EAP-TTLS not working on windows 11 for a wired usage
Hello everyone, and thank you for your future help in solving this problem. I’m trying to implement, a FreeRADIUS server for a wired usage using EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials saved in the users file. I’ve created my certificates (CA and server) following the recommended guidelines. When I test EAP-TTLS/PAP with eapol_test, i’ve got a success message, the same goes when I authenticate on my laptop under Windows 11 OS, with EAP-PEAP, while previously disabling « check the identity of the server… ». And when I click on the connect button after sending my credentials, to acknowledge my certificate is not safe, I succeed to connect. But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on « connect », I don’t have any following response to my Access-Challenge packets. I know there is an article on wiki.freeradius about certificate compatibility, but I’ve not been able to solve the problem even with it. FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/digest including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/rfc7542 including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipv4addr = 127.0.0.1 port = 1812 type = "auth" proto = "udp" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client private-network-1 { ipaddr = 10.101.0.20 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client swi-d1-p1-p173-001 { ipv4addr = 10.100.0.16 require_message_authenticator = no secret = <<< secret >>> shortname = "swi_nico_p173" nas_type = "cisco" virtual_server = "serveur_eap_ttls_pap" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client swi-d1-p173-002 { ipv4addr = 10.100.0.50 require_message_authenticator = no secret = <<< secret >>> shortname = "swi_said_edward_p173" nas_type = "cisco" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client test-network { ipaddr = 10.112.0.136 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest radiusd: #### Instantiating modules #### modules { # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_exec # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = yes with_alvarion_vsa_hack = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre ss}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = yes max_sessions = 16384 } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest instantiate { } # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "PROFILE=SYSTEM" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = yes override_cert_url = no url = http://127.0.0.1/ocsp/ use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = yes } # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipv4addr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv4addr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on proxy address * port 56698 Ready to process requests (0) Received Accounting-Request Id 60 from 10.100.0.50:1646 to 10.101.0.20:1813 length 285 (0) Acct-Session-Id = "0000006A" (0) Cisco-AVPair = "audit-session-id=0A6400320000003BB2AB2641" (0) User-Name = "test" (0) Acct-Authentic = RADIUS (0) Acct-Terminate-Cause = Lost-Carrier (0) Cisco-AVPair = "disc-cause-ext=No Reason" (0) Cisco-AVPair = "connect-progress=Call Up" (0) Acct-Session-Time = 93 (0) Acct-Input-Octets = 14097 (0) Acct-Output-Octets = 19204 (0) Acct-Input-Packets = 127 (0) Acct-Output-Packets = 74 (0) Acct-Status-Type = Stop (0) NAS-Port-Type = Ethernet (0) NAS-Port = 50006 (0) NAS-Port-Id = "GigabitEthernet0/6" (0) Called-Station-Id = "24-01-C7-8E-84-86" (0) Calling-Station-Id = "74-78-27-1B-F2-78" (0) Service-Type = Framed-User (0) NAS-IP-Address = 10.100.0.50 (0) Acct-Delay-Time = 19 (0) # Executing section preacct from file /etc/raddb/sites-enabled/default (0) preacct { (0) [preprocess] = ok (0) policy acct_unique { (0) update request { (0) &Tmp-String-9 := "ai:" (0) } # update request = noop (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (0) EXPAND %{hex:&Class} (0) --> (0) EXPAND ^%{hex:&Tmp-String-9} (0) --> ^61693a (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 0391b84a0867b3fc2bafaf4741bd212a (0) &Acct-Unique-Session-Id := 0391b84a0867b3fc2bafaf4741bd212a (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) [files] = noop (0) } # preacct = ok (0) # Executing section accounting from file /etc/raddb/sites-enabled/default (0) accounting { (0) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/detail-%Y%m%d (0) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725 (0) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.50/detail-20220725 (0) detail: EXPAND %t (0) detail: --> Mon Jul 25 18:15:40 2022 (0) [detail] = ok (0) [unix] = ok (0) radutmp: EXPAND /var/log/radius/radutmp (0) radutmp: --> /var/log/radius/radutmp (0) radutmp: EXPAND %{User-Name} (0) radutmp: --> test (0) [radutmp] = ok (0) sradutmp: EXPAND /var/log/radius/sradutmp (0) sradutmp: --> /var/log/radius/sradutmp (0) sradutmp: EXPAND %{User-Name} (0) sradutmp: --> test (0) [sradutmp] = ok (0) [exec] = noop (0) attr_filter.accounting_response: EXPAND %{User-Name} (0) attr_filter.accounting_response: --> test (0) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (0) [attr_filter.accounting_response] = updated (0) } # accounting = updated (0) Sent Accounting-Response Id 60 from 10.101.0.20:1813 to 10.100.0.50:1646 length 0 (0) Finished request (0) Cleaning up request packet ID 60 with timestamp +3 Ready to process requests (1) Received Access-Request Id 0 from 127.0.0.1:48058 to 127.0.0.1:1812 length 142 (1) User-Name = "anonymous_test" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02a1001301616e6f6e796d6f75735f74657374 (1) Message-Authenticator = 0x63e0215c3759e15af3f8b2b777ce8370 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 161 length 19 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Auth-Type eap { (1) eap: Peer sent packet with method EAP Identity (1) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Initiating new TLS session (1) eap_ttls: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 162 length 6 (1) eap: EAP session adding &reply:State = 0x594837c159ea227a (1) [eap] = handled (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) attr_filter.access_challenge: EXPAND %{User-Name} (1) attr_filter.access_challenge: --> anonymous_test (1) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (1) [attr_filter.access_challenge.post-auth] = updated (1) [handled] = handled (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (1) } # Auth-Type eap = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (1) EAP-Message = 0x01a200061520 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x594837c159ea227a35f4296c6c550caa (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 1 from 127.0.0.1:48058 to 127.0.0.1:1812 length 343 (2) User-Name = "anonymous_test" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02a200ca150016030100bf010000bb03037526679cd3ccd5346e9ffc32b3a61bc85036d03f f978485f54af4c4c4713eef2000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac0 14c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b0067003900 33c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e001900 180016000000170000000d002600240403050306030807080808090804080a0805080b080604 01050106010303030102030201 (2) State = 0x594837c159ea227a35f4296c6c550caa (2) Message-Authenticator = 0xa2ab78a30c2fd4c0b1e73fbaaa7c1007 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 162 length 202 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type eap { (2) eap: Expiring EAP session with state 0x594837c159ea227a (2) eap: Finished EAP session with state 0x594837c159ea227a (2) eap: Previous EAP request found for state 0x594837c159ea227a, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Got final TLS record fragment (196 bytes) (2) eap_ttls: WARNING: Total received TLS record fragments (196 bytes), does not equal indicated TLS record length (0 bytes) (2) eap_ttls: [eaptls verify] = ok (2) eap_ttls: Done initial handshake (2) eap_ttls: (other): before SSL initialization (2) eap_ttls: TLS_accept: before SSL initialization (2) eap_ttls: TLS_accept: before SSL initialization (2) eap_ttls: <<< recv TLS 1.3 [length 00bf] (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello (2) eap_ttls: >>> send TLS 1.2 [length 003d] (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello (2) eap_ttls: >>> send TLS 1.2 [length 08e9] (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate (2) eap_ttls: >>> send TLS 1.2 [length 014d] (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (2) eap_ttls: >>> send TLS 1.2 [length 0004] (2) eap_ttls: TLS_accept: SSLv3/TLS write server done (2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_ttls: TLS - In Handshake Phase (2) eap_ttls: TLS - got 2699 bytes of data (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 163 length 1014 (2) eap: EAP session adding &reply:State = 0x594837c158eb227a (2) [eap] = handled (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) EXPAND Response-Packet-Type (2) --> Access-Challenge (2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) attr_filter.access_challenge: EXPAND %{User-Name} (2) attr_filter.access_challenge: --> anonymous_test (2) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (2) [attr_filter.access_challenge.post-auth] = updated (2) [handled] = handled (2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (2) } # Auth-Type eap = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (2) EAP-Message = 0x01a303f615c000000a8b160303003d020000390303ce7f5bed68f2bdab8d4c8b7ee830f975 965fb3242093f407d9b7f3798ed45b2000c030000011ff01000100000b000403000102001700 0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86 4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261 646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861 6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c 652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135 5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306 0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x594837c158eb227a35f4296c6c550caa (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 2 from 127.0.0.1:48058 to 127.0.0.1:1812 length 147 (3) User-Name = "anonymous_test" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02a300061500 (3) State = 0x594837c158eb227a35f4296c6c550caa (3) Message-Authenticator = 0x0281d393c2571ae6091802af7143b0ed (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 163 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Auth-Type eap { (3) eap: Expiring EAP session with state 0x594837c158eb227a (3) eap: Finished EAP session with state 0x594837c158eb227a (3) eap: Previous EAP request found for state 0x594837c158eb227a, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 164 length 1014 (3) eap: EAP session adding &reply:State = 0x594837c15bec227a (3) [eap] = handled (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) EXPAND Response-Packet-Type (3) --> Access-Challenge (3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) attr_filter.access_challenge: EXPAND %{User-Name} (3) attr_filter.access_challenge: --> anonymous_test (3) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (3) [attr_filter.access_challenge.post-auth] = updated (3) [handled] = handled (3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (3) } # Auth-Type eap = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (3) EAP-Message = 0x01a403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91 d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8 62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b 83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06 035504080c065261646975733112301006035504070c09536f6d657768657265311530130603 55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69 6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966 696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038 30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261 646975733112301006035504070c09536f6d65776865726531153013060355040a0c (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x594837c15bec227a35f4296c6c550caa (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 3 from 127.0.0.1:48058 to 127.0.0.1:1812 length 147 (4) User-Name = "anonymous_test" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02a400061500 (4) State = 0x594837c15bec227a35f4296c6c550caa (4) Message-Authenticator = 0x12aad93ece4c588ec719216bbaecd7fb (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 164 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Auth-Type eap { (4) eap: Expiring EAP session with state 0x594837c15bec227a (4) eap: Finished EAP session with state 0x594837c15bec227a (4) eap: Previous EAP request found for state 0x594837c15bec227a, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: Peer ACKed our handshake fragment (4) eap_ttls: [eaptls verify] = request (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 165 length 701 (4) eap: EAP session adding &reply:State = 0x594837c15aed227a (4) [eap] = handled (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) EXPAND Response-Packet-Type (4) --> Access-Challenge (4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) attr_filter.access_challenge: EXPAND %{User-Name} (4) attr_filter.access_challenge: --> anonymous_test (4) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (4) [attr_filter.access_challenge.post-auth] = updated (4) [handled] = handled (4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (4) } # Auth-Type eap = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (4) EAP-Message = 0x01a502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029 a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e 63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14 2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4 5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5 7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973 4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759 b33199019e7d482f8786044516160303014d0c000149030017410489b770c1cc2ded (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x594837c15aed227a35f4296c6c550caa (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 4 from 127.0.0.1:48058 to 127.0.0.1:1812 length 273 (5) User-Name = "anonymous_test" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02a500841500160303004610000042410490f5fd271b8155492b8cd225df9a917c58da15b7 53f67fd3321719ee5bc61ec5d7dcc4344910224de589c074295c7725827083aa2533f613f392 603ac84822891403030001011603030028297482347c2337f8e1cd6ab9e31cc6bcb3d37932cb 7cf4dbf7e728729f98c928414c9b895270d9c5 (5) State = 0x594837c15aed227a35f4296c6c550caa (5) Message-Authenticator = 0xdbe58d4e8258b430621002f6a1cde860 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 165 length 132 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Auth-Type eap { (5) eap: Expiring EAP session with state 0x594837c15aed227a (5) eap: Finished EAP session with state 0x594837c15aed227a (5) eap: Previous EAP request found for state 0x594837c15aed227a, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: TLS_accept: SSLv3/TLS write server done (5) eap_ttls: <<< recv TLS 1.2 [length 0046] (5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (5) eap_ttls: <<< recv TLS 1.2 [length 0010] (5) eap_ttls: TLS_accept: SSLv3/TLS read finished (5) eap_ttls: >>> send TLS 1.2 [length 0001] (5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (5) eap_ttls: >>> send TLS 1.2 [length 0010] (5) eap_ttls: TLS_accept: SSLv3/TLS write finished (5) eap_ttls: (other): SSL negotiation finished successfully (5) eap_ttls: TLS - Connection Established (5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_ttls: TLS-Session-Version = "TLS 1.2" (5) eap_ttls: TLS - got 51 bytes of data (5) eap_ttls: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 166 length 61 (5) eap: EAP session adding &reply:State = 0x594837c15dee227a (5) [eap] = handled (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) EXPAND Response-Packet-Type (5) --> Access-Challenge (5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) attr_filter.access_challenge: EXPAND %{User-Name} (5) attr_filter.access_challenge: --> anonymous_test (5) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (5) [attr_filter.access_challenge.post-auth] = updated (5) [handled] = handled (5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (5) } # Auth-Type eap = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (5) EAP-Message = 0x01a6003d158000000033140303000101160303002868a7ea5e693524f968d02ec14fd7cb5a 629fbd3ff3d28e4a1fee62533733003052e86c7f2303bc2c (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x594837c15dee227a35f4296c6c550caa (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 5 from 127.0.0.1:48058 to 127.0.0.1:1812 length 212 (6) User-Name = "anonymous_test" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x02a600471500170303003c297482347c2337f99ae8244b354c6918951f0f3bde4cd3a1631f 568103bb1527d53de82d2d036cc96b994d91266bfc523eab035954577cc893219d7c (6) State = 0x594837c15dee227a35f4296c6c550caa (6) Message-Authenticator = 0x6aa1c90905881534f18620852003faf3 (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 166 length 71 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Auth-Type eap { (6) eap: Expiring EAP session with state 0x594837c15dee227a (6) eap: Finished EAP session with state 0x594837c15dee227a (6) eap: Previous EAP request found for state 0x594837c15dee227a, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: [eaptls verify] = ok (6) eap_ttls: Done initial handshake (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "test" (6) eap_ttls: User-Password = "testing" (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "test" (6) User-Password = "testing" (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) Event-Timestamp = "Jul 25 2022 18:15:48 CEST" (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "test", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) [eap] = noop (6) files: users: Matched entry test at line 1 (6) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name} (6) files: --> tu as reussi avec et en etant test (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = updated (6) } # authorize = updated (6) Found Auth-Type = PAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) Auth-Type PAP { (6) pap: Login attempt with password (6) pap: Comparing with "known good" Cleartext-Password (6) pap: User authenticated successfully (6) [pap] = ok (6) } # Auth-Type PAP = ok (6) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (6) post-auth { (6) if (0) { (6) if (0) -> FALSE (6) } # post-auth = noop (6) Login OK: [test] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel) (6) } # server inner-tunnel (6) Virtual server sending reply (6) Reply-Message = "tu as reussi avec et en etant test" (6) eap_ttls: Got tunneled Access-Accept (6) eap: Sending EAP Success (code 3) ID 166 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (6) } # Auth-Type eap = ok (6) # Executing section post-auth from file /etc/raddb/sites-enabled/default (6) post-auth { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (6) update { (6) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (6) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # post-auth = noop (6) Login OK: [anonymous_test] (from client localhost port 0 cli 02-00-00-00-00-01) (6) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0 (6) MS-MPPE-Recv-Key = 0xe14135f14a872f650673a7f048b96e42d97e94269c4c9c764cc8957057a9f70a (6) MS-MPPE-Send-Key = 0x196c96bc3d4308ae0bd2fe7ba2292a4008232c68960bbc67658a13bb966e74fd (6) EAP-Message = 0x03a60004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) User-Name = "anonymous_test" (6) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 0 with timestamp +11 (2) Cleaning up request packet ID 1 with timestamp +11 (3) Cleaning up request packet ID 2 with timestamp +11 (4) Cleaning up request packet ID 3 with timestamp +11 (5) Cleaning up request packet ID 4 with timestamp +11 (6) Cleaning up request packet ID 5 with timestamp +11 Ready to process requests (7) Received Access-Request Id 181 from 10.100.0.50:1645 to 10.101.0.20:1812 length 204 (7) User-Name = "anonymous" (7) Service-Type = Framed-User (7) Framed-MTU = 1500 (7) Called-Station-Id = "24-01-C7-8E-84-86" (7) Calling-Station-Id = "74-78-27-1B-F2-78" (7) EAP-Message = 0x0201000e01616e6f6e796d6f7573 (7) Message-Authenticator = 0x55c09e83405ccf67b9c08d1e70ac4b1d (7) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898" (7) NAS-Port-Type = Ethernet (7) NAS-Port = 50006 (7) NAS-Port-Id = "GigabitEthernet0/6" (7) NAS-IP-Address = 10.100.0.50 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 1 length 14 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Auth-Type eap { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Initiating new TLS session (7) eap_ttls: [eaptls start] = request (7) eap: Sending EAP Request (code 1) ID 2 length 6 (7) eap: EAP session adding &reply:State = 0x1aff00fb1afd150b (7) [eap] = handled (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) EXPAND Response-Packet-Type (7) --> Access-Challenge (7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) attr_filter.access_challenge: EXPAND %{User-Name} (7) attr_filter.access_challenge: --> anonymous (7) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (7) [attr_filter.access_challenge.post-auth] = updated (7) [handled] = handled (7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (7) } # Auth-Type eap = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 181 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (7) EAP-Message = 0x010200061520 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x1aff00fb1afd150bdec157b3b6aa7742 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 182 from 10.100.0.50:1645 to 10.101.0.20:1812 length 380 (8) User-Name = "anonymous" (8) Service-Type = Framed-User (8) Framed-MTU = 1500 (8) Called-Station-Id = "24-01-C7-8E-84-86" (8) Calling-Station-Id = "74-78-27-1B-F2-78" (8) EAP-Message = 0x020200ac1580000000a2160303009d01000099030362dec1cb4de29748aa3f666036d19548 5065509be2151045e5ff5ad25a8dc96f00002ac02cc02bc030c02f009f009ec024c023c028c0 27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a 00080006001d00170018000b00020100000d001a001808040805080604010501020104030503 02030202060106030023000000170000ff01000100 (8) Message-Authenticator = 0xf4be43381cba5bcb881815edb82aaedc (8) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898" (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50006 (8) NAS-Port-Id = "GigabitEthernet0/6" (8) State = 0x1aff00fb1afd150bdec157b3b6aa7742 (8) NAS-IP-Address = 10.100.0.50 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 2 length 172 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Auth-Type eap { (8) eap: Expiring EAP session with state 0x1aff00fb1afd150b (8) eap: Finished EAP session with state 0x1aff00fb1afd150b (8) eap: Previous EAP request found for state 0x1aff00fb1afd150b, released from the list (8) eap: Peer sent packet with method EAP TTLS (21) (8) eap: Calling submodule eap_ttls to process data (8) eap_ttls: Authenticate (8) eap_ttls: Continuing EAP-TLS (8) eap_ttls: Peer indicated complete TLS record size will be 162 bytes (8) eap_ttls: Got complete TLS record (162 bytes) (8) eap_ttls: [eaptls verify] = length included (8) eap_ttls: (other): before SSL initialization (8) eap_ttls: TLS_accept: before SSL initialization (8) eap_ttls: TLS_accept: before SSL initialization (8) eap_ttls: <<< recv TLS 1.3 [length 009d] (8) eap_ttls: TLS_accept: SSLv3/TLS read client hello (8) eap_ttls: >>> send TLS 1.2 [length 003d] (8) eap_ttls: TLS_accept: SSLv3/TLS write server hello (8) eap_ttls: >>> send TLS 1.2 [length 08e9] (8) eap_ttls: TLS_accept: SSLv3/TLS write certificate (8) eap_ttls: >>> send TLS 1.2 [length 014d] (8) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (8) eap_ttls: >>> send TLS 1.2 [length 0004] (8) eap_ttls: TLS_accept: SSLv3/TLS write server done (8) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (8) eap_ttls: TLS - In Handshake Phase (8) eap_ttls: TLS - got 2699 bytes of data (8) eap_ttls: [eaptls process] = handled (8) eap: Sending EAP Request (code 1) ID 3 length 1014 (8) eap: EAP session adding &reply:State = 0x1aff00fb1bfc150b (8) [eap] = handled (8) if (handled && (Response-Packet-Type == Access-Challenge)) { (8) EXPAND Response-Packet-Type (8) --> Access-Challenge (8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (8) if (handled && (Response-Packet-Type == Access-Challenge)) { (8) attr_filter.access_challenge: EXPAND %{User-Name} (8) attr_filter.access_challenge: --> anonymous (8) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (8) [attr_filter.access_challenge.post-auth] = updated (8) [handled] = handled (8) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (8) } # Auth-Type eap = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 182 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (8) EAP-Message = 0x010303f615c000000a8b160303003d020000390303dc012d9023dc1e70f151f05ebf2e358c 66de5ac2dc909c71b3ff934c6deeb0bb00c030000011ff01000100000b000403000102001700 0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86 4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261 646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861 6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c 652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135 5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306 0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x1aff00fb1bfc150bdec157b3b6aa7742 (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 183 from 10.100.0.50:1645 to 10.101.0.20:1812 length 214 (9) User-Name = "anonymous" (9) Service-Type = Framed-User (9) Framed-MTU = 1500 (9) Called-Station-Id = "24-01-C7-8E-84-86" (9) Calling-Station-Id = "74-78-27-1B-F2-78" (9) EAP-Message = 0x020300061500 (9) Message-Authenticator = 0x27fa8829f5e4cbd6c0703ff10396bd50 (9) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898" (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50006 (9) NAS-Port-Id = "GigabitEthernet0/6" (9) State = 0x1aff00fb1bfc150bdec157b3b6aa7742 (9) NAS-IP-Address = 10.100.0.50 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 3 length 6 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Auth-Type eap { (9) eap: Expiring EAP session with state 0x1aff00fb1bfc150b (9) eap: Finished EAP session with state 0x1aff00fb1bfc150b (9) eap: Previous EAP request found for state 0x1aff00fb1bfc150b, released from the list (9) eap: Peer sent packet with method EAP TTLS (21) (9) eap: Calling submodule eap_ttls to process data (9) eap_ttls: Authenticate (9) eap_ttls: Continuing EAP-TLS (9) eap_ttls: Peer ACKed our handshake fragment (9) eap_ttls: [eaptls verify] = request (9) eap_ttls: [eaptls process] = handled (9) eap: Sending EAP Request (code 1) ID 4 length 1014 (9) eap: EAP session adding &reply:State = 0x1aff00fb18fb150b (9) [eap] = handled (9) if (handled && (Response-Packet-Type == Access-Challenge)) { (9) EXPAND Response-Packet-Type (9) --> Access-Challenge (9) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (9) if (handled && (Response-Packet-Type == Access-Challenge)) { (9) attr_filter.access_challenge: EXPAND %{User-Name} (9) attr_filter.access_challenge: --> anonymous (9) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (9) [attr_filter.access_challenge.post-auth] = updated (9) [handled] = handled (9) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (9) } # Auth-Type eap = handled (9) Using Post-Auth-Type Challenge (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Challenge { ... } # empty sub-section is ignored (9) Sent Access-Challenge Id 183 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (9) EAP-Message = 0x010403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91 d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8 62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b 83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06 035504080c065261646975733112301006035504070c09536f6d657768657265311530130603 55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69 6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966 696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038 30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261 646975733112301006035504070c09536f6d65776865726531153013060355040a0c (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x1aff00fb18fb150bdec157b3b6aa7742 (9) Finished request Waking up in 4.9 seconds. (10) Received Access-Request Id 184 from 10.100.0.50:1645 to 10.101.0.20:1812 length 214 (10) User-Name = "anonymous" (10) Service-Type = Framed-User (10) Framed-MTU = 1500 (10) Called-Station-Id = "24-01-C7-8E-84-86" (10) Calling-Station-Id = "74-78-27-1B-F2-78" (10) EAP-Message = 0x020400061500 (10) Message-Authenticator = 0xc343c114dc97c30f335f153612ee98ba (10) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898" (10) NAS-Port-Type = Ethernet (10) NAS-Port = 50006 (10) NAS-Port-Id = "GigabitEthernet0/6" (10) State = 0x1aff00fb18fb150bdec157b3b6aa7742 (10) NAS-IP-Address = 10.100.0.50 (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 4 length 6 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Auth-Type eap { (10) eap: Expiring EAP session with state 0x1aff00fb18fb150b (10) eap: Finished EAP session with state 0x1aff00fb18fb150b (10) eap: Previous EAP request found for state 0x1aff00fb18fb150b, released from the list (10) eap: Peer sent packet with method EAP TTLS (21) (10) eap: Calling submodule eap_ttls to process data (10) eap_ttls: Authenticate (10) eap_ttls: Continuing EAP-TLS (10) eap_ttls: Peer ACKed our handshake fragment (10) eap_ttls: [eaptls verify] = request (10) eap_ttls: [eaptls process] = handled (10) eap: Sending EAP Request (code 1) ID 5 length 701 (10) eap: EAP session adding &reply:State = 0x1aff00fb19fa150b (10) [eap] = handled (10) if (handled && (Response-Packet-Type == Access-Challenge)) { (10) EXPAND Response-Packet-Type (10) --> Access-Challenge (10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (10) if (handled && (Response-Packet-Type == Access-Challenge)) { (10) attr_filter.access_challenge: EXPAND %{User-Name} (10) attr_filter.access_challenge: --> anonymous (10) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (10) [attr_filter.access_challenge.post-auth] = updated (10) [handled] = handled (10) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (10) } # Auth-Type eap = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 184 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (10) EAP-Message = 0x010502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029 a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e 63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14 2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4 5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5 7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973 4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759 b33199019e7d482f8786044516160303014d0c0001490300174104ea71ea5eb3ce16 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x1aff00fb19fa150bdec157b3b6aa7742 (10) Finished request Waking up in 4.8 seconds. (11) Received Access-Request Id 185 from 10.100.0.50:1645 to 10.101.0.20:1812 length 344 (11) User-Name = "anonymous" (11) Service-Type = Framed-User (11) Framed-MTU = 1500 (11) Called-Station-Id = "24-01-C7-8E-84-86" (11) Calling-Station-Id = "74-78-27-1B-F2-78" (11) EAP-Message = 0x0205008815800000007e16030300461000004241041bafe37c8a64c35895a588b20bcfdef3 d2b1464ce4d5ae1c8e8e920de9406dc98f4a94b63bcd85a4cbbe35b06823f7cb4f7f6b7cb9ba 6c3f93273bbad00a32a214030300010116030300280000000000000000b2756332a6d5dece72 43e156997beb79b6e0890ac8bdf90da6ada1e3a02371ce (11) Message-Authenticator = 0x12631f913feb4471ab0fca288c0638f1 (11) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898" (11) NAS-Port-Type = Ethernet (11) NAS-Port = 50006 (11) NAS-Port-Id = "GigabitEthernet0/6" (11) State = 0x1aff00fb19fa150bdec157b3b6aa7742 (11) NAS-IP-Address = 10.100.0.50 (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 5 length 136 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Auth-Type eap { (11) eap: Expiring EAP session with state 0x1aff00fb19fa150b (11) eap: Finished EAP session with state 0x1aff00fb19fa150b (11) eap: Previous EAP request found for state 0x1aff00fb19fa150b, released from the list (11) eap: Peer sent packet with method EAP TTLS (21) (11) eap: Calling submodule eap_ttls to process data (11) eap_ttls: Authenticate (11) eap_ttls: Continuing EAP-TLS (11) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (11) eap_ttls: Got complete TLS record (126 bytes) (11) eap_ttls: [eaptls verify] = length included (11) eap_ttls: TLS_accept: SSLv3/TLS write server done (11) eap_ttls: <<< recv TLS 1.2 [length 0046] (11) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (11) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (11) eap_ttls: <<< recv TLS 1.2 [length 0010] (11) eap_ttls: TLS_accept: SSLv3/TLS read finished (11) eap_ttls: >>> send TLS 1.2 [length 0001] (11) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (11) eap_ttls: >>> send TLS 1.2 [length 0010] (11) eap_ttls: TLS_accept: SSLv3/TLS write finished (11) eap_ttls: (other): SSL negotiation finished successfully (11) eap_ttls: TLS - Connection Established (11) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) eap_ttls: TLS-Session-Version = "TLS 1.2" (11) eap_ttls: TLS - got 51 bytes of data (11) eap_ttls: [eaptls process] = handled (11) eap: Sending EAP Request (code 1) ID 6 length 61 (11) eap: EAP session adding &reply:State = 0x1aff00fb1ef9150b (11) [eap] = handled (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) EXPAND Response-Packet-Type (11) --> Access-Challenge (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) attr_filter.access_challenge: EXPAND %{User-Name} (11) attr_filter.access_challenge: --> anonymous (11) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (11) [attr_filter.access_challenge.post-auth] = updated (11) [handled] = handled (11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (11) } # Auth-Type eap = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) session-state: Saving cached attributes (11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) TLS-Session-Version = "TLS 1.2" (11) Sent Access-Challenge Id 185 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (11) EAP-Message = 0x0106003d158000000033140303000101160303002890e19eed4974783059ef0d676e70aab3 470cc68cadd1254943ddd9bbe1307ceed06dc7a28a15b4b1 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x1aff00fb1ef9150bdec157b3b6aa7742 (11) Finished request Waking up in 4.8 seconds. (7) Cleaning up request packet ID 181 with timestamp +35 (8) Cleaning up request packet ID 182 with timestamp +35 (9) Cleaning up request packet ID 183 with timestamp +35 (10) Cleaning up request packet ID 184 with timestamp +35 (11) Cleaning up request packet ID 185 with timestamp +35 Ready to process requests (12) Received Access-Request Id 186 from 10.100.0.50:1645 to 10.101.0.20:1812 length 194 (12) User-Name = "test" (12) Service-Type = Framed-User (12) Framed-MTU = 1500 (12) Called-Station-Id = "24-01-C7-8E-84-86" (12) Calling-Station-Id = "74-78-27-1B-F2-78" (12) EAP-Message = 0x020100090174657374 (12) Message-Authenticator = 0x5064878bed8665909256b735e175b2d4 (12) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (12) NAS-Port-Type = Ethernet (12) NAS-Port = 50006 (12) NAS-Port-Id = "GigabitEthernet0/6" (12) NAS-IP-Address = 10.100.0.50 (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "test", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 1 length 9 (12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Auth-Type eap { (12) eap: Peer sent packet with method EAP Identity (1) (12) eap: Calling submodule eap_ttls to process data (12) eap_ttls: Initiating new TLS session (12) eap_ttls: [eaptls start] = request (12) eap: Sending EAP Request (code 1) ID 2 length 6 (12) eap: EAP session adding &reply:State = 0x5709dc2c570bc95d (12) [eap] = handled (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) EXPAND Response-Packet-Type (12) --> Access-Challenge (12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) attr_filter.access_challenge: EXPAND %{User-Name} (12) attr_filter.access_challenge: --> test (12) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (12) [attr_filter.access_challenge.post-auth] = updated (12) [handled] = handled (12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (12) } # Auth-Type eap = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 186 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (12) EAP-Message = 0x010200061520 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x5709dc2c570bc95d080b76220813d0d4 (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 187 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209 (13) User-Name = "test" (13) Service-Type = Framed-User (13) Framed-MTU = 1500 (13) Called-Station-Id = "24-01-C7-8E-84-86" (13) Calling-Station-Id = "74-78-27-1B-F2-78" (13) EAP-Message = 0x020200060319 (13) Message-Authenticator = 0xde3e82b04cacf9575f36bb5d7da5a570 (13) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (13) NAS-Port-Type = Ethernet (13) NAS-Port = 50006 (13) NAS-Port-Id = "GigabitEthernet0/6" (13) State = 0x5709dc2c570bc95d080b76220813d0d4 (13) NAS-IP-Address = 10.100.0.50 (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "test", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 2 length 6 (13) eap: No EAP Start, assuming it's an on-going EAP conversation (13) [eap] = updated (13) } # authorize = updated (13) Found Auth-Type = eap (13) # Executing group from file /etc/raddb/sites-enabled/default (13) Auth-Type eap { (13) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (13) eap: Finished EAP session with state 0x5709dc2c570bc95d (13) eap: Previous EAP request found for state 0x5709dc2c570bc95d, released from the list (13) eap: Peer sent packet with method EAP NAK (3) (13) eap: Found mutually acceptable type PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Initiating new TLS session (13) eap_peap: [eaptls start] = request (13) eap: Sending EAP Request (code 1) ID 3 length 6 (13) eap: EAP session adding &reply:State = 0x5709dc2c560ac55d (13) [eap] = handled (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) EXPAND Response-Packet-Type (13) --> Access-Challenge (13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) attr_filter.access_challenge: EXPAND %{User-Name} (13) attr_filter.access_challenge: --> test (13) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (13) [attr_filter.access_challenge.post-auth] = updated (13) [handled] = handled (13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (13) } # Auth-Type eap = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/raddb/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 187 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (13) EAP-Message = 0x010300061920 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x5709dc2c560ac55d080b76220813d0d4 (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 188 from 10.100.0.50:1645 to 10.101.0.20:1812 length 375 (14) User-Name = "test" (14) Service-Type = Framed-User (14) Framed-MTU = 1500 (14) Called-Station-Id = "24-01-C7-8E-84-86" (14) Calling-Station-Id = "74-78-27-1B-F2-78" (14) EAP-Message = 0x020300ac1980000000a2160303009d01000099030362dec1e8bb336220b36115a2f152d4ff bda23da4d62a4b3a3dd2d90243cfb65500002ac02cc02bc030c02f009f009ec024c023c028c0 27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a 00080006001d00170018000b00020100000d001a001808040805080604010501020104030503 02030202060106030023000000170000ff01000100 (14) Message-Authenticator = 0x723199c45f61b638f39acfd1af4ef706 (14) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (14) NAS-Port-Type = Ethernet (14) NAS-Port = 50006 (14) NAS-Port-Id = "GigabitEthernet0/6" (14) State = 0x5709dc2c560ac55d080b76220813d0d4 (14) NAS-IP-Address = 10.100.0.50 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "test", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 3 length 172 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Auth-Type eap { (14) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (14) eap: Finished EAP session with state 0x5709dc2c560ac55d (14) eap: Previous EAP request found for state 0x5709dc2c560ac55d, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 162 bytes (14) eap_peap: Got complete TLS record (162 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: (other): before SSL initialization (14) eap_peap: TLS_accept: before SSL initialization (14) eap_peap: TLS_accept: before SSL initialization (14) eap_peap: <<< recv TLS 1.3 [length 009d] (14) eap_peap: TLS_accept: SSLv3/TLS read client hello (14) eap_peap: >>> send TLS 1.2 [length 003d] (14) eap_peap: TLS_accept: SSLv3/TLS write server hello (14) eap_peap: >>> send TLS 1.2 [length 08e9] (14) eap_peap: TLS_accept: SSLv3/TLS write certificate (14) eap_peap: >>> send TLS 1.2 [length 014d] (14) eap_peap: TLS_accept: SSLv3/TLS write key exchange (14) eap_peap: >>> send TLS 1.2 [length 0004] (14) eap_peap: TLS_accept: SSLv3/TLS write server done (14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (14) eap_peap: TLS - In Handshake Phase (14) eap_peap: TLS - got 2699 bytes of data (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 4 length 1014 (14) eap: EAP session adding &reply:State = 0x5709dc2c550dc55d (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> test (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 188 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (14) EAP-Message = 0x010403f619c000000a8b160303003d020000390303e63773a6f4e7998fe2174245b1361d9d 6235d691817e1c0537491a129c815c5e00c030000011ff01000100000b000403000102001700 0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86 4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261 646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861 6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c 652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135 5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306 0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x5709dc2c550dc55d080b76220813d0d4 (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 189 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209 (15) User-Name = "test" (15) Service-Type = Framed-User (15) Framed-MTU = 1500 (15) Called-Station-Id = "24-01-C7-8E-84-86" (15) Calling-Station-Id = "74-78-27-1B-F2-78" (15) EAP-Message = 0x020400061900 (15) Message-Authenticator = 0x5c6dceb7d89b74812695116e8c825b77 (15) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (15) NAS-Port-Type = Ethernet (15) NAS-Port = 50006 (15) NAS-Port-Id = "GigabitEthernet0/6" (15) State = 0x5709dc2c550dc55d080b76220813d0d4 (15) NAS-IP-Address = 10.100.0.50 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/raddb/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "test", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 4 length 6 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/raddb/sites-enabled/default (15) Auth-Type eap { (15) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (15) eap: Finished EAP session with state 0x5709dc2c550dc55d (15) eap: Previous EAP request found for state 0x5709dc2c550dc55d, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer ACKed our handshake fragment (15) eap_peap: [eaptls verify] = request (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 5 length 1010 (15) eap: EAP session adding &reply:State = 0x5709dc2c540cc55d (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> test (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/raddb/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 189 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (15) EAP-Message = 0x010503f219402191b630136f9c3efec0d255f3b83b044d67821de971742e781d91d550b267 675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd862dd0004 fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b83f0300d 06092a864886f70d01010b0500308193310b3009060355040613024652310f300d0603550408 0c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c 0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578 616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174 6520417574686f72697479301e170d3232303630373133353631355a170d3232303830363133 353631355a308193310b3009060355040613024652310f300d06035504080c06526164697573 3112301006035504070c09536f6d65776865726531153013060355040a0c0c457861 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x5709dc2c540cc55d080b76220813d0d4 (15) Finished request Waking up in 4.9 seconds. (16) Received Access-Request Id 190 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209 (16) User-Name = "test" (16) Service-Type = Framed-User (16) Framed-MTU = 1500 (16) Called-Station-Id = "24-01-C7-8E-84-86" (16) Calling-Station-Id = "74-78-27-1B-F2-78" (16) EAP-Message = 0x020500061900 (16) Message-Authenticator = 0x338407f535f332f0091f8b6a8546c39a (16) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (16) NAS-Port-Type = Ethernet (16) NAS-Port = 50006 (16) NAS-Port-Id = "GigabitEthernet0/6" (16) State = 0x5709dc2c540cc55d080b76220813d0d4 (16) NAS-IP-Address = 10.100.0.50 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/raddb/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "test", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 5 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/raddb/sites-enabled/default (16) Auth-Type eap { (16) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (16) eap: Finished EAP session with state 0x5709dc2c540cc55d (16) eap: Previous EAP request found for state 0x5709dc2c540cc55d, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer ACKed our handshake fragment (16) eap_peap: [eaptls verify] = request (16) eap_peap: [eaptls process] = handled (16) eap: Sending EAP Request (code 1) ID 6 length 697 (16) eap: EAP session adding &reply:State = 0x5709dc2c530fc55d (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> test (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/raddb/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 190 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (16) EAP-Message = 0x010602b919001d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625 687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c30 0d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d142dea0f64 ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabacdf1f473b 35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee45ad98a87 9609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f57a3c4654 49fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb9734ad96157 81be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdbc7942c0d 7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759b3319901 9e7d482f8786044516160303014d0c00014903001741045122cc6a47b169b7a16ff1 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x5709dc2c530fc55d080b76220813d0d4 (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 191 from 10.100.0.50:1645 to 10.101.0.20:1812 length 339 (17) User-Name = "test" (17) Service-Type = Framed-User (17) Framed-MTU = 1500 (17) Called-Station-Id = "24-01-C7-8E-84-86" (17) Calling-Station-Id = "74-78-27-1B-F2-78" (17) EAP-Message = 0x0206008819800000007e160303004610000042410446771ce3728af651ce38b33f2dbad2de 2ec1398220b2deca4e147610a28845f811a15650a23e9c2d6cda8703a81d827e6d5c3335a7ad ed1f9348bed6398856db140303000101160303002800000000000000006467b41f8f49082292 2783c45df9e0ab3f5f3ee2d6b27ac824a0291d83fc0cbb (17) Message-Authenticator = 0x9881bcce42caeb449d1792b76c542650 (17) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (17) NAS-Port-Type = Ethernet (17) NAS-Port = 50006 (17) NAS-Port-Id = "GigabitEthernet0/6" (17) State = 0x5709dc2c530fc55d080b76220813d0d4 (17) NAS-IP-Address = 10.100.0.50 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/raddb/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "test", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 6 length 136 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/default (17) Auth-Type eap { (17) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (17) eap: Finished EAP session with state 0x5709dc2c530fc55d (17) eap: Previous EAP request found for state 0x5709dc2c530fc55d, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: Peer indicated complete TLS record size will be 126 bytes (17) eap_peap: Got complete TLS record (126 bytes) (17) eap_peap: [eaptls verify] = length included (17) eap_peap: TLS_accept: SSLv3/TLS write server done (17) eap_peap: <<< recv TLS 1.2 [length 0046] (17) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (17) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (17) eap_peap: <<< recv TLS 1.2 [length 0010] (17) eap_peap: TLS_accept: SSLv3/TLS read finished (17) eap_peap: >>> send TLS 1.2 [length 0001] (17) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (17) eap_peap: >>> send TLS 1.2 [length 0010] (17) eap_peap: TLS_accept: SSLv3/TLS write finished (17) eap_peap: (other): SSL negotiation finished successfully (17) eap_peap: TLS - Connection Established (17) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) eap_peap: TLS-Session-Version = "TLS 1.2" (17) eap_peap: TLS - got 51 bytes of data (17) eap_peap: [eaptls process] = handled (17) eap: Sending EAP Request (code 1) ID 7 length 57 (17) eap: EAP session adding &reply:State = 0x5709dc2c520ec55d (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> test (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/raddb/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) session-state: Saving cached attributes (17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) TLS-Session-Version = "TLS 1.2" (17) Sent Access-Challenge Id 191 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (17) EAP-Message = 0x01070039190014030300010116030300285bc3632e6b443560a1c7f7fcfd4d4dce83eb70b6 a001d27389578382a78d0283e43c7e8969d6f3ba (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x5709dc2c520ec55d080b76220813d0d4 (17) Finished request Waking up in 4.8 seconds. (18) Received Access-Request Id 192 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209 (18) User-Name = "test" (18) Service-Type = Framed-User (18) Framed-MTU = 1500 (18) Called-Station-Id = "24-01-C7-8E-84-86" (18) Calling-Station-Id = "74-78-27-1B-F2-78" (18) EAP-Message = 0x020700061900 (18) Message-Authenticator = 0x33689c92606612b6d8b208e12717fd08 (18) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (18) NAS-Port-Type = Ethernet (18) NAS-Port = 50006 (18) NAS-Port-Id = "GigabitEthernet0/6" (18) State = 0x5709dc2c520ec55d080b76220813d0d4 (18) NAS-IP-Address = 10.100.0.50 (18) Restoring &session-state (18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) &session-state:TLS-Session-Version = "TLS 1.2" (18) # Executing section authorize from file /etc/raddb/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "test", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 7 length 6 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/default (18) Auth-Type eap { (18) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (18) eap: Finished EAP session with state 0x5709dc2c520ec55d (18) eap: Previous EAP request found for state 0x5709dc2c520ec55d, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: Peer ACKed our handshake fragment. handshake is finished (18) eap_peap: [eaptls verify] = success (18) eap_peap: [eaptls process] = success (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state TUNNEL ESTABLISHED (18) eap: Sending EAP Request (code 1) ID 8 length 40 (18) eap: EAP session adding &reply:State = 0x5709dc2c5101c55d (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> Access-Challenge (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) attr_filter.access_challenge: EXPAND %{User-Name} (18) attr_filter.access_challenge: --> test (18) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (18) [attr_filter.access_challenge.post-auth] = updated (18) [handled] = handled (18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (18) } # Auth-Type eap = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/raddb/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) session-state: Saving cached attributes (18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) TLS-Session-Version = "TLS 1.2" (18) Sent Access-Challenge Id 192 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (18) EAP-Message = 0x010800281900170303001d5bc3632e6b443561fcf82593fda17abbf449f59d02196666fae6 9cf929 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x5709dc2c5101c55d080b76220813d0d4 (18) Finished request Waking up in 2.1 seconds. (19) Received Access-Request Id 193 from 10.100.0.50:1645 to 10.101.0.20:1812 length 243 (19) User-Name = "test" (19) Service-Type = Framed-User (19) Framed-MTU = 1500 (19) Called-Station-Id = "24-01-C7-8E-84-86" (19) Calling-Station-Id = "74-78-27-1B-F2-78" (19) EAP-Message = 0x020800281900170303001d0000000000000001f4b75ef3c9c70e7de845b7ad53435ce649bc e97bd6 (19) Message-Authenticator = 0xdd6a472f02ab76bc724223ac8592f303 (19) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (19) NAS-Port-Type = Ethernet (19) NAS-Port = 50006 (19) NAS-Port-Id = "GigabitEthernet0/6" (19) State = 0x5709dc2c5101c55d080b76220813d0d4 (19) NAS-IP-Address = 10.100.0.50 (19) Restoring &session-state (19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) &session-state:TLS-Session-Version = "TLS 1.2" (19) # Executing section authorize from file /etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "test", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 8 length 40 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/raddb/sites-enabled/default (19) Auth-Type eap { (19) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (19) eap: Finished EAP session with state 0x5709dc2c5101c55d (19) eap: Previous EAP request found for state 0x5709dc2c5101c55d, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state WAITING FOR INNER IDENTITY (19) eap_peap: Identity - test (19) eap_peap: Got inner identity 'test' (19) eap_peap: Setting default EAP type for tunneled EAP session (19) eap_peap: Got tunneled request (19) eap_peap: EAP-Message = 0x020800090174657374 (19) eap_peap: Setting User-Name to test (19) eap_peap: Sending tunneled request to inner-tunnel (19) eap_peap: EAP-Message = 0x020800090174657374 (19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (19) eap_peap: User-Name = "test" (19) Virtual server inner-tunnel received request (19) EAP-Message = 0x020800090174657374 (19) FreeRADIUS-Proxied-To = 127.0.0.1 (19) User-Name = "test" (19) WARNING: Outer and inner identities are the same. User privacy is compromised. (19) server inner-tunnel { (19) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [chap] = noop (19) [mschap] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "test", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) update control { (19) &Proxy-To-Realm := LOCAL (19) } # update control = noop (19) eap: Peer sent EAP Response (code 2) ID 8 length 9 (19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (19) authenticate { (19) eap: Peer sent packet with method EAP Identity (1) (19) eap: Calling submodule eap_mschapv2 to process data (19) eap_mschapv2: Issuing Challenge (19) eap: Sending EAP Request (code 1) ID 9 length 43 (19) eap: EAP session adding &reply:State = 0xc8f1f8bdc8f8e24d (19) [eap] = handled (19) } # authenticate = handled (19) } # server inner-tunnel (19) Virtual server sending reply (19) EAP-Message = 0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d 332e302e3230 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0xc8f1f8bdc8f8e24d226d055121876240 (19) eap_peap: Got tunneled reply code 11 (19) eap_peap: EAP-Message = 0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d 332e302e3230 (19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240 (19) eap_peap: Got tunneled reply RADIUS code 11 (19) eap_peap: EAP-Message = 0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d 332e302e3230 (19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240 (19) eap_peap: Got tunneled Access-Challenge (19) eap: Sending EAP Request (code 1) ID 9 length 74 (19) eap: EAP session adding &reply:State = 0x5709dc2c5000c55d (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> Access-Challenge (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) attr_filter.access_challenge: EXPAND %{User-Name} (19) attr_filter.access_challenge: --> test (19) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (19) [attr_filter.access_challenge.post-auth] = updated (19) [handled] = handled (19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (19) } # Auth-Type eap = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /etc/raddb/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) session-state: Saving cached attributes (19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) TLS-Session-Version = "TLS 1.2" (19) Sent Access-Challenge Id 193 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (19) EAP-Message = 0x0109004a1900170303003f5bc3632e6b4435625e5c5051af7c363be95d4ee4f3f3b7ac445d 1ecac6abc90cb5263d48732e332fae270276b7d924f672cc1b74d6916b68c2e03e7ebe1975 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x5709dc2c5000c55d080b76220813d0d4 (19) Finished request Waking up in 2.0 seconds. (20) Received Access-Request Id 194 from 10.100.0.50:1645 to 10.101.0.20:1812 length 297 (20) User-Name = "test" (20) Service-Type = Framed-User (20) Framed-MTU = 1500 (20) Called-Station-Id = "24-01-C7-8E-84-86" (20) Calling-Station-Id = "74-78-27-1B-F2-78" (20) EAP-Message = 0x0209005e19001703030053000000000000000267df274f7aba3c388821a73daf611375d9d7 2eef18a2029801924010afde0f8c56c84035beb392c5d720651c2253091340fa76a3f6a37152 3b42fb59bacd4ff5ff77aa734d8f4abc3bfe4c (20) Message-Authenticator = 0xdd9df03d48297b3c9942e21f2b832e07 (20) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (20) NAS-Port-Type = Ethernet (20) NAS-Port = 50006 (20) NAS-Port-Id = "GigabitEthernet0/6" (20) State = 0x5709dc2c5000c55d080b76220813d0d4 (20) NAS-IP-Address = 10.100.0.50 (20) Restoring &session-state (20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) &session-state:TLS-Session-Version = "TLS 1.2" (20) # Executing section authorize from file /etc/raddb/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "test", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 9 length 94 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/raddb/sites-enabled/default (20) Auth-Type eap { (20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (20) eap: Finished EAP session with state 0x5709dc2c5000c55d (20) eap: Previous EAP request found for state 0x5709dc2c5000c55d, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: [eaptls verify] = ok (20) eap_peap: Done initial handshake (20) eap_peap: [eaptls process] = ok (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state phase2 (20) eap_peap: EAP method MSCHAPv2 (26) (20) eap_peap: Got tunneled request (20) eap_peap: EAP-Message = 0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5 2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374 (20) eap_peap: Setting User-Name to test (20) eap_peap: Sending tunneled request to inner-tunnel (20) eap_peap: EAP-Message = 0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5 2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374 (20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (20) eap_peap: User-Name = "test" (20) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240 (20) Virtual server inner-tunnel received request (20) EAP-Message = 0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5 2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374 (20) FreeRADIUS-Proxied-To = 127.0.0.1 (20) User-Name = "test" (20) State = 0xc8f1f8bdc8f8e24d226d055121876240 (20) WARNING: Outer and inner identities are the same. User privacy is compromised. (20) server inner-tunnel { (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [chap] = noop (20) [mschap] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "test", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) update control { (20) &Proxy-To-Realm := LOCAL (20) } # update control = noop (20) eap: Peer sent EAP Response (code 2) ID 9 length 63 (20) eap: No EAP Start, assuming it's an on-going EAP conversation (20) [eap] = updated (20) files: users: Matched entry test at line 1 (20) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name} (20) files: --> tu as reussi avec et en etant test (20) [files] = ok (20) [expiration] = noop (20) [logintime] = noop (20) pap: WARNING: Auth-Type already set. Not setting to PAP (20) [pap] = noop (20) } # authorize = updated (20) Found Auth-Type = eap (20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (20) authenticate { (20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (20) eap: Finished EAP session with state 0xc8f1f8bdc8f8e24d (20) eap: Previous EAP request found for state 0xc8f1f8bdc8f8e24d, released from the list (20) eap: Peer sent packet with method EAP MSCHAPv2 (26) (20) eap: Calling submodule eap_mschapv2 to process data (20) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (20) eap_mschapv2: authenticate { (20) mschap: Found Cleartext-Password, hashing to create NT-Password (20) mschap: Creating challenge hash with username: test (20) mschap: Client is using MS-CHAPv2 (20) mschap: Adding MS-CHAPv2 MPPE keys (20) eap_mschapv2: [mschap] = ok (20) eap_mschapv2: } # authenticate = ok (20) eap_mschapv2: MSCHAP Success (20) eap: Sending EAP Request (code 1) ID 10 length 51 (20) eap: EAP session adding &reply:State = 0xc8f1f8bdc9fbe24d (20) [eap] = handled (20) } # authenticate = handled (20) } # server inner-tunnel (20) Virtual server sending reply (20) Reply-Message = "tu as reussi avec et en etant test" (20) EAP-Message = 0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336 3034393136433231333534313235 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0xc8f1f8bdc9fbe24d226d055121876240 (20) eap_peap: Got tunneled reply code 11 (20) eap_peap: Reply-Message = "tu as reussi avec et en etant test" (20) eap_peap: EAP-Message = 0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336 3034393136433231333534313235 (20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240 (20) eap_peap: Got tunneled reply RADIUS code 11 (20) eap_peap: Reply-Message = "tu as reussi avec et en etant test" (20) eap_peap: EAP-Message = 0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336 3034393136433231333534313235 (20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240 (20) eap_peap: Got tunneled Access-Challenge (20) eap: Sending EAP Request (code 1) ID 10 length 82 (20) eap: EAP session adding &reply:State = 0x5709dc2c5f03c55d (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> Access-Challenge (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) attr_filter.access_challenge: EXPAND %{User-Name} (20) attr_filter.access_challenge: --> test (20) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (20) [attr_filter.access_challenge.post-auth] = updated (20) [handled] = handled (20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (20) } # Auth-Type eap = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /etc/raddb/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) session-state: Saving cached attributes (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Sent Access-Challenge Id 194 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (20) EAP-Message = 0x010a0052190017030300475bc3632e6b443563bfdb8a34b1d033e80abaed0886740e922409 cc823028e6c31f02665c568a46c5f021df9853700a6be0d1b2248b9520ffad2833cdfccb681b bfefac58b6c6e8 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x5709dc2c5f03c55d080b76220813d0d4 (20) Finished request Waking up in 2.0 seconds. (21) Received Access-Request Id 195 from 10.100.0.50:1645 to 10.101.0.20:1812 length 240 (21) User-Name = "test" (21) Service-Type = Framed-User (21) Framed-MTU = 1500 (21) Called-Station-Id = "24-01-C7-8E-84-86" (21) Calling-Station-Id = "74-78-27-1B-F2-78" (21) EAP-Message = 0x020a00251900170303001a0000000000000003b7e4977bb2c798f1390f20f4c06d08798279 (21) Message-Authenticator = 0xc450ef4dd19f37f7ff7136f788d710b0 (21) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (21) NAS-Port-Type = Ethernet (21) NAS-Port = 50006 (21) NAS-Port-Id = "GigabitEthernet0/6" (21) State = 0x5709dc2c5f03c55d080b76220813d0d4 (21) NAS-IP-Address = 10.100.0.50 (21) Restoring &session-state (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/raddb/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) [chap] = noop (21) [mschap] = noop (21) [digest] = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "test", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) eap: Peer sent EAP Response (code 2) ID 10 length 37 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/raddb/sites-enabled/default (21) Auth-Type eap { (21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (21) eap: Finished EAP session with state 0x5709dc2c5f03c55d (21) eap: Previous EAP request found for state 0x5709dc2c5f03c55d, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: Continuing EAP-TLS (21) eap_peap: [eaptls verify] = ok (21) eap_peap: Done initial handshake (21) eap_peap: [eaptls process] = ok (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state phase2 (21) eap_peap: EAP method MSCHAPv2 (26) (21) eap_peap: Got tunneled request (21) eap_peap: EAP-Message = 0x020a00061a03 (21) eap_peap: Setting User-Name to test (21) eap_peap: Sending tunneled request to inner-tunnel (21) eap_peap: EAP-Message = 0x020a00061a03 (21) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (21) eap_peap: User-Name = "test" (21) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240 (21) Virtual server inner-tunnel received request (21) EAP-Message = 0x020a00061a03 (21) FreeRADIUS-Proxied-To = 127.0.0.1 (21) User-Name = "test" (21) State = 0xc8f1f8bdc9fbe24d226d055121876240 (21) WARNING: Outer and inner identities are the same. User privacy is compromised. (21) server inner-tunnel { (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [chap] = noop (21) [mschap] = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "test", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) update control { (21) &Proxy-To-Realm := LOCAL (21) } # update control = noop (21) eap: Peer sent EAP Response (code 2) ID 10 length 6 (21) eap: No EAP Start, assuming it's an on-going EAP conversation (21) [eap] = updated (21) files: users: Matched entry test at line 1 (21) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name} (21) files: --> tu as reussi avec et en etant test (21) [files] = ok (21) [expiration] = noop (21) [logintime] = noop (21) pap: WARNING: Auth-Type already set. Not setting to PAP (21) [pap] = noop (21) } # authorize = updated (21) Found Auth-Type = eap (21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (21) authenticate { (21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (21) eap: Finished EAP session with state 0xc8f1f8bdc9fbe24d (21) eap: Previous EAP request found for state 0xc8f1f8bdc9fbe24d, released from the list (21) eap: Peer sent packet with method EAP MSCHAPv2 (26) (21) eap: Calling submodule eap_mschapv2 to process data (21) eap: Sending EAP Success (code 3) ID 10 length 4 (21) eap: Freeing handler (21) [eap] = ok (21) } # authenticate = ok (21) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (21) post-auth { (21) if (0) { (21) if (0) -> FALSE (21) } # post-auth = noop (21) Login OK: [test] (from client swi_said_edward_p173 port 0 via TLS tunnel) (21) } # server inner-tunnel (21) Virtual server sending reply (21) Reply-Message = "tu as reussi avec et en etant test" (21) MS-MPPE-Encryption-Policy = Encryption-Allowed (21) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (21) MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81 (21) MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc (21) EAP-Message = 0x030a0004 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) User-Name = "test" (21) eap_peap: Got tunneled reply code 2 (21) eap_peap: Reply-Message = "tu as reussi avec et en etant test" (21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81 (21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc (21) eap_peap: EAP-Message = 0x030a0004 (21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (21) eap_peap: User-Name = "test" (21) eap_peap: Got tunneled reply RADIUS code 2 (21) eap_peap: Reply-Message = "tu as reussi avec et en etant test" (21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81 (21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc (21) eap_peap: EAP-Message = 0x030a0004 (21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (21) eap_peap: User-Name = "test" (21) eap_peap: Tunneled authentication was successful (21) eap_peap: SUCCESS (21) eap: Sending EAP Request (code 1) ID 11 length 46 (21) eap: EAP session adding &reply:State = 0x5709dc2c5e02c55d (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> test (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/raddb/sites-enabled/default (21) Challenge { ... } # empty sub-section is ignored (21) session-state: Saving cached attributes (21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) TLS-Session-Version = "TLS 1.2" (21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (21) EAP-Message = 0x010b002e190017030300235bc3632e6b443564d2723008ae0ef670403b61176bfb8668e1ff 44cb3c02f7217871f0 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x5709dc2c5e02c55d080b76220813d0d4 (21) Finished request Waking up in 2.0 seconds. (22) Received Access-Request Id 196 from 10.100.0.50:1645 to 10.101.0.20:1812 length 249 (22) User-Name = "test" (22) Service-Type = Framed-User (22) Framed-MTU = 1500 (22) Called-Station-Id = "24-01-C7-8E-84-86" (22) Calling-Station-Id = "74-78-27-1B-F2-78" (22) EAP-Message = 0x020b002e19001703030023000000000000000445fbfc432839d0f47cc453ff5500e022d602 41ef8e33106eda0936 (22) Message-Authenticator = 0x7ca959931442315cd10d49eb490df5db (22) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (22) NAS-Port-Type = Ethernet (22) NAS-Port = 50006 (22) NAS-Port-Id = "GigabitEthernet0/6" (22) State = 0x5709dc2c5e02c55d080b76220813d0d4 (22) NAS-IP-Address = 10.100.0.50 (22) Restoring &session-state (22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) &session-state:TLS-Session-Version = "TLS 1.2" (22) # Executing section authorize from file /etc/raddb/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) [chap] = noop (22) [mschap] = noop (22) [digest] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "test", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) eap: Peer sent EAP Response (code 2) ID 11 length 46 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/raddb/sites-enabled/default (22) Auth-Type eap { (22) eap: Expiring EAP session with state 0x1aff00fb1ef9150b (22) eap: Finished EAP session with state 0x5709dc2c5e02c55d (22) eap: Previous EAP request found for state 0x5709dc2c5e02c55d, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: Continuing EAP-TLS (22) eap_peap: [eaptls verify] = ok (22) eap_peap: Done initial handshake (22) eap_peap: [eaptls process] = ok (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state send tlv success (22) eap_peap: Received EAP-TLV response (22) eap_peap: Success (22) eap: Sending EAP Success (code 3) ID 11 length 4 (22) eap: Freeing handler (22) [eap] = ok (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (22) } # Auth-Type eap = ok (22) # Executing section post-auth from file /etc/raddb/sites-enabled/default (22) post-auth { (22) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (22) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (22) update { (22) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (22) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (22) } # update = noop (22) [exec] = noop (22) policy remove_reply_message_if_eap { (22) if (&reply:EAP-Message && &reply:Reply-Message) { (22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (22) else { (22) [noop] = noop (22) } # else = noop (22) } # policy remove_reply_message_if_eap = noop (22) } # post-auth = noop (22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli 74-78-27-1B-F2-78) (22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0 (22) MS-MPPE-Recv-Key = 0xb3963e8d4a98a9a2b83fc3463f4aee62e926bbe31e9fab554887fbef5efce59d (22) MS-MPPE-Send-Key = 0xe659945053c03ec5ae6b8b0ceef6fa83d90c3718f2a69f013f86f3870e5349ed (22) EAP-Message = 0x030b0004 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) User-Name = "test" (22) Finished request Waking up in 2.0 seconds. (23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to 10.101.0.20:1813 length 217 (23) Acct-Session-Id = "0000006D" (23) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7" (23) User-Name = "test" (23) Cisco-AVPair = "connect-progress=Call Up" (23) Acct-Authentic = RADIUS (23) Acct-Status-Type = Start (23) NAS-Port-Type = Ethernet (23) NAS-Port = 50006 (23) NAS-Port-Id = "GigabitEthernet0/6" (23) Called-Station-Id = "24-01-C7-8E-84-86" (23) Calling-Station-Id = "74-78-27-1B-F2-78" (23) Service-Type = Framed-User (23) NAS-IP-Address = 10.100.0.50 (23) Acct-Delay-Time = 0 (23) # Executing section preacct from file /etc/raddb/sites-enabled/default (23) preacct { (23) [preprocess] = ok (23) policy acct_unique { (23) update request { (23) &Tmp-String-9 := "ai:" (23) } # update request = noop (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (23) EXPAND %{hex:&Class} (23) --> (23) EXPAND ^%{hex:&Tmp-String-9} (23) --> ^61693a (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (23) else { (23) update request { (23) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (23) --> ec3bf2e33c3293d656fc4362227660f2 (23) &Acct-Unique-Session-Id := ec3bf2e33c3293d656fc4362227660f2 (23) } # update request = noop (23) } # else = noop (23) } # policy acct_unique = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "test", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) [files] = noop (23) } # preacct = ok (23) # Executing section accounting from file /etc/raddb/sites-enabled/default (23) accounting { (23) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/detail-%Y%m%d (23) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725 (23) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.50/detail-20220725 (23) detail: EXPAND %t (23) detail: --> Mon Jul 25 18:16:45 2022 (23) [detail] = ok (23) [unix] = ok (23) radutmp: EXPAND /var/log/radius/radutmp (23) radutmp: --> /var/log/radius/radutmp (23) radutmp: EXPAND %{User-Name} (23) radutmp: --> test (23) [radutmp] = ok (23) sradutmp: EXPAND /var/log/radius/sradutmp (23) sradutmp: --> /var/log/radius/sradutmp (23) sradutmp: EXPAND %{User-Name} (23) sradutmp: --> test (23) [sradutmp] = ok (23) [exec] = noop (23) attr_filter.accounting_response: EXPAND %{User-Name} (23) attr_filter.accounting_response: --> test (23) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (23) [attr_filter.accounting_response] = updated (23) } # accounting = updated (23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to 10.100.0.50:1646 length 0 (23) Finished request (23) Cleaning up request packet ID 61 with timestamp +68 Waking up in 0.8 seconds. (12) Cleaning up request packet ID 186 with timestamp +64 (13) Cleaning up request packet ID 187 with timestamp +64 (14) Cleaning up request packet ID 188 with timestamp +64 (15) Cleaning up request packet ID 189 with timestamp +64 (16) Cleaning up request packet ID 190 with timestamp +64 (17) Cleaning up request packet ID 191 with timestamp +64 Waking up in 2.7 seconds. (18) Cleaning up request packet ID 192 with timestamp +67 (19) Cleaning up request packet ID 193 with timestamp +67 (20) Cleaning up request packet ID 194 with timestamp +67 (21) Cleaning up request packet ID 195 with timestamp +67 (22) Cleaning up request packet ID 196 with timestamp +67 Ready to process requests
On Jul 25, 2022, at 12:50 PM, florentvercourt@gmail.com wrote:
I’m trying to implement, a FreeRADIUS server for a wired usage using EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials saved in the users file.
That should be fine, subject to some issues.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on « connect », I don’t have any following response to my Access-Challenge packets.
I know there is an article on wiki.freeradius about certificate compatibility, but I’ve not been able to solve the problem even with it.
FreeRADIUS Version 3.0.20
Use 3.2.0. There's been a number of fixes, including for TLS 1.3. And Windows 11 tries hard to use TLS 1.3. That is, we're not going to debug issues *again* when they've already been found and fixed. If the issue is still there with 3.2.0, then we can spend some time tracking it down. But we haven't seen issues yet in our tests. Alan DeKok.
W dniu 25.07.2022 o 21:21, Alan DeKok pisze:
On Jul 25, 2022, at 12:50 PM, florentvercourt@gmail.com wrote:
I’m trying to implement, a FreeRADIUS server for a wired usage using EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials saved in the users file. That should be fine, subject to some issues.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on « connect », I don’t have any following response to my Access-Challenge packets.
Some of our eduroam users running Windows 11 are also encountering issues with EAP-TTLS and it looks like the reply from the server is missing too. We are investigating this. It is worth mentioning here that after six months of running FreeRADIUS 3.2.0 we noticed that so far only wpa_supplicant v2.10 is able to use TLS 1.3 in EAP-TTLS. Today the servers got updated to FreeRADIUS 3.2.1. Of course, it runs fine on FreeBSD too. Thank you! -- Marek Zarychta
On Oct 11, 2022, at 4:33 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
Some of our eduroam users running Windows 11 are also encountering issues with EAP-TTLS and it looks like the reply from the server is missing too. We are investigating this.
The server should always reply. What usually happens is that the Windows system doesn't like something about the servers reply, and then just stops doing EAP. You might try turning off session resumption. I would normally recommend using it always, but we've had issues with it in Windows 11. i.e. the combination of Windows 11, TLS 1.3, TTLS, and session resumption makes Windows upset. I don't really know more than that, as any information I have is just "Windows goes away".
It is worth mentioning here that after six months of running FreeRADIUS 3.2.0 we noticed that so far only wpa_supplicant v2.10 is able to use TLS 1.3 in EAP-TTLS.
I hope the TTLS issues in Windows 11 get fixed. We've reported the issue to Microsoft, but they have corporate time frames to solve problems.
Today the servers got updated to FreeRADIUS 3.2.1. Of course, it runs fine on FreeBSD too. Thank you!
Good to hear. Alan DeKok.
W dniu 11.10.2022 o 23:22, Alan DeKok pisze:
On Oct 11, 2022, at 4:33 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
Some of our eduroam users running Windows 11 are also encountering issues with EAP-TTLS and it looks like the reply from the server is missing too. We are investigating this. The server should always reply.
What usually happens is that the Windows system doesn't like something about the servers reply, and then just stops doing EAP.
You might try turning off session resumption. I would normally recommend using it always, but we've had issues with it in Windows 11.
i.e. the combination of Windows 11, TLS 1.3, TTLS, and session resumption makes Windows upset. I don't really know more than that, as any information I have is just "Windows goes away".
Thank you for this important and very valuable clue. Indeed, I can confirm that Windows 11 clients to perform TTLS auth with success need either session resumption turned off or TLS 1.3 disabled. I hope Microsoft will fix it in the near future, but now Windows 11 seems to be a showstopper precluding wider adoption of TLS 1.3 in TTLS environments. -- Marek Zarychta
On Oct 13, 2022, at 3:33 AM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
Thank you for this important and very valuable clue. Indeed, I can confirm that Windows 11 clients to perform TTLS auth with success need either session resumption turned off or TLS 1.3 disabled.
That's good to hear.
I hope Microsoft will fix it in the near future, but now Windows 11 seems to be a showstopper precluding wider adoption of TLS 1.3 in TTLS environments.
Well, you can use TLS 1.3, but then you lose the benefits of session resumption. This looks like a decision made for "marketing" reasons. i.e. "We want people to use PEAP, so we'll make TTLS harder to use". In the end, all that does is annoy your customers. Alan DeKok.
W dniu 13.10.2022 o 13:30, Alan DeKok pisze:
Well, you can use TLS 1.3, but then you lose the benefits of session resumption.
Yes, TLS 1.3 for EAP is still new feature, worth testing, so we are testing.
This looks like a decision made for "marketing" reasons. i.e. "We want people to use PEAP, so we'll make TTLS harder to use". In the end, all that does is annoy your customers.
Probably not, unfortunately, PEAP reveals the same behavior. Session resumption has to be turned off when TLS 1.3 is negotiated by the Windows supplicant, otherwise, Windows steps back. So far only wpa_supplicant(8) can do {PEAP,TTLS}/MSCHAP2 against FreeRADIUS 3.2.1 with TLS 1.3 negotiated while session resumption is turned on. -- Marek Zarychta
On Oct 14, 2022, at 11:29 AM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
Probably not, unfortunately, PEAP reveals the same behavior. Session resumption has to be turned off when TLS 1.3 is negotiated by the Windows supplicant, otherwise, Windows steps back.
That's depressing. There's a huge difference between "we don't support session resumption", versus "we panic when asked to do session resumption". Arg. Alan DeKok.
participants (3)
-
Alan DeKok -
florentvercourt@gmail.com -
Marek Zarychta