89283ec5f2a1df48169104a277a9be7803aa8fb26a2d479c04ff8f54ab234b55803f8d272f4b013e91b32f711fd4f226eece6c01508ec36c7f11c668e0cbd3511d66e02af0bb2875 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x72a278e876276d3d1ffaa038e8b9e01d (5) Finished request Waking up in 3.7 seconds. (6) Received Access-Request Id 167 from 192.168.17.20:41064 to 192.168.16.111:1812 length 459 (6) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (6) Acct-Session-Id = "ee3ffee4-000054cb" (6) NAS-Port = 17276 (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Identifier = "SSO Wireless" (6) NAS-IP-Address = 192.168.17.100 (6) Framed-MTU = 1496 (6) User-Name = "" (6) Calling-Station-Id = "E8-50-8B-47-D5-3E" (6) Called-Station-Id = "D8-9D-67-4E-87-C6" (6) Service-Type = Framed-User (6) EAP-Message = 0x02850084150016030300461000004241044791ff947ad28327af6b438e98178feed47c40515f74d1363f4d16abad6b436c0570c2e187ad7a1a008b0e26c13a89b87aee42bb16e80e334676ab8cea4690a614030300010116030300280000000000000000211b36e01de3c0c52ee09a7a52632e6c97b0d3 (6) State = 0x72a278e876276d3d1ffaa038e8b9e01d (6) Colubris-AVPair = "ssid=Weefee" (6) Colubris-AVPair = "incoming-vlan-id=10" (6) Colubris-AVPair = "group=" (6) Colubris-AVPair = "phytype=IEEE802dot11n" (6) Attr-26.8744.250 = 0x00000001 (6) Attr-26.8744.249 = 0x0a0b6f51 (6) Message-Authenticator = 0xb0237df6c958cc6c4cfa9ecf1dc8c53f (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 133 length 132 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x72a278e876276d3d (6) eap: Finished EAP session with state 0x72a278e876276d3d (6) eap: Previous EAP request found for state 0x72a278e876276d3d, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: [eaptls verify] = ok (6) eap_ttls: Done initial handshake (6) eap_ttls: TLS_accept: SSLv3/TLS write server done (6) eap_ttls: <<< recv TLS 1.2 [length 0046] (6) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (6) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_ttls: <<< recv TLS 1.2 [length 0010] (6) eap_ttls: TLS_accept: SSLv3/TLS read finished (6) eap_ttls: >>> send TLS 1.2 [length 0001] (6) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_ttls: >>> send TLS 1.2 [length 0010] (6) eap_ttls: TLS_accept: SSLv3/TLS write finished (6) eap_ttls: (other): SSL negotiation finished successfully (6) eap_ttls: SSL Connection Established (6) eap_ttls: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 134 length 61 (6) eap: EAP session adding &reply:State = 0x72a278e877246d3d (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 167 from 192.168.16.111:1812 to 192.168.17.20:41064 length 0 (6) EAP-Message = 0x0186003d158000000033140303000101160303002811eb728f3fe2ccafd699783d5a46342a3a1ee4d49b04f3a79a47f21e7b4a6bae035feb6fe8219508 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x72a278e877246d3d1ffaa038e8b9e01d (6) Finished request Waking up in 3.6 seconds. (7) Received Access-Request Id 101 from 192.168.17.20:41064 to 192.168.16.111:1812 length 402 (7) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-E8-50-8B-47-D5-3E-5C-95-22-FC-00-03-53-F6" (7) Acct-Session-Id = "ee3ffee4-000054cb" (7) NAS-Port = 17276 (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Identifier = "SSO Wireless" (7) NAS-IP-Address = 192.168.17.100 (7) Framed-MTU = 1496 (7) User-Name = "" (7) Calling-Station-Id = "E8-50-8B-47-D5-3E" (7) Called-Station-Id = "D8-9D-67-4E-87-C6" (7) Service-Type = Framed-User (7) EAP-Message = 0x0286004b150017030300400000000000000001afa305b09bffc9f1703357817529b8d64f53a78cbf94739f0941caf63bc31a7c576cac9362b14492c9f9e33926149ba6615e4d6d63ef28cc (7) State = 0x72a278e877246d3d1ffaa038e8b9e01d (7) Colubris-AVPair = "ssid=Weefee" (7) Colubris-AVPair = "incoming-vlan-id=10" (7) Colubris-AVPair = "group=" (7) Colubris-AVPair = "phytype=IEEE802dot11n" (7) Attr-26.8744.250 = 0x00000001 (7) Attr-26.8744.249 = 0x0a0b6f51 (7) Message-Authenticator = 0xfd2469a7e7988f9f46ed4f15b4f3cd7f (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 134 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x72a278e877246d3d (7) eap: Finished EAP session with state 0x72a278e877246d3d (7) eap: Previous EAP request found for state 0x72a278e877246d3d, released from the list (7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: Continuing EAP-TLS (7) eap_ttls: [eaptls verify] = ok (7) eap_ttls: Done initial handshake (7) eap_ttls: [eaptls process] = ok (7) eap_ttls: Session established. Proceeding to decode tunneled attributes (7) eap_ttls: Got tunneled request (7) eap_ttls: User-Name = "" (7) eap_ttls: User-Password = "" (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_ttls: Sending tunneled request (7) Virtual server inner-tunnel received request (7) User-Name = "" (7) User-Password = "" (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: No EAP-Message, not doing EAP (7) [eap] = noop (7) [files] = noop rlm_ldap (ldap): Reserved connection (8) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=) (7) ldap: Performing search in "dc=,dc=" with filter "(uid=)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "uid=,ou=IT,ou=Users,dc=,dc=" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (8) Need 1 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (10), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = ok (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) eap_ttls: Got tunneled Access-Reject (7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 134 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 101 from 192.168.16.111:1812 to 192.168.17.20:41064 length 44 (7) EAP-Message = 0x04860004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.0 seconds. (1) Cleaning up request packet ID 119 with timestamp +925 Waking up in 1.2 seconds. (2) Cleaning up request packet ID 18 with timestamp +925 (3) Cleaning up request packet ID 51 with timestamp +926 (4) Cleaning up request packet ID 70 with timestamp +926 (5) Cleaning up request packet ID 184 with timestamp +926 (6) Cleaning up request packet ID 167 with timestamp +926 Waking up in 0.6 seconds.