Hi Phil! do you need something additional from me? Thx, Robert -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+robert.penz=tirol.gv.at@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv.at@lists.freeradius.org] Im Auftrag von PENZ Robert Gesendet: Dienstag, 28. Mai 2013 17:50 An: FreeRadius users mailing list Betreff: AW: AW: Override EAP invalid result in authentication section
You can't do that. EAP is a challenge-response protocol; you can't force it to "succeed" - the remote peer will think it failed and drop the link.
ok, so I can't succeed with the NAK stuff. I understand that now. But if the last step (the verification of the CRL with the verify { client} directive fails or the certificate is expired) the challenge-response is at its end. At this point the switch gets an Accept or Reject. I only want to fail soft to get the PC into a remediation network.
What you want to do isn't possible in general. Instead, you need to look into "auth failed VLAN" support on your network equipment - this generally only works for wired connections though.
I'm using the "auth failed VLAN", its for guests (= MAC addresses that are not in the DB). But I don't want e.g. company notebooks which were too long not in the network (certificate expired, ...) to fail into the guest network, because then I can't bring the client back to full compliance automatically.
Also, please stop posting partial debugs with the wrong options; it's "radiusd -X" and a full debug. The timestamps are just noise, and you've removed most of the debug so it's not possible to infer the full auth processing and offer you more specific advice.
sorry I wanted to get more output with the additional -xx, and wanted to past only the relevant part of the config so you don't need to look at the full config. Here is the full current config + log: # /usr/sbin/radiusd -d /etc/raddb -X FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Sep 24 2012 at 17:14:11 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/dvtlocal.conf including configuration file /etc/raddb/proxy.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/local including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/xxxxxx.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 768000 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/xxxxxx.tirol.local.pem" certificate_file = "/etc/raddb/certs/xxxxxx.tirol.local.pem" CA_file = "/etc/raddb/certs/xxxxxx.pem" private_key_password = "xxxxxx" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { tmpdir = "/var/tmp/radiusd" client = "/usr/local/sbin/clrtest/ /etc/raddb/certs/.temp/ %{TLS-Client-Cert-Filename}" # deliberately error to provoke fail } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/raddb/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Instantiating module "ok" from file /etc/raddb/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Loading virtual module rewrite.calling_station_id Module: Instantiating module "noop" from file /etc/raddb/modules/always always noop { rcode = "noop" simulcount = 0 mpp = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "3306" login = "xxxxxx" password = "xxxxxx" radius_db = "xxxxxx" read_groups = no sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{Calling-Station-Id}" default_user_profile = "" nas_query = xxxxxx authorize_check_query = xxxxxx authorize_reply_query = xxxxxx authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to xxxxxx@localhost:3306/xxxxxx rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT stacksseq, mgntip, stackname, "Switch", secret FROM tstacks rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Read entry nasname=xxxxxx,shortname=xxxxxx,secret=xxxxxx ... rlm_sql (sql): Released sql socket id: 4 Module: Loading virtual module do_not_respond Module: Instantiating module "reject" from file /etc/raddb/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_sql_log Module: Instantiating module "sql_log" from file /etc/raddb/modules/sql_log sql_log { path = "/var/log/radius/radacct/sql-relay" Post-Auth = xxxxxxxx sql_user_name = "%{%{User-Name}:-DEFAULT}" utf8 = yes safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. # Only MAC Authentication rad_recv: Access-Request packet from host xxxxxx port 48570, id=45, length=101 User-Name = "xxxxxx" User-Password = "xxxxxx" NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: xxxxx [sql] User found in radcheck table [sql] expand: xxxxx rlm_sql (sql): Released sql socket id: 3 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> TRUE ++? if (!EAP-Message) -> TRUE ++- entering if (!EAP-Message) {...} +++[control] returns ok ++- if (!EAP-Message) returns ok ++ ... skipping else for request 0: Preceding "if" was taken Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [xxxxxx/xxxxxx] (from client xxxxxx port 1015 cli xxxxxx) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> xxxxxx [sql_log] expand: %{%{User-Name}:-DEFAULT} -> xxxxxx [sql_log] sql_set_user escaped user --> 'xxxxxx' [sql_log] expand: xxxxx [sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay ++[sql_log] returns ok Sending Access-Accept of id 45 to xxxxxx port 48570 Extreme-Netlogin-Extended-Vlan = "UvlanRemediation" Finished request 0. Going to the next request Waking up in 4.9 seconds. # EAP-TLS Request which fails deliberately at verify script rad_recv: Accounting-Request packet from host xxxxxx port 34903, id=97, length=115 Acct-Status-Type = Start User-Name = "xxxxxx" NAS-IP-Address = xxxxxx Acct-Session-Id = "Tue May 28, 2013 17:31:47" Service-Type = Login-User NAS-Port = 1015 NAS-Port-Type = Ethernet Tunnel-Private-Group-Id:0 = "1561" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Acct-Delay-Time = 0 # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1015,Client-IP-Address = xxxxxx,NAS-IP-Address = xxxxxx,Acct-Session-Id = "Tue May 28, 2013 17:31:47",User-Name = "xxxxxx"' [acct_unique] Acct-Unique-Session-ID = "566059eaf92291ca". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [sql_log] Processing sql_log_accounting [sql_log] expand: %{User-Name} -> xxxxxx [sql_log] expand: %{%{User-Name}:-DEFAULT} -> xxxxxx [sql_log] sql_set_user escaped user --> 'xxxxxx' [sql_log] expand: %{Acct-Delay-Time} -> 0 [sql_log] expand: xxxxxxxxx [sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay ++[sql_log] returns ok Sending Accounting-Response of id 97 to xxxxxx port 34903 Finished request 1. Cleaning up request 1 ID 97 with timestamp +6 Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=46, length=152 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x0273002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet Message-Authenticator = 0x469f68fbf45f1533243eb7eb71b01743 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 2: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: xxxxxxxxx [sql] User found in radcheck table [sql] expand: xxxxxxxxxx rlm_sql (sql): Released sql socket id: 2 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 115 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 46 to xxxxxx port 48570 EAP-Message = 0x017400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd4cb4b553bc1d190550109285 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=47, length=242 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027400690d800000005f160301005a01000056030151a4cde3d59f34ad73db249b135a4c0c929759d7c9d1b7ec86d074bbd4c7c21f000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd4cb4b553bc1d190550109285 Message-Authenticator = 0xac93cb6d0ec9e493ad777bf996f85fcc # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 3: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: xxxxxxxx [sql] User found in radcheck table [sql] expand: xxxxxxxx rlm_sql (sql): Released sql socket id: 1 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 116 length 105 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 95 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0bd7], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0060], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 47 to xxxxxx port 48570 EAP-Message = 0x017504000dc000000c7716030100310200002d030151a4cde3202752856258ca711aed70cdc673f06ec86a44b5cf72c2824bd28a7200002f000005ff010001001603010bd70b000bd3000bd00007133082070f308205f7a003020102020a6a4ecce40000000192a1300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3132303331343039303030345a170d3137303331333039303030345a3081a8310b3009060355040613024154310e300c06 EAP-Message = 0x0355040813055469726f6c3112301006035504071309496e6e73627275636b312a3028060355040a13214456542d446174656e2d566572617262656974756e672d5469726f6c20476d6248312a3028060355040b13214456542d446174656e2d566572617262656974756e672d5469726f6c20476d6248311d301b06035504031314766d6163617530312e7469726f6c2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100c3af2441653145945b95a4be7e0a1ff52300be4980b2791a9bfb11ebf212b77e434a698e28c3b1567b6860cba7209990b22c47ce0204c46768d3b1b6b87edbe38a0190d735e0 EAP-Message = 0xabb65e151efea8a09898e6bcf9ca6c3b2c247a7fed19f08988ff472b8cc1aee5e9f84edf94fbb4adcac25f37eb0b31d6c19286ff2e891f9a59632a58d42fce681de9100ba189c4717d7eb32d23a71f5a1535017f4073fb5cf536ac61f94d9a8631eec76fcbd90a2411c72ec00eb812ff1c550616121ab2c5f3281ae2a8345bf9da89bdd87bcc64961140bb99e64544f8800092429d68d78017b2c5d39d82aeae2b0cf5bc28fb47975725de26b8de8c5c608637657482d38133790203010001a38203913082038d300b0603551d0f0404030205a0301d0603551d0e04160414727a8ec35267a642744baeb1a6c67bb40d510234303c06092b0601040182 EAP-Message = 0x371507042f302d06252b060104018237150883e4ff7f82dcc104f1913085ddc64382eaa0205d83a0a22583a0a15d020164020109301f0603551d23041830168014f42d3cfb8c85acd11b38899741763faba6a125493082015c0603551d1f048201533082014f3082014ba0820147a08201438681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f636572746966696361 EAP-Message = 0x74655265766f636174696f6e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd4db5b553bc1d190550109285 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=48, length=143 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027500060d00 NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd4db5b553bc1d190550109285 Message-Authenticator = 0x780cd08f27fa930221e2e50e5224a558 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 4: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: xxxxxx [sql] User found in radcheck table [sql] expand: xxxxxx rlm_sql (sql): Released sql socket id: 0 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 117 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 48 to xxxxxx port 48570 EAP-Message = 0x017604000dc000000c774c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072697365253230526f6f7425323043412e63726c863d66696c653a2f2f5c5c63612e7469726f6c2e6c6f63616c5c43657274456e726f6c6c5c544c5220456e746572707269736520526f6f742043412e63726c3082015606082b0601050507010104820148308201443081bb06082b060105050730028681ae6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f EAP-Message = 0x7425323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479305c06082b060105050730018650687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f63612e7469726f6c2e6c6f63616c5f544c52253230456e7465727072697365253230526f6f7425323043412e637274302606082b06010505073001861a68747470 EAP-Message = 0x3a2f2f63612e7469726f6c2e6c6f63616c2f6f637370301d0603551d250416301406082b0601050507030206082b06010505070301302706092b060104018237150a041a3018300a06082b06010505070302300a06082b06010505070301300d06092a864886f70d010105050003820101003d09dba412217ff9f195dff3b2c0bcf275b1f5799fce6afac526ed38b5840decb746d984cf4859acb0ce996d0b5531489c06d51528d3190c58284a02a8e6288792864066239cc3deb7879ae6bc6253974ea9a96f0c4347875f999e48c139cbcca394eeec88d4e1fcff14e7b982f5d060f4e88e9809c0bf97b59a6e3e76f23b0af46eaba2a6290e6a7f25ab EAP-Message = 0x3d2f1ce80f22c198be073748dbf52aea27604d7e96c851409df39e14a537622dfe17af405cce9f7e11e081e79bc630b7b53bef30b4f78cab5f7aa48bbf0f5f7ef96a00263b94c7fe8c058e79d0fdc8be2caab2e431b167a0c7aef17ffd1e1aaf5015bb755f1e6ae1f4409d724779a399312b2bc4fb0004b7308204b33082039ba0030201020210008d4d5ae04328a34ed7943615edcfa8300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3035 EAP-Message = 0x303430353131353134365a17 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd4eb6b553bc1d190550109285 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=49, length=143 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027600060d00 NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd4eb6b553bc1d190550109285 Message-Authenticator = 0xf87e621dfa7f0b6cd5153d24919a4262 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 5: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: xxxxx [sql] User found in radcheck table [sql] expand: xxxxx rlm_sql (sql): Released sql socket id: 4 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 118 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 49 to xxxxxx port 48570 EAP-Message = 0x017704000dc000000c770d3235303430353132303032355a304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d74ea54dcaac05385372620935817bca181ca24f7b745a550d83a5d3a3b71c2c8cdc4193e7390ac4fa8b61c4154f9f64be8618bf2044324f14c4fcb60783b10989cfd11c5f0f237b283cdd1e20bda5d9eddaba43e2f3467c0de54940ab19ed0701dded9e46ca4dbb9dece84eed962b963cdcc8 EAP-Message = 0x751c54ce566150c42b7833be7f1a0d01a3c1c40232cd2d095881a8f10c7c12de5c336796b0b3c55a8ccaf90c5ad660e052032aa686f584fe71b5c2c1eee240d668e80b07883f62dcf24f0e466c9c1ed48c3c6e98cacbcb989c7ed20f50463baae477958761f5f835bce99ce04d23b8d4d6d02afeeb9fc80c147a2375c7bf37dc7d232174ec010ae3fbd1baa34b0203010001a382018930820185301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414f42d3cfb8c85acd11b38899741763faba6a125493082011d0603551d1f0482011430820110 EAP-Message = 0x3082010ca0820108a08201048681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072 EAP-Message = 0x697365253230526f6f7425323043412e63726c301006092b06010401823715010403020100300d06092a864886f70d01010505000382010100490680b41668ce244b8b08168253df143a496665e3f1f33e1e3374397f14e6bb02d4316f2df09f2df5e8d385a36e3f5c388a823028683d97a1c478df21f4e00e068a76c8c3b71e4a87c93d486bff815aaeec76acf495a330e245ba5d3c761fbd0052188b3fa1fe259e3040b8f6b0231447e118bff040a866a5c36569262820f5a3243e77aa6fbe68e1ef5d5e97f37e608ed539c1397df03f366f22f6c247b3539847c604f2f8aac960b4610006133035ff25f1593214ee556048ec358a1ffda0418a77b6 EAP-Message = 0x9d17e6bfbcad8d663f29d6ea Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd4fb7b553bc1d190550109285 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=50, length=143 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027700060d00 NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd4fb7b553bc1d190550109285 Message-Authenticator = 0x95829ba607a1a2c61d36d0c87642d49d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 6: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: xxxxx [sql] User found in radcheck table [sql] expand: xxxxx rlm_sql (sql): Released sql socket id: 3 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 119 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 50 to xxxxxx port 48570 EAP-Message = 0x0178009f0d8000000c77d31d2c5f00fcb5663f6a461a05f0c5267bad8b41424c61c850a6087361b97e6cfc469816ccf07c99b5b5591152702a7616030100600d00005802010200530051304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f742043410e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd48b8b553bc1d190550109285 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=51, length=1639 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027805d40dc0000007c816030107880b0005f80005f50005f2308205ee308204d6a003020102020a1dd5793c00000001fed8300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3133303232363132313030315a170d3134303232363132313030315a30223120301e060355040313174456542d334e31344e344a2e7469726f6c2e6c6f63616c30819f300d06092a864886f70d010101050003818d0030818902818100c5be2126aec1ff7b30e6 EAP-Message = 0x3c70bb6add171f925af3072ecf8cea28abb03d0aa04e6dac47c8612e2ea39bf4db8619566e09b6a48251c3254d80efa99abc420d41b3e71951a2d09132ca7fa88b0fb9b9da96828890454de107b16e27c780a9977e8bd456713b3b9488e259e0491089f3de389d60bffdba38fad7229947f523afe0970203010001a382037b30820377303c06092b0601040182371507042f302d06252b060104018237150883e4ff7f82dcc104f1913085ddc64382eaa0205d8687a30983d8cc4402016502010030130603551d25040c300a06082b06010505070302300b0603551d0f0404030205a0301b06092b060104018237150a040e300c300a06082b06010505 EAP-Message = 0x070302301d0603551d0e041604141195d3b08c1b1b258a8f4e60d3721337bb8b1740301f0603551d23041830168014f42d3cfb8c85acd11b38899741763faba6a125493082015c0603551d1f048201533082014f3082014ba0820147a08201438681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f62 EAP-Message = 0x6173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072697365253230526f6f7425323043412e63726c863d66696c653a2f2f5c5c63612e7469726f6c2e6c6f63616c5c43657274456e726f6c6c5c544c5220456e746572707269736520526f6f742043412e63726c3082015606082b0601050507010104820148308201443081bb06082b060105050730028681ae6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d4149412c434e EAP-Message = 0x3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479305c06082b060105050730018650687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f63612e7469726f6c2e6c6f63616c5f544c52253230456e7465727072697365253230526f6f7425323043412e637274302606082b06010505073001861a687474703a2f2f63612e7469726f6c2e6c6f6361 EAP-Message = 0x6c2f6f637370300d06092a864886f70d01010505000382010100bbd070c97f3cf36f66d6cf8e5c3ddbe8c1129b12f2db35b8e246f9e7a718d87edb4de95e0e323dd3da45512a3ecde36ba178893a24909cbe1c0996f53993e4f28687dace13ad57734e8ee04447e4a637d03785c9cb3674dfe3eec5154b055fcfcb4240544da028667c44046f96487fd481eac219354519b2d2eaaf6aa8e298eb547c7a41f559e4a63a828b0450f14461fb5b5c620c6f4d627d8472538de3af77eba65f019f67d2dbd606f842186e51688e23b006cefe79b5e4c38043cce95b48074a4efbc4e0ae2d86 NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd48b8b553bc1d190550109285 Message-Authenticator = 0xb0f9c303a89861c7febd447fbda87bee # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 7: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: xxxxxx [sql] User found in radcheck table [sql] expand: xxxxxx rlm_sql (sql): Released sql socket id: 2 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 120 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1992 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns handled +++- else else returns handled ++- else else returns handled Sending Access-Challenge of id 51 to xxxxxx port 48570 EAP-Message = 0x017900060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4cc0b8cd49b9b553bc1d190550109285 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host xxxxxx port 48570, id=52, length=657 User-Name = "host/xxxxxx.tirol.local" EAP-Message = 0x027902040d004048e02a79ebcd9e85ac6b426cb1cecc7c379052bb28a1c35065c9f7db85686f527185aa7ed6245c1ac179594aef391059086758d3b23f100001020100a87fe43fc47e3058ab6f8f7d26a9b1ee3d4c0191daa01a69c1ab8af666352aa5a2642f05fa0bae2eb354f3196fc745c766d098198686351b010b9dd143c63d1f3f9b67ebd274facb6c7fd44e167e8d06d8c3c8add4b24b7cae3384dd2c963ce1faf0582697430ad75fc2c8b20ae3430623bbccace6f42b8baa679dbf48ab1f68afcbd449e11a4b7539f914ae98d55fbaa59d80e3d6bc75a22e5390d70198ff446fc2a29bb07a9892285ad0c257806478e37af9a6663d9c01cfc9 EAP-Message = 0x8415bd1fd3adf2c80245e57d7db17392f73cd9b4e359bedfd060819201845b45e3a1c00853e59318bc79e322501a75e28a8d5bb8a9f2a163d4336a577e8459a45bbb782c09860f000082008091a8336a24f4705691940666e3e449b0adec4d6ac3e5783f4e11a18ec3ec9346ed0e39d3eb9f3ea6bf80da24511749e81faba9d9f67594f84cf6498eca548142ac5ff55a84e7f90027969ea1f7bba5043b526bbf03c5c5e1bb1d3354e6a133d65f486c208d81c2b479ddcec24c9cb4ed52d54d230dd9a0d146591eb1c955039c14030100010116030100303fb0dc239c5a1d72a542e08c8f4cf5184f8bd5e6a09094bf9567b7552701c63653b48a9bc4a2 EAP-Message = 0x882c05af515396286fef NAS-IP-Address = xxxxxx Service-Type = Login-User Calling-Station-Id = "xxxxxx" NAS-Port-Id = "1:15" NAS-Port = 1015 NAS-Port-Type = Ethernet State = 0x4cc0b8cd49b9b553bc1d190550109285 Message-Authenticator = 0xf59144ca01da73bd38c95d7f8ec7fd06 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> xxxxxx expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx ++++[request] returns notfound ++++[noop] returns noop +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop +++ ... skipping else for request 8: Preceding "if" was taken ++- policy rewrite.calling_station_id returns noop [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528 [auth_log] expand: %t -> Tue May 28 17:31:47 2013 ++[auth_log] returns ok ++- entering policy redundant {...} [sql] expand: %{Calling-Station-Id} -> xxxxxx [sql] sql_set_user escaped user --> 'xxxxxx' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: xxxxx [sql] User found in radcheck table [sql] expand: xxxxx rlm_sql (sql): Released sql socket id: 1 +++[sql] returns ok ++- policy redundant returns ok ++? if (!ok) ? Evaluating !(ok) -> FALSE ++? if (!ok) -> FALSE ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 121 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 05fc], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = host/xxxxxx.tirol.local [tls] --> BUF-Name = TLR Enterprise Root CA [tls] --> subject = /DC=local/DC=tirol/CN=TLR Enterprise Root CA [tls] --> issuer = /DC=local/DC=tirol/CN=TLR Enterprise Root CA [tls] --> verify return:1 that failing is on purpose! [tls] Verifying client certificate: /usr/local/sbin/clrtest/ /etc/raddb/certs/.temp/ %{TLS-Client-Cert-Filename} [tls] expand: %{TLS-Client-Cert-Filename} -> /var/tmp/radiusd/radiusd.client.XXSj2Dlm Exec-Program output: Exec-Program: FAILED to execute /usr/local/sbin/clrtest/: Not a directory Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /usr/local/sbin/clrtest/: Not a directory Exec-Program: returned: 1 rlm_eap_tls: Certificate CN (xxxxxx.tirol.local) fails external verification! [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = host/xxxxxx.tirol.local [tls] --> BUF-Name = xxxxxx.tirol.local [tls] --> subject = /CN=xxxxxx.tirol.local [tls] --> issuer = /DC=local/DC=tirol/CN=TLR Enterprise Root CA [tls] --> verify return:0 [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown TLS Alert write:fatal:certificate unknown TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++- entering else else {...} ++++[control] returns invalid +++- else else returns invalid ++- else else returns invalid Failed to authenticate the user. Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxx.tirol.local/<via Auth-Type = EAP>] (from client xxxxxx port 1015 cli xxxxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> host/xxxxxx.tirol.local [sql_log] expand: %{%{User-Name}:-DEFAULT} -> host/xxxxxx.tirol.local [sql_log] sql_set_user escaped user --> 'host/xxxxxx.tirol.local' [sql_log] expand: INSERT INTO tlogauthentication (hostname, mac, nas, portid, porttype, reply, authtype, reason, createtimestamp, createuser) VALUES ('xxxxxx.tirol.local', '%{Calling-Station-Id}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%{reply:Packet-Type}', if('%{EAP-Type}' != '','%{EAP-Type}','MAC'), '%{control:MACAU-Reason}', '%S', 'radsqlrelay') -> INSERT INTO tlogauthentication (hostname, mac, nas, portid, porttype, reply, authtype, reason, createtimestamp, createuser) VALUES ('xxxxxx.tirol.local', 'xxxxxx', 'xxxxxx', '1015', 'Ethernet', 'Access-Reject', if('EAP-TLS' != '','EAP-TLS','MAC'), 'Zertifikat ungueltig (z.b. revoked/abgelaufen)', '2013-05-28 17:31:47', 'radsqlrelay') [sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay ++[sql_log] returns ok ++[reply] returns ok Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 52 to xxxxxx port 48570 EAP-Message = 0x04790004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html