freeradius confuses switch
Hello, In tcpdump I see the radius packets in the following order: switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c In the last packet the switch receives all proper vlan attributes. In the tplink switch CLI I see it does *not* change the port state from unauthorized to authorized. Upgrading the switch to latest firmware did not change anything. I am not sure is the switch working correctly because of the access-reject package? Regards, Christoph
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request. As always, what does the full debug output show? -- Matthew
Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request.
As always, what does the full debug output show?
Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump: authentik-freeradius-1 | (45) Received Access-Request Id 46 from 172.16.1.1:49514 to 172.16.1.2:1812 length 138 authentik-freeradius-1 | (45) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (45) EAP-Message = 0x02020016016170706c655f6c616e5f74686174736d65 authentik-freeradius-1 | (45) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (45) NAS-Port = 3 authentik-freeradius-1 | (45) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (45) Service-Type = Framed-User authentik-freeradius-1 | (45) if (&User-Name =~ / /) { authentik-freeradius-1 | (45) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (45) } # if (&User-Name) = notfound authentik-freeradius-1 | (45) suffix: No such realm "NULL" authentik-freeradius-1 | (45) [suffix] = noop authentik-freeradius-1 | (45) eap: Peer sent EAP Response (code 2) ID 2 length 22 authentik-freeradius-1 | (45) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize authentik-freeradius-1 | (45) [eap] = ok authentik-freeradius-1 | (45) } # authorize = ok authentik-freeradius-1 | (45) Found Auth-Type = eap authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (45) authenticate { authentik-freeradius-1 | (45) eap: Peer sent packet with method EAP Identity (1) authentik-freeradius-1 | (45) eap: Using default_eap_type = TTLS authentik-freeradius-1 | (45) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (45) eap_ttls: (TLS) TTLS -Initiating new session authentik-freeradius-1 | (45) eap: Sending EAP Request (code 1) ID 3 length 6 authentik-freeradius-1 | (45) eap: EAP session adding &reply:State = 0x2d378bd52d349ea4 authentik-freeradius-1 | (45) [eap] = handled authentik-freeradius-1 | (45) } # authenticate = handled authentik-freeradius-1 | (45) Using Post-Auth-Type Challenge authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (45) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (45) session-state: Saving cached attributes authentik-freeradius-1 | (45) Framed-MTU = 994 authentik-freeradius-1 | (45) Sent Access-Challenge Id 46 from 172.16.1.2:1812 to 172.16.1.1:49514 length 64 authentik-freeradius-1 | (45) EAP-Message = 0x010300061520 authentik-freeradius-1 | (45) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (45) State = 0x2d378bd52d349ea48c81890488f2e33c authentik-freeradius-1 | (45) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (46) Received Access-Request Id 47 from 172.16.1.1:49514 to 172.16.1.2:1812 length 295 authentik-freeradius-1 | (46) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (46) EAP-Message = 0x020300a115800000009716030300920100008e0303681dc4befd642d026911306f371557d5d2f4a94b96242867061ce633f5245fe800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 authentik-freeradius-1 | (46) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (46) NAS-Port = 3 authentik-freeradius-1 | (46) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (46) Service-Type = Framed-User authentik-freeradius-1 | (46) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (46) NAS-Port-Type = Ethernet authentik-freeradius-1 | (46) State = 0x2d378bd52d349ea48c81890488f2e33c authentik-freeradius-1 | (46) Message-Authenticator = 0x6dd431248b2fbe0228d157c2fa27a529 authentik-freeradius-1 | (46) Restoring &session-state authentik-freeradius-1 | (46) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (46) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) authorize { authentik-freeradius-1 | (46) policy filter_username { authentik-freeradius-1 | (46) if (&User-Name) { authentik-freeradius-1 | (46) if (&User-Name) -> TRUE authentik-freeradius-1 | (46) if (&User-Name) { authentik-freeradius-1 | (46) if (&User-Name =~ / /) { authentik-freeradius-1 | (46) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (46) } # if (&User-Name) = notfound authentik-freeradius-1 | (46) } # policy filter_username = notfound authentik-freeradius-1 | (46) [preprocess] = ok authentik-freeradius-1 | (46) [chap] = noop authentik-freeradius-1 | (46) [mschap] = noop authentik-freeradius-1 | (46) [digest] = noop authentik-freeradius-1 | (46) suffix: Checking for suffix after "@" authentik-freeradius-1 | (46) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (46) suffix: No such realm "NULL" authentik-freeradius-1 | (46) [suffix] = noop authentik-freeradius-1 | (46) eap: Peer sent EAP Response (code 2) ID 3 length 161 authentik-freeradius-1 | (46) eap: Continuing tunnel setup authentik-freeradius-1 | (46) [eap] = ok authentik-freeradius-1 | (46) } # authorize = ok authentik-freeradius-1 | (46) Found Auth-Type = eap authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) authenticate { authentik-freeradius-1 | (46) eap: Removing EAP session with state 0x2d378bd52d349ea4 authentik-freeradius-1 | (46) eap: Previous EAP request found for state 0x2d378bd52d349ea4, released from the list authentik-freeradius-1 | (46) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (46) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (46) eap_ttls: Authenticate authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Got all data (151 bytes) authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - In Handshake Phase authentik-freeradius-1 | (46) eap: Sending EAP Request (code 1) ID 4 length 1000 authentik-freeradius-1 | (46) eap: EAP session adding &reply:State = 0x2d378bd52c339ea4 authentik-freeradius-1 | (46) [eap] = handled authentik-freeradius-1 | (46) } # authenticate = handled authentik-freeradius-1 | (46) Using Post-Auth-Type Challenge authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (46) session-state: Saving cached attributes authentik-freeradius-1 | (46) Framed-MTU = 994 authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (46) Sent Access-Challenge Id 47 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (46) EAP-Message = 0x010403e815c000000fb4160303003d02000039030388fff48d047feef3d5ff00a05d375edda874c47f374df3e3444f574e4752440100c030000011ff01000100000b000403000102001700001603030d120b000d0e000d0b00062b308206273082040fa003020102020101300d06092a864886f70d01010b0500308187310b3009060355040613024445310b300906035504080c024257310c300a06035504070c035348413111300f060355040a0c0852656c6576616e743121301f06092a864886f70d010901161269744076696e65796172642d7368612e64653127302506035504030c1e52656c6576616e7420436572746966696361746520417574686f72697479301e170d3235303432393132333934305a170d3235303732383132333934305a3079310b3009060355040613024445310b300906035504080c0242573111300f060355040a0c0852656c6576616e743127302506035504030c1e52656c6576616e742043657274696669636174652041757468 authentik-freeradius-1 | (46) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (46) State = 0x2d378bd52c339ea48c81890488f2e33c authentik-freeradius-1 | (46) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (47) Received Access-Request Id 48 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (47) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (47) EAP-Message = 0x020400061500 authentik-freeradius-1 | (47) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (47) NAS-Port = 3 authentik-freeradius-1 | (47) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (47) Service-Type = Framed-User authentik-freeradius-1 | (47) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (47) NAS-Port-Type = Ethernet authentik-freeradius-1 | (47) State = 0x2d378bd52c339ea48c81890488f2e33c authentik-freeradius-1 | (47) Message-Authenticator = 0x8ba8cf973db7dbf690257fd18897e523 authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (47) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (47) authorize { authentik-freeradius-1 | (47) policy filter_username { authentik-freeradius-1 | (47) if (&User-Name) { authentik-freeradius-1 | (47) if (&User-Name) -> TRUE authentik-freeradius-1 | (47) if (&User-Name) { authentik-freeradius-1 | (47) if (&User-Name =~ / /) { authentik-freeradius-1 | (47) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (47) } # if (&User-Name) = notfound authentik-freeradius-1 | (47) } # policy filter_username = notfound authentik-freeradius-1 | (47) [preprocess] = ok authentik-freeradius-1 | (47) [chap] = noop authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (47) Sent Access-Challenge Id 48 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (47) EAP-Message = 0x010503e815c000000fb42f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be68010302301d0603551d0e041604144a7e2994148f5496048c2dc652719f5c7607bc98301f0603551d23041830168014701806d2e6c468e75987bb23a0b1d9f88d709ac4300d06092a864886f70d01010b0500038202010093980ec717a88f949a6937eb2936cd0debc7605e805a0b8630abbc62f35350a0fff1a7886d653db8558319b1bc2d2c31bfea23208c6426ca6f3e50e2572dc7d7a6d90c97a3ef13a70dac554e6549f528a113d0e2a20391b34f295a38966530b917f843450cff4f133d4478bdac234d2a688305ffe69e3220319337fe4903fcc7240c57c33a2c988bb015733f4175045e6d7af21979a035f0a9e10da845b181fd32ae894991b560372a07ebdb52499f94e2f94e271260f08711830b89d8e9ca8873d822f14d1cccd8a24be1e9cbd773 authentik-freeradius-1 | (47) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (47) State = 0x2d378bd52f329ea48c81890488f2e33c authentik-freeradius-1 | (47) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (48) Received Access-Request Id 49 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (48) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (48) EAP-Message = 0x020500061500 authentik-freeradius-1 | (48) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (48) NAS-Port = 3 authentik-freeradius-1 | (48) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (48) Service-Type = Framed-User authentik-freeradius-1 | (48) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (48) NAS-Port-Type = Ethernet authentik-freeradius-1 | (48) State = 0x2d378bd52f329ea48c81890488f2e33c authentik-freeradius-1 | (48) Message-Authenticator = 0x7e9c351c6e0c60bec88aae42cbfd7a82 authentik-freeradius-1 | (48) Restoring &session-state authentik-freeradius-1 | (48) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (48) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) authorize { authentik-freeradius-1 | (48) policy filter_username { authentik-freeradius-1 | (48) if (&User-Name) { authentik-freeradius-1 | (48) if (&User-Name) -> TRUE authentik-freeradius-1 | (48) if (&User-Name) { authentik-freeradius-1 | (48) if (&User-Name =~ / /) { authentik-freeradius-1 | (48) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (48) } # if (&User-Name) = notfound authentik-freeradius-1 | (48) } # policy filter_username = notfound authentik-freeradius-1 | (48) [preprocess] = ok authentik-freeradius-1 | (48) [chap] = noop authentik-freeradius-1 | (48) [mschap] = noop authentik-freeradius-1 | (48) [digest] = noop authentik-freeradius-1 | (48) suffix: Checking for suffix after "@" authentik-freeradius-1 | (48) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (48) suffix: No such realm "NULL" authentik-freeradius-1 | (48) [suffix] = noop authentik-freeradius-1 | (48) eap: Peer sent EAP Response (code 2) ID 5 length 6 authentik-freeradius-1 | (48) eap: Continuing tunnel setup authentik-freeradius-1 | (48) [eap] = ok authentik-freeradius-1 | (48) } # authorize = ok authentik-freeradius-1 | (48) Found Auth-Type = eap authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) authenticate { authentik-freeradius-1 | (48) eap: Removing EAP session with state 0x2d378bd52f329ea4 authentik-freeradius-1 | (48) eap: Previous EAP request found for state 0x2d378bd52f329ea4, released from the list authentik-freeradius-1 | (48) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (48) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (48) eap_ttls: Authenticate authentik-freeradius-1 | (48) eap_ttls: (TLS) Peer ACKed our handshake fragment authentik-freeradius-1 | (48) eap: Sending EAP Request (code 1) ID 6 length 1000 authentik-freeradius-1 | (48) eap: EAP session adding &reply:State = 0x2d378bd52e319ea4 authentik-freeradius-1 | (48) [eap] = handled authentik-freeradius-1 | (48) } # authenticate = handled authentik-freeradius-1 | (48) Using Post-Auth-Type Challenge authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (48) session-state: Saving cached attributes authentik-freeradius-1 | (48) Framed-MTU = 994 authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (48) Sent Access-Challenge Id 49 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (48) EAP-Message = 0x010603e815c000000fb43127302506035504030c1e52656c6576616e7420436572746966696361746520417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100e55d87d38cf2c678cd5e9b9cf81d94b6b91cd6463f8d77ec2fc375c2b6b502157c3ead93d845cda3997b1f428ee037cc776726254b9d4746fbf022bbf59228b2b912925af38f8647bc270e8052662caf474f4607aabb9b484b4b3cecfeafd6c483f7f3f77680ae050a7708020d92bda2c75a55113d207dc9511d2e1cac2e4b6dbed4f86a604e08dca9285f4edaf786c6e35f10f91bdad17e23ab955aa3e0f8c29fccedd093d20811fe24aefdc0b7635cb7c9e89a0dbe073a4e7f16180c21594c71660ccf797685939894048d34a8140428b943cb915289a0fc98b52316853f150037f925946cf9be5bfbdebd22bd12041ba4234091b663c0660b86a509bde5ed5116c928fea2bd51297cd2b1c47b076fe41b4a0daf19d765a1e6da397ce03b2816cedd authentik-freeradius-1 | (48) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (48) State = 0x2d378bd52e319ea48c81890488f2e33c authentik-freeradius-1 | (48) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (49) Received Access-Request Id 50 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (49) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (49) EAP-Message = 0x020600061500 authentik-freeradius-1 | (49) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (49) NAS-Port = 3 authentik-freeradius-1 | (49) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (49) Service-Type = Framed-User authentik-freeradius-1 | (49) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (49) NAS-Port-Type = Ethernet authentik-freeradius-1 | (49) Message-Authenticator = 0x813ff55ff1a4a9e8af7bfd6b291b0e9b authentik-freeradius-1 | (49) Restoring &session-state authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (49) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (49) authorize { authentik-freeradius-1 | (49) policy filter_username { authentik-freeradius-1 | (49) if (&User-Name) { authentik-freeradius-1 | (49) if (&User-Name) -> TRUE authentik-freeradius-1 | (49) if (&User-Name) { authentik-freeradius-1 | (49) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (49) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (49) } # if (&User-Name) = notfound authentik-freeradius-1 | (49) } # policy filter_username = notfound authentik-freeradius-1 | (50) Received Access-Request Id 51 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (50) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (50) EAP-Message = 0x020700061500 authentik-freeradius-1 | (50) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (50) NAS-Port = 3 authentik-freeradius-1 | (50) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (50) Service-Type = Framed-User authentik-freeradius-1 | (50) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (50) NAS-Port-Type = Ethernet authentik-freeradius-1 | (50) State = 0x2d378bd529309ea48c81890488f2e33c authentik-freeradius-1 | (50) Message-Authenticator = 0xf81e574264216b6dad0e74b30869f07f authentik-freeradius-1 | (50) Restoring &session-state authentik-freeradius-1 | (50) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (50) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) authorize { authentik-freeradius-1 | (50) policy filter_username { authentik-freeradius-1 | (50) if (&User-Name) { authentik-freeradius-1 | (50) if (&User-Name) -> TRUE authentik-freeradius-1 | (50) if (&User-Name) { authentik-freeradius-1 | (50) if (&User-Name =~ / /) { authentik-freeradius-1 | (50) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (50) } # if (&User-Name) = notfound authentik-freeradius-1 | (50) } # policy filter_username = notfound authentik-freeradius-1 | (50) [preprocess] = ok authentik-freeradius-1 | (50) [chap] = noop authentik-freeradius-1 | (50) [mschap] = noop authentik-freeradius-1 | (50) [digest] = noop authentik-freeradius-1 | (50) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (50) suffix: No such realm "NULL" authentik-freeradius-1 | (50) [suffix] = noop authentik-freeradius-1 | (50) eap: Peer sent EAP Response (code 2) ID 7 length 6 authentik-freeradius-1 | (50) eap: Continuing tunnel setup authentik-freeradius-1 | (50) [eap] = ok authentik-freeradius-1 | (50) } # authorize = ok authentik-freeradius-1 | (50) Found Auth-Type = eap authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) authenticate { authentik-freeradius-1 | (50) eap: Removing EAP session with state 0x2d378bd529309ea4 authentik-freeradius-1 | (50) eap: Previous EAP request found for state 0x2d378bd529309ea4, released from the list authentik-freeradius-1 | (50) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (50) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (50) eap_ttls: Authenticate authentik-freeradius-1 | (50) eap_ttls: (TLS) Peer ACKed our handshake fragment authentik-freeradius-1 | (50) eap: Sending EAP Request (code 1) ID 8 length 70 authentik-freeradius-1 | (50) [eap] = handled authentik-freeradius-1 | (50) } # authenticate = handled authentik-freeradius-1 | (50) Using Post-Auth-Type Challenge authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (50) session-state: Saving cached attributes authentik-freeradius-1 | (50) Framed-MTU = 994 authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (50) Sent Access-Challenge Id 51 from 172.16.1.2:1812 to 172.16.1.1:49514 length 128 authentik-freeradius-1 | (50) EAP-Message = 0x01080046158000000fb4869667380632a4142079fb1f2ff5c8def2967978b74b3087d78a0bc118847696a8454a2a272af3d6cd31a29d59fbf04fcea73416030300040e000000 authentik-freeradius-1 | (50) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (50) State = 0x2d378bd5283f9ea48c81890488f2e33c authentik-freeradius-1 | (50) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (51) Received Access-Request Id 52 from 172.16.1.1:49514 to 172.16.1.2:1812 length 270 authentik-freeradius-1 | (51) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (51) EAP-Message = 0x0208008815800000007e160303004610000042410419ae54fd8e6d6cf9d33816dcca4bf092ad18d110ad1ca18ad0b68e5a397c0a604e49c6add9cb514acac0811f412580d3cef6aa3a37a814eedfebef46ec8f48aa1403030001011603030028f5828f0161eb6130a671794392becd9618fa618cb47c6265cadcaea18ccfc8b2b2e03cd124ea548b authentik-freeradius-1 | (51) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (51) NAS-Port = 3 authentik-freeradius-1 | (51) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (51) Service-Type = Framed-User authentik-freeradius-1 | (51) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (51) NAS-Port-Type = Ethernet authentik-freeradius-1 | (51) State = 0x2d378bd5283f9ea48c81890488f2e33c authentik-freeradius-1 | (51) Message-Authenticator = 0x31d9c558591c9fa84bb37e2443138f02 authentik-freeradius-1 | (51) Restoring &session-state authentik-freeradius-1 | (51) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (51) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) authorize { authentik-freeradius-1 | (51) policy filter_username { authentik-freeradius-1 | (51) if (&User-Name) { authentik-freeradius-1 | (51) if (&User-Name) -> TRUE authentik-freeradius-1 | (51) if (&User-Name) { authentik-freeradius-1 | (51) if (&User-Name =~ / /) { authentik-freeradius-1 | (51) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (51) [mschap] = noop authentik-freeradius-1 | (51) [digest] = noop authentik-freeradius-1 | (51) suffix: Checking for suffix after "@" authentik-freeradius-1 | (51) [suffix] = noop authentik-freeradius-1 | (51) eap: Peer sent EAP Response (code 2) ID 8 length 136 authentik-freeradius-1 | (51) [eap] = ok authentik-freeradius-1 | (51) } # authorize = ok authentik-freeradius-1 | (51) Found Auth-Type = eap authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) authenticate { authentik-freeradius-1 | (51) eap: Removing EAP session with state 0x2d378bd5283f9ea4 authentik-freeradius-1 | (51) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (51) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (51) eap_ttls: Authenticate authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Got all data (126 bytes) authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Connection Established authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (51) eap: Sending EAP Request (code 1) ID 9 length 61 authentik-freeradius-1 | (51) eap: EAP session adding &reply:State = 0x2d378bd52b3e9ea4 authentik-freeradius-1 | (51) } # authenticate = handled authentik-freeradius-1 | (51) Using Post-Auth-Type Challenge authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (51) session-state: Saving cached attributes authentik-freeradius-1 | (51) Framed-MTU = 994 authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (51) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" authentik-freeradius-1 | (51) TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (51) Sent Access-Challenge Id 52 from 172.16.1.2:1812 to 172.16.1.1:49514 length 119 authentik-freeradius-1 | (51) EAP-Message = 0x0109003d15800000003314030300010116030300281c6440dcdfdbf05f1f9394118125311533b66d6444bdb7f11ce8b2a04b349adc2bb5de540eb22132 authentik-freeradius-1 | (51) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (51) State = 0x2d378bd52b3e9ea48c81890488f2e33c authentik-freeradius-1 | (51) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217 authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (52) Service-Type = Framed-User authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) } # policy filter_username = notfound authentik-freeradius-1 | (52) [preprocess] = ok authentik-freeradius-1 | (52) [chap] = noop authentik-freeradius-1 | (52) [mschap] = noop authentik-freeradius-1 | (52) [digest] = noop authentik-freeradius-1 | (52) suffix: Checking for suffix after "@" authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now authentik-freeradius-1 | Waking up in 4.6 seconds. authentik-freeradius-1 | (45) Cleaning up request packet ID 46 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (46) Cleaning up request packet ID 47 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (47) Cleaning up request packet ID 48 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (48) Cleaning up request packet ID 49 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (49) Cleaning up request packet ID 50 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (50) Cleaning up request packet ID 51 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199 authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (53) NAS-Port = 3 authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (53) Service-Type = Framed-User authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094 authentik-freeradius-1 | (53) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authorize { authentik-freeradius-1 | (53) policy filter_username { authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name) -> TRUE authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (53) } # if (&User-Name) = notfound authentik-freeradius-1 | (53) } # policy filter_username = notfound authentik-freeradius-1 | (53) [preprocess] = ok authentik-freeradius-1 | (53) [chap] = noop authentik-freeradius-1 | (53) [mschap] = noop authentik-freeradius-1 | (53) [digest] = noop authentik-freeradius-1 | (53) suffix: Checking for suffix after "@" authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (53) suffix: No such realm "NULL" authentik-freeradius-1 | (53) eap: Continuing tunnel setup authentik-freeradius-1 | (53) [eap] = ok authentik-freeradius-1 | (53) } # authorize = ok authentik-freeradius-1 | (53) Found Auth-Type = eap authentik-freeradius-1 | (53) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authenticate { authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet. authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client. authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request authentik-freeradius-1 | Waking up in 0.6 seconds. authentik-freeradius-1 | (53) Sending delayed response authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) The packet does not contain Message-Authenticator, which is a security issue authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) Clearing existing &reply: attributes authentik-freeradius-1 | (52) Found Auth-Type = eap authentik-freeradius-1 | (52) Found Auth-Type = Accept authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme' authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (52) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) post-auth { authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE authentik-freeradius-1 | (52) update { authentik-freeradius-1 | (52) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHello' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Certificate' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (52) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' authentik-freeradius-1 | (52) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' authentik-freeradius-1 | (52) } # update = noop authentik-freeradius-1 | (52) reply_log: EXPAND /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d authentik-freeradius-1 | (52) reply_log: --> /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509 authentik-freeradius-1 | (52) reply_log: /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509 authentik-freeradius-1 | (52) reply_log: EXPAND %t authentik-freeradius-1 | (52) reply_log: --> Fri May 9 09:02:54 2025 authentik-freeradius-1 | (52) [reply_log] = ok authentik-freeradius-1 | (52) [exec] = noop authentik-freeradius-1 | (52) policy remove_reply_message_if_eap { authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) { authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE authentik-freeradius-1 | (52) else { authentik-freeradius-1 | (52) [noop] = noop authentik-freeradius-1 | (52) } # else = noop authentik-freeradius-1 | (52) } # policy remove_reply_message_if_eap = noop authentik-freeradius-1 | (52) if (EAP-Key-Name && &reply:EAP-Session-Id) { authentik-freeradius-1 | rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" authentik-freeradius-1 | rlm_ldap (ldap): Opening additional connection (15), 1 of 32 pending slots used authentik-freeradius-1 | rlm_ldap (ldap): Connecting to ldap://outpost-ldap:3389 authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result... authentik-freeradius-1 | rlm_ldap (ldap): Bind successful authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) EXPAND (&(objectClass=posixAccount)(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})) authentik-freeradius-1 | (52) --> (&(objectClass=posixAccount)(cn=christoph)) authentik-freeradius-1 | (52) Performing search in "ou=users,dc=ldap,dc=example,dc=com" with filter "(&(objectClass=posixAccount)(cn=christoph))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) User object found at DN "cn=christoph,ou=users,dc=ldap,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result... authentik-freeradius-1 | rlm_ldap (ldap): Bind successful authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamboss" authentik-freeradius-1 | (52) if (LDAP-Group == "RelVY_Teamboss") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_1" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_2" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_1" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_1") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_2" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_3" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_3" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_4" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_4" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_Vorsitz") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_Vorsitz" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_Vorsitz" authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamleader_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") { authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Team_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Teamleader_1" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) User found in group object "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") -> TRUE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") { authentik-freeradius-1 | (52) update reply { authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(member=*christoph*))", scope "one" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) EXPAND %{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=RelVY_Teamleader_1)(member=*%{&control:User-Name}*))}:-20} authentik-freeradius-1 | (52) --> 11 authentik-freeradius-1 | (52) &Tunnel-Private-Group-Id = 11 authentik-freeradius-1 | (52) } # update reply = noop authentik-freeradius-1 | (52) } # elsif (LDAP-Group == "RelVY_Teamleader_1") = noop authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping else: Preceding "if" was taken authentik-freeradius-1 | (52) [updated] = updated authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Finished request authentik-freeradius-1 | Waking up in 2.0 seconds. authentik-freeradius-1 | (53) Cleaning up request packet ID 54 with timestamp +11392 due to cleanup_delay was reached authentik-freeradius-1 | Waking up in 2.9 seconds. authentik-freeradius-1 | (52) Cleaning up request packet ID 53 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | Ready to process requests Here is the corresponding tcpdump: 11:02:54.478033 IP (tos 0x0, ttl 64, id 16203, offset 0, flags [DF], proto UDP (17), length 166) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 138 Access-Request (1), id: 0x2e, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 24, Value: Response (2), id 2, len 22 Type Identity (1), Identity: apple_lan_thatsme NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet Message-Authenticator Attribute (80), length: 18, Value: .....O.Z'.x. .g. 11:02:54.479542 IP (tos 0x0, ttl 63, id 29929, offset 0, flags [DF], proto UDP (17), length 92) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 64 Access-Challenge (11), id: 0x2e, Authenticator: d7071e95b29ff0017add0f037e666954 Message-Authenticator Attribute (80), length: 18, Value: ...-.. ).@...9.. EAP-Message Attribute (79), length: 8, Value: Request (1), id 3, len 6 Type TTLS (21) TTLSv0 flags [Start bit] 0x20 State Attribute (24), length: 18, Value: -7..-4.........< 11:02:54.485256 IP (tos 0x0, ttl 64, id 16204, offset 0, flags [DF], proto UDP (17), length 323) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 295 Access-Request (1), id: 0x2f, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 163, Value: Response (2), id 3, len 161 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 151 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..-4.........< Message-Authenticator Attribute (80), length: 18, Value: m.1$./..(.W..'.) 11:02:54.495593 IP (tos 0x0, ttl 63, id 29939, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x2f, Authenticator: 3fbed79113c4ccfc7b70b06bfe90ddc6 Message-Authenticator Attribute (80), length: 18, Value: ......>.?......> EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7..,3.........< 11:02:54.508580 IP (tos 0x0, ttl 64, id 16206, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x30, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 4, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..,3.........< Message-Authenticator Attribute (80), length: 18, Value: ....=....%.....# 11:02:54.510434 IP (tos 0x0, ttl 63, id 29954, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x30, Authenticator: f1155949a826c03d78b88c8716492fc5 Message-Authenticator Attribute (80), length: 18, Value: ^.Q.Vj.{.q_..... EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7../2.........< 11:02:54.513539 IP (tos 0x0, ttl 64, id 16207, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x31, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 5, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7../2.........< Message-Authenticator Attribute (80), length: 18, Value: ~.5.n.`....B..z. 11:02:54.514849 IP (tos 0x0, ttl 63, id 29957, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x31, Authenticator: 4c61ec5020319a7800baf316893e7018 Message-Authenticator Attribute (80), length: 18, Value: .$+R.R..d..o.s2. EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7...1.........< 11:02:54.518103 IP (tos 0x0, ttl 64, id 16208, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x32, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 6, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7...1.........< Message-Authenticator Attribute (80), length: 18, Value: .?._.....{.k)... 11:02:54.519623 IP (tos 0x0, ttl 63, id 29960, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x32, Authenticator: 678824bd907c75c8b2d8dc6ff22aeb60 Message-Authenticator Attribute (80), length: 18, Value: ........Y..{.... EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7..)0.........< 11:02:54.522606 IP (tos 0x0, ttl 64, id 16209, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x33, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 7, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..)0.........< Message-Authenticator Attribute (80), length: 18, Value: ..WBd!km..t..i.. 11:02:54.523961 IP (tos 0x0, ttl 63, id 29962, offset 0, flags [DF], proto UDP (17), length 156) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 128 Access-Challenge (11), id: 0x33, Authenticator: 0304fcd86e7f86ba4c2a0b92bd96ae44 Message-Authenticator Attribute (80), length: 18, Value: h..o..../f..V... EAP-Message Attribute (79), length: 72, Value: Request (1), id 8, len 70 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 4020 State Attribute (24), length: 18, Value: -7..(?.........< 11:02:54.535647 IP (tos 0x0, ttl 64, id 16210, offset 0, flags [DF], proto UDP (17), length 298) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 270 Access-Request (1), id: 0x34, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 138, Value: Response (2), id 8, len 136 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 126 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..(?.........< Message-Authenticator Attribute (80), length: 18, Value: 1..XY...K.~$C... 11:02:54.539823 IP (tos 0x0, ttl 63, id 29975, offset 0, flags [DF], proto UDP (17), length 147) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 119 Access-Challenge (11), id: 0x34, Authenticator: 2d0dcced9b854c9b21bc8f66158d5f53 Message-Authenticator Attribute (80), length: 18, Value: ..$.3..#...:..U. EAP-Message Attribute (79), length: 63, Value: Request (1), id 9, len 61 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 51 State Attribute (24), length: 18, Value: -7..+>.........< 11:02:54.542691 IP (tos 0x0, ttl 64, id 16211, offset 0, flags [DF], proto UDP (17), length 245) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 217 Access-Request (1), id: 0x35, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..+>.........< Message-Authenticator Attribute (80), length: 18, Value: x....g.q..R..... 11:02:59.486633 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell SG3206X-M2.example.com, length 46 11:02:59.486636 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at 00:00:5e:00:01:02 (oui IANA), length 28 11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199 Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet Message-Authenticator Attribute (80), length: 18, Value: ..-s...f .... .. 11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38 Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17 Message-Authenticator Attribute (80), length: 18, Value: pK.._.....JN.j\0 11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60 Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839 Message-Authenticator Attribute (80), length: 18, Value: .d.U.....q.K.... Framed-MTU Attribute (12), length: 6, Value: 994 Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802 Tunnel-Private-Group-ID Attribute (81), length: 4, Value: 11
On 09/05/2025 11:08, Christoph Egger wrote:
Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request.
As always, what does the full debug output show?
11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199 Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
request ID 54 (0x36)
11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38 Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17
response to request ID 54
11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60 Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839
response to request ID 53 (0x35)
Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump:
... Request ID 53 (number 52), weird looking request, maybe it's an odd form of mac auth bypass?
authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217 authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (52) Service-Type = Framed-User authentik-freeradius-1 | (52) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) } # policy filter_username = notfound authentik-freeradius-1 | (52) [preprocess] = ok authentik-freeradius-1 | (52) [chap] = noop authentik-freeradius-1 | (52) [mschap] = noop authentik-freeradius-1 | (52) [digest] = noop authentik-freeradius-1 | (52) suffix: Checking for suffix after "@" authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now
waiting for proxy ... request ID 53 (number 53), EAP...
authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199 authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (53) NAS-Port = 3 authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (53) Service-Type = Framed-User authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094 authentik-freeradius-1 | (53) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authorize { authentik-freeradius-1 | (53) policy filter_username { authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name) -> TRUE authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (53) } # if (&User-Name) = notfound authentik-freeradius-1 | (53) } # policy filter_username = notfound authentik-freeradius-1 | (53) [preprocess] = ok authentik-freeradius-1 | (53) [chap] = noop authentik-freeradius-1 | (53) [mschap] = noop authentik-freeradius-1 | (53) [digest] = noop authentik-freeradius-1 | (53) suffix: Checking for suffix after "@" authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (53) suffix: No such realm "NULL" authentik-freeradius-1 | (53) eap: Continuing tunnel setup authentik-freeradius-1 | (53) [eap] = ok authentik-freeradius-1 | (53) } # authorize = ok authentik-freeradius-1 | (53) Found Auth-Type = eap authentik-freeradius-1 | (53) # Executing group from file /opt/etc/ raddb/sites-enabled/default authentik-freeradius-1 | (53) authenticate { authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet. authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client. authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP- response to an unknown EAP-request
...but it's a broken client, FreeRADIUS gives up.
authentik-freeradius-1 | Waking up in 0.6 seconds. authentik-freeradius-1 | (53) Sending delayed response authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 |
Cleaning up the previous auth after response from proxy server:
(52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) The packet does not contain Message- Authenticator, which is a security issue authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) Clearing existing &reply: attributes authentik-freeradius-1 | (52) Found Auth-Type = eap authentik-freeradius-1 | (52) Found Auth-Type = Accept authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme' authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (52) # Executing section post-auth from file / opt/etc/raddb/sites-enabled/default ...
authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Finished request
Looks like your NAS is broken, sending invalid requests, or not waiting for the first one to finish before sending another. -- Matthew
Am 09.05.25 um 12:33 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 11:08, Christoph Egger wrote:
Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request.
As always, what does the full debug output show?
11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199 Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
request ID 54 (0x36)
11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38 Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17
response to request ID 54
11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60 Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839
response to request ID 53 (0x35)
Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump:
...
Request ID 53 (number 52), weird looking request, maybe it's an odd form of mac auth bypass?
MAB is disabled.
authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217 authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (52) Service-Type = Framed-User authentik-freeradius-1 | (52) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) } # policy filter_username = notfound authentik-freeradius-1 | (52) [preprocess] = ok authentik-freeradius-1 | (52) [chap] = noop authentik-freeradius-1 | (52) [mschap] = noop authentik-freeradius-1 | (52) [digest] = noop authentik-freeradius-1 | (52) suffix: Checking for suffix after "@" authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now
waiting for proxy
...
request ID 53 (number 53), EAP...
authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199 authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (53) NAS-Port = 3 authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (53) Service-Type = Framed-User authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094 authentik-freeradius-1 | (53) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authorize { authentik-freeradius-1 | (53) policy filter_username { authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name) -> TRUE authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (53) } # if (&User-Name) = notfound authentik-freeradius-1 | (53) } # policy filter_username = notfound authentik-freeradius-1 | (53) [preprocess] = ok authentik-freeradius-1 | (53) [chap] = noop authentik-freeradius-1 | (53) [mschap] = noop authentik-freeradius-1 | (53) [digest] = noop authentik-freeradius-1 | (53) suffix: Checking for suffix after "@" authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (53) suffix: No such realm "NULL" authentik-freeradius-1 | (53) eap: Continuing tunnel setup authentik-freeradius-1 | (53) [eap] = ok authentik-freeradius-1 | (53) } # authorize = ok authentik-freeradius-1 | (53) Found Auth-Type = eap authentik-freeradius-1 | (53) # Executing group from file /opt/etc/ raddb/sites-enabled/default authentik-freeradius-1 | (53) authenticate { authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet. authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client. authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP- response to an unknown EAP-request
...but it's a broken client, FreeRADIUS gives up.
The client is a MacBook (Sonoma) configured to use EAP-TTLS+PAP only. Without any configuration it does EAP-TLS.
authentik-freeradius-1 | Waking up in 0.6 seconds. authentik-freeradius-1 | (53) Sending delayed response authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 |
Cleaning up the previous auth after response from proxy server:
(52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) The packet does not contain Message- Authenticator, which is a security issue authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) Clearing existing &reply: attributes authentik-freeradius-1 | (52) Found Auth-Type = eap authentik-freeradius-1 | (52) Found Auth-Type = Accept authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme' authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (52) # Executing section post-auth from file / opt/etc/raddb/sites-enabled/default ...
authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Finished request
Looks like your NAS is broken, sending invalid requests, ...
I don't know why docker-compose logs does not show everything at the end. The last part here again: authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Tunnel-Private-Group-Id = "11" authentik-freeradius-1 | (52) Finished request authentik-freeradius-1 | Waking up in 2.0 seconds. authentik-freeradius-1 | (53) Cleaning up request packet ID 54 with timestamp +11392 due to cleanup_delay was reached authentik-freeradius-1 | Waking up in 2.9 seconds. authentik-freeradius-1 | (52) Cleaning up request packet ID 53 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | Ready to process requests
... or not waiting for the first one to finish before sending another.
I suppose that is the case. How can I tell freeradius to wait for the first one?
On May 9, 2025, at 6:55 AM, Christoph Egger via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Request ID 53 (number 52), weird looking request, maybe it's an odd form of mac auth bypass?
MAB is disabled.
That doesn't matter. FreeRADIUS doesn't invent Access-Request packets. If the NAS is sending an Access-Request packet, it's because the NAS is configured to send Access-Request packets.
authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217
PLEASE just post the output of "radiusd -X". We don't need to see the machine name on every debug line. It's useless. And DON'T post tcpdumps. They're useless. The documentation makes all of this VERY clear: http://wiki.freeradius.org/list-help.
How can I tell freeradius to wait for the first one?
You don't. The supplicant and NAS are in charge of when packets are sent. If they send packets in the wrong other, they're broken. You can't fix a broken supplicant / NAS by poking the RADIUS server. As Matthew said:
Looks like your NAS is broken, sending invalid requests, or not waiting for the first one to finish before sending another.
When you see a message like that, your response should be "Hmm... I guess I have to fix the NAS". Your response should not be to ignore that summary, and then ask how to "fix" FreeRADIUS. Alan DeKok.
On 09/05/2025 11:55, Christoph Egger wrote:
How can I tell freeradius to wait for the first one?
You don't. FreeRADIUS is correctly responding to the requests it's getting. You fix the NAS that's sending the requests, or the end device. This might be because the first proxying is taking too long, so the NAS times out, and sends another request. If that's the case you need to fix the server you're proxying to. But there's nothing wrong with how FreeRADIUS is working here, and no updating the settings there will fix the problem. -- Matthew
Am 09.05.25 um 13:45 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 11:55, Christoph Egger wrote:
How can I tell freeradius to wait for the first one?
You don't. FreeRADIUS is correctly responding to the requests it's getting. You fix the NAS that's sending the requests, or the end device.
This might be because the first proxying is taking too long, so the NAS times out, and sends another request. If that's the case you need to fix the server you're proxying to.
But there's nothing wrong with how FreeRADIUS is working here, and no updating the settings there will fix the problem.
The NAS (that is the switch) default timeout is 5 seconds and default retransmit value is 3. I reconfigured the switch to the max-timeout of 9 seconds and retransmit to max value 3. The reject now is gone. Thank you for your help.
participants (3)
-
Alan DeKok -
Christoph Egger -
Matthew Newton