Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel
I am currently migrating some Freeradius 2 based services over to Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs fine, but it seems that the post-auth section does not run in Freeradius 3. I have gone through the documentation and posts to the listserv and haven't found any clues as to why. In my particular case, I am using the proxy-inner-tunnel configuration and adding a post-auth section, but in other tests, it doesn't seem that post-auth runs when I try to use the "inner-tunnel" config, which already has a post-auth section. Just to make things simple to debug, I was able to build a very simple test case which shows the problem: Steps to re-create: build 3.2.0 delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to point to proxy-inner-tunnel as virtual server add section post-auth and put: update outer.session-state { User-Name := &User-Name } just as a test action to look for. add config to proxy.conf to allow for proxying the inner tunnel to another radius server. Resulting logs when testing with eapol_test: =================================================== (0) Received Access-Request Id 0 from 127.0.0.1:41445 to 127.0.0.1:1812 length 132 (0) User-Name = "anonymous" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x021d000e01616e6f6e796d6f7573 (0) Message-Authenticator = 0x39ea158d433932e66e0bc072cfa388d8 (0) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 29 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 30 length 22 (0) eap: EAP session adding &reply:State = 0xe675df6ee66bdb2e (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:41445 length 80 (0) EAP-Message = 0x011e001604102a157d4326f67fce4347da02b42ebd23 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe675df6ee66bdb2e8fcb18675fa52d04 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:41445 to 127.0.0.1:1812 length 142 (1) User-Name = "anonymous" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x021e00060319 (1) State = 0xe675df6ee66bdb2e8fcb18675fa52d04 (1) Message-Authenticator = 0xd42eec5a6a092ca329ae0713a3ef3cd6 (1) session-state: No cached attributes (1) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 30 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe675df6ee66bdb2e (1) eap: Finished EAP session with state 0xe675df6ee66bdb2e (1) eap: Previous EAP request found for state 0xe675df6ee66bdb2e, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 31 length 6 (1) eap: EAP session adding &reply:State = 0xe675df6ee76ac62e (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:41445 length 64 (1) EAP-Message = 0x011f00061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xe675df6ee76ac62e8fcb18675fa52d04 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:41445 to 127.0.0.1:1812 length 326 (2) User-Name = "anonymous" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x021f00be1980000000b416030100af010000ab0303f1314c571be3433e52568c36e53402e80746307dd0b21b23326981a604679922000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004a000b000403000102000a000c000a001d0017001e001900180016000000170000000d002600240403050306030807080808090804080a0805080b08060401050106010303030102030201 (2) State = 0xe675df6ee76ac62e8fcb18675fa52d04 (2) Message-Authenticator = 0x675e1043ccbb0dfe522b1d29bd34c303 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 31 length 190 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xe675df6ee76ac62e (2) eap: Finished EAP session with state 0xe675df6ee76ac62e (2) eap: Previous EAP request found for state 0xe675df6ee76ac62e, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) EAP Peer says that the final record size will be 180 bytes (2) eap_peap: (TLS) EAP Got all data (180 bytes) (2) eap_peap: (TLS) Handshake state - before SSL initialization (2) eap_peap: (TLS) Handshake state - Server before SSL initialization (2) eap_peap: (TLS) Handshake state - Server before SSL initialization (2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello (2) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (2) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done (2) eap_peap: (TLS) In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 32 length 1004 (2) eap: EAP session adding &reply:State = 0xe675df6ee455c62e (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:41445 length 1068 (2) EAP-Message = 0x012003ec19c000000a84160303003d0200003903036da97779dcfc5a5bc9f1c9906948eaebe1baa0466fad865b3e0f2f7c01d4d05d00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xe675df6ee455c62e8fcb18675fa52d04 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:41445 to 127.0.0.1:1812 length 142 (3) User-Name = "anonymous" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x022000061900 (3) State = 0xe675df6ee455c62e8fcb18675fa52d04 (3) Message-Authenticator = 0xfc03a376328f9a0499739fce27d2084c (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 32 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xe675df6ee455c62e (3) eap: Finished EAP session with state 0xe675df6ee455c62e (3) eap: Previous EAP request found for state 0xe675df6ee455c62e, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 33 length 1000 (3) eap: EAP session adding &reply:State = 0xe675df6ee554c62e (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:41445 length 1064 (3) EAP-Message = 0x012103e819402adb595160175b017ed0e17a78bc099f1156837d868d3cbbf3e451228cba9c6d5ace7fa48e393591d454b4eeedf7a3c90910e6cd8dcc47b6e19ebe5d559324942cef992db2bd43102f8f5e89e5edb824cba0d5233dd57861bcd08acc9de162ba78fa450458c5530004fe308204fa308203e2a003020102021435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a308193310b3009060355040613024652310f300d06035504080c0652616469 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xe675df6ee554c62e8fcb18675fa52d04 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:41445 to 127.0.0.1:1812 length 142 (4) User-Name = "anonymous" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x022100061900 (4) State = 0xe675df6ee554c62e8fcb18675fa52d04 (4) Message-Authenticator = 0x8569b7d08d76ab03703a102f5d4288b5 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 33 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xe675df6ee554c62e (4) eap: Finished EAP session with state 0xe675df6ee554c62e (4) eap: Previous EAP request found for state 0xe675df6ee554c62e, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 34 length 710 (4) eap: EAP session adding &reply:State = 0xe675df6ee257c62e (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:41445 length 772 (4) EAP-Message = 0x012202c6190072746966696361746520417574686f72697479821435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010050d5336980e982145b06a8a407b19683d7f53faf13f80a0e7e74c5c629669a7b19e3046c6e075497f3ed348ba7f771991661ac6727f3247b2432c88f8d3ce43f4cbe446154361b182bf735339a4436f4d6a9c04dd86a8831ce2d5e82f534dc0dfa03b22936c611f13e376f283e56897337a54ce3bfba868789142a04b9be837250de393c66f399c36ffbd3e9d4f2053473e1b50079a53ea4c17888cea0e0b7dd8c3c1bc8cf9cd11522da747088e4a02cc3b15453b2a01fcf26852c934351321ee5ccee3da2c56d28939644f8d3c6bf0d14191a75c27b989b9ac66e025f8c0c8824dbf60d0c3677f0197712 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe675df6ee257c62e8fcb18675fa52d04 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:41445 to 127.0.0.1:1812 length 239 (5) User-Name = "anonymous" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x0222006719800000005d160303002510000021205badd466a638f7537d8010eab5e0d3d8d6aaa705b329068bef15e3059fd39f501403030001011603030028c9186d481dde735885d75fa1f3d4c72bda0f66f8632b5206d9f169111cdb694c8ca57fb878cbd583 (5) State = 0xe675df6ee257c62e8fcb18675fa52d04 (5) Message-Authenticator = 0x8ea387527f36de9ea4e8f4278e256010 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 34 length 103 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe675df6ee257c62e (5) eap: Finished EAP session with state 0xe675df6ee257c62e (5) eap: Previous EAP request found for state 0xe675df6ee257c62e, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) EAP Peer says that the final record size will be 93 bytes (5) eap_peap: (TLS) EAP Got all data (93 bytes) (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished (5) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_peap: (TLS) send TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (5) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (5) eap_peap: (TLS) Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_peap: TLS-Session-Version = "TLS 1.2" (5) eap: Sending EAP Request (code 1) ID 35 length 57 (5) eap: EAP session adding &reply:State = 0xe675df6ee356c62e (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:41445 length 115 (5) EAP-Message = 0x01230039190014030300010116030300282054ff1c9b5e54f29863aa0bd69ed60ba57d30beacbe09fd503621ec887b1c6569231971db0cc58b (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xe675df6ee356c62e8fcb18675fa52d04 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 6 from 127.0.0.1:41445 to 127.0.0.1:1812 length 142 (6) User-Name = "anonymous" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x022300061900 (6) State = 0xe675df6ee356c62e8fcb18675fa52d04 (6) Message-Authenticator = 0x78ff7dfd696415044fb2363b8595b00c (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 35 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xe675df6ee356c62e (6) eap: Finished EAP session with state 0xe675df6ee356c62e (6) eap: Previous EAP request found for state 0xe675df6ee356c62e, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 36 length 40 (6) eap: EAP session adding &reply:State = 0xe675df6ee051c62e (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:41445 length 98 (6) EAP-Message = 0x012400281900170303001d2054ff1c9b5e54f33382548c13b84579a2844d2cbe8a06080b85335aba (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xe675df6ee051c62e8fcb18675fa52d04 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 7 from 127.0.0.1:41445 to 127.0.0.1:1812 length 188 (7) User-Name = "anonymous" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) EAP-Message = 0x0224003419001703030029c9186d481dde7359fda0277d5d1165a6f67f77bd2273b9e846ae774aa73ba8c5fd0122fffdf5364740 (7) State = 0xe675df6ee051c62e8fcb18675fa52d04 (7) Message-Authenticator = 0xe17bde94850882d1c7ab3953ffe189a8 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 36 length 52 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xe675df6ee051c62e (7) eap: Finished EAP session with state 0xe675df6ee051c62e (7) eap: Previous EAP request found for state 0xe675df6ee051c62e, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) EAP Done initial handshake (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - username@example.org (7) eap_peap: Got inner identity 'username@example.org' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (7) eap_peap: Setting User-Name to username@example.org (7) eap_peap: Sending tunneled request to proxy-inner-tunnel (7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "username@example.org" (7) Virtual server proxy-inner-tunnel received request (7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "username@example.org" (7) server proxy-inner-tunnel { (7) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (7) authorize { (7) update control { (7) &Proxy-To-Realm := "example.org" (7) } # update control = noop (7) } # authorize = noop (7) } # server proxy-inner-tunnel (7) Virtual server sending reply (7) eap_peap: Got tunneled reply code 0 (7) eap_peap: Tunnelled authentication will be proxied to example.org (7) eap: WARNING: Tunneled session will be proxied. Not doing EAP (7) [eap] = handled (7) } # authenticate = handled (7) Starting proxy to home server 127.0.0.1 port 1812 (7) server default { (7) } (7) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000 (7) Sent Access-Request Id 221 from 0.0.0.0:59393 to 127.0.0.1:1812 length 82 (7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (7) User-Name = "username@example.org" (7) Message-Authenticator = 0x (7) Proxy-State = 0x37 Waking up in 0.3 seconds. (8) Received Access-Request Id 221 from 127.0.0.1:59393 to 127.0.0.1:1812 length 82 (8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (8) User-Name = "username@example.org" (8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a (8) Proxy-State = 0x37 (8) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "example.org" for User-Name = " username@example.org" (8) suffix: Found realm "example.org" (8) suffix: Adding Realm = "example.org" (8) suffix: Proxying request from user username@example.org to realm example.org (8) suffix: Preparing to proxy authentication request to realm "example.org" (8) [suffix] = updated (8) eap: Request is supposed to be proxied to Realm example.org. Not doing EAP. (8) [eap] = noop (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Starting proxy to home server 10.6.11.15 port 1812 (8) server default { (8) } (8) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000 (8) Sent Access-Request Id 186 from 0.0.0.0:59393 to 10.6.11.15:1812 length 99 (8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475 (8) User-Name = "username@example.org" (8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a (8) Proxy-State = 0x37 (8) Event-Timestamp = "Aug 10 2022 08:18:59 EDT" (8) NAS-IP-Address = 127.0.0.1 (8) Proxy-State = 0x323231 Waking up in 0.3 seconds. (8) Marking home server 10.6.11.15 port 1812 alive (8) Clearing existing &reply: attributes (8) Received Access-Challenge Id 186 from 10.6.11.15:1812 to 10.6.11.22:59393 length 131 (8) Proxy-State = 0x37 (8) Proxy-State = 0x323231 (8) Session-Timeout = 60 (8) EAP-Message = 0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136 (8) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b (8) server default { (8) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (8) post-proxy { (8) eap: No pre-existing handler found (8) [eap] = noop (8) } # post-proxy = noop (8) } (8) Using Post-Auth-Type Challenge (8) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393 length 126 (8) Session-Timeout = 60 (8) EAP-Message = 0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136 (8) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b (8) Proxy-State = 0x37 (8) Finished request Waking up in 0.2 seconds. (7) Marking home server 127.0.0.1 port 1812 alive (7) Clearing existing &reply: attributes (7) Received Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393 length 126 (7) Session-Timeout = 60 (7) EAP-Message = 0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136 (7) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (7) Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd (7) Proxy-State = 0x37 (7) server default { (7) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (7) post-proxy { (7) eap: Doing post-proxy callback (7) eap: Passing reply from proxy back into the tunnel (7) eap: Got tunneled reply RADIUS code 11 (7) eap: Session-Timeout = 60 (7) eap: EAP-Message = 0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136 (7) eap: State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (7) eap: Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd (7) eap: Proxy-State = 0x37 (7) eap: Got tunneled Access-Challenge (7) eap: Reply was handled (7) eap: Sending EAP Request (code 1) ID 37 length 70 (7) eap: EAP session adding &reply:State = 0xe675df6ee150c62e (7) [eap] = ok (7) } # post-proxy = ok (7) } (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Using Post-Auth-Type Challenge (7) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:41445 length 128 (7) EAP-Message = 0x012500461900170303003b2054ff1c9b5e54f41704b7e71c7b36fac19dc00a4c72e794816491552341929e3a29eaacb6ed73a86178e2a411236422b3f1fb96aa4050005cfd0c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xe675df6ee150c62e8fcb18675fa52d04 (7) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 8 from 127.0.0.1:41445 to 127.0.0.1:1812 length 242 (9) User-Name = "anonymous" (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id = "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) EAP-Message = 0x0225006a1900170303005fc9186d481dde735a6f6ed9296cacf6e5e023ec3f83ee85a45230752da0ad7ecadeda1694f5c57198ab6841dfd339157a386210e7f3ebd75a3f15c87e8b8013129a97f5b62c4066a50056afee0c1275fd499841f9f6c4d4e00c312aafe6272e (9) State = 0xe675df6ee150c62e8fcb18675fa52d04 (9) Message-Authenticator = 0x2934573eb6545749fc175ddbb34b8896 (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 37 length 106 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe675df6ee150c62e (9) eap: Finished EAP session with state 0xe675df6ee150c62e (9) eap: Previous EAP request found for state 0xe675df6ee150c62e, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (9) eap_peap: Setting User-Name to username@example.org (9) eap_peap: Sending tunneled request to proxy-inner-tunnel (9) eap_peap: EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "username@example.org" (9) eap_peap: State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (9) Virtual server proxy-inner-tunnel received request (9) EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "username@example.org" (9) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (9) server proxy-inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (9) authorize { (9) update control { (9) &Proxy-To-Realm := "example.org" (9) } # update control = noop (9) } # authorize = noop (9) } # server proxy-inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Tunnelled authentication will be proxied to example.org (9) eap: WARNING: Tunneled session will be proxied. Not doing EAP (9) [eap] = handled (9) } # authenticate = handled (9) Starting proxy to home server 127.0.0.1 port 1812 (9) server default { (9) } (9) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000 (9) Sent Access-Request Id 235 from 0.0.0.0:59393 to 127.0.0.1:1812 length 174 (9) EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (9) User-Name = "username@example.org" (9) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (9) Message-Authenticator = 0x (9) Proxy-State = 0x38 Waking up in 0.3 seconds. (10) Received Access-Request Id 235 from 127.0.0.1:59393 to 127.0.0.1:1812 length 174 (10) EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (10) User-Name = "username@example.org" (10) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4 (10) Proxy-State = 0x38 (10) session-state: No cached attributes (10) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: Looking up realm "example.org" for User-Name = " username@example.org" (10) suffix: Found realm "example.org" (10) suffix: Adding Realm = "example.org" (10) suffix: Proxying request from user username@example.org to realm example.org (10) suffix: Preparing to proxy authentication request to realm "example.org" (10) [suffix] = updated (10) eap: Request is supposed to be proxied to Realm example.org. Not doing EAP. (10) [eap] = noop (10) [files] = noop (10) [expiration] = noop (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Starting proxy to home server 10.6.11.15 port 1812 (10) server default { (10) } (10) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000 (10) Sent Access-Request Id 59 from 0.0.0.0:59393 to 10.6.11.15:1812 length 191 (10) EAP-Message = 0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475 (10) User-Name = "username@example.org" (10) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4 (10) Proxy-State = 0x38 (10) Event-Timestamp = "Aug 10 2022 08:18:59 EDT" (10) NAS-IP-Address = 127.0.0.1 (10) Proxy-State = 0x323335 Waking up in 0.3 seconds. (10) Clearing existing &reply: attributes (10) Received Access-Challenge Id 59 from 10.6.11.15:1812 to 10.6.11.22:59393 length 143 (10) Proxy-State = 0x38 (10) Proxy-State = 0x323335 (10) Session-Timeout = 60 (10) EAP-Message = 0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (10) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42 (10) server default { (10) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (10) post-proxy { (10) eap: No pre-existing handler found (10) [eap] = noop (10) } # post-proxy = noop (10) } (10) Using Post-Auth-Type Challenge (10) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393 length 138 (10) Session-Timeout = 60 (10) EAP-Message = 0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (10) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42 (10) Proxy-State = 0x38 (10) Finished request Waking up in 0.1 seconds. (9) Clearing existing &reply: attributes (9) Received Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393 length 138 (9) Session-Timeout = 60 (9) EAP-Message = 0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (9) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (9) Message-Authenticator = 0xa7a5d80e820957076837a9676974152d (9) Proxy-State = 0x38 (9) server default { (9) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (9) post-proxy { (9) eap: Doing post-proxy callback (9) eap: Passing reply from proxy back into the tunnel (9) eap: Got tunneled reply RADIUS code 11 (9) eap: Session-Timeout = 60 (9) eap: EAP-Message = 0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (9) eap: State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (9) eap: Message-Authenticator = 0xa7a5d80e820957076837a9676974152d (9) eap: Proxy-State = 0x38 (9) eap: Got tunneled Access-Challenge (9) eap: Reply was handled (9) eap: Sending EAP Request (code 1) ID 38 length 82 (9) eap: EAP session adding &reply:State = 0xe675df6eee53c62e (9) [eap] = ok (9) } # post-proxy = ok (9) } (9) session-state: Saving cached attributes (9) Framed-MTU = 994 (9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) TLS-Session-Version = "TLS 1.2" (9) Using Post-Auth-Type Challenge (9) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (9) Challenge { ... } # empty sub-section is ignored (9) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:41445 length 140 (9) EAP-Message = 0x01260052190017030300472054ff1c9b5e54f59cc0dcaebf53e944b82ed1c318ffbc62c980efe461b0d53ad17c41ec8d2ea20cee09c6fd2c291ff46f9f4c6f1c958b4f5bda67798c4c472160325089c9d09d (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xe675df6eee53c62e8fcb18675fa52d04 (9) Finished request Waking up in 4.7 seconds. (11) Received Access-Request Id 9 from 127.0.0.1:41445 to 127.0.0.1:1812 length 173 (11) User-Name = "anonymous" (11) NAS-IP-Address = 127.0.0.1 (11) Calling-Station-Id = "02-00-00-00-00-01" (11) Framed-MTU = 1400 (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Connect-Info = "CONNECT 11Mbps 802.11b" (11) EAP-Message = 0x022600251900170303001ac9186d481dde735bda9d2d9bf418939943eeadac727b51daf83d (11) State = 0xe675df6eee53c62e8fcb18675fa52d04 (11) Message-Authenticator = 0x4369ac0ea166f1c1235fad5555c6b7bf (11) Restoring &session-state (11) &session-state:Framed-MTU = 994 (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) &session-state:TLS-Session-Version = "TLS 1.2" (11) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 38 length 37 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0xe675df6eee53c62e (11) eap: Finished EAP session with state 0xe675df6eee53c62e (11) eap: Previous EAP request found for state 0xe675df6eee53c62e, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) EAP Done initial handshake (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state phase2 (11) eap_peap: EAP method MSCHAPv2 (26) (11) eap_peap: Got tunneled request (11) eap_peap: EAP-Message = 0x022600061a03 (11) eap_peap: Setting User-Name to username@example.org (11) eap_peap: Sending tunneled request to proxy-inner-tunnel (11) eap_peap: EAP-Message = 0x022600061a03 (11) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (11) eap_peap: User-Name = "username@example.org" (11) eap_peap: State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (11) Virtual server proxy-inner-tunnel received request (11) EAP-Message = 0x022600061a03 (11) FreeRADIUS-Proxied-To = 127.0.0.1 (11) User-Name = "username@example.org" (11) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (11) server proxy-inner-tunnel { (11) session-state: No cached attributes (11) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (11) authorize { (11) update control { (11) &Proxy-To-Realm := "example.org" (11) } # update control = noop (11) } # authorize = noop (11) } # server proxy-inner-tunnel (11) Virtual server sending reply (11) eap_peap: Got tunneled reply code 0 (11) eap_peap: Tunnelled authentication will be proxied to example.org (11) eap: WARNING: Tunneled session will be proxied. Not doing EAP (11) [eap] = handled (11) } # authenticate = handled (11) Starting proxy to home server 127.0.0.1 port 1812 (11) server default { (11) } (11) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000 (11) Sent Access-Request Id 27 from 0.0.0.0:59393 to 127.0.0.1:1812 length 105 (11) EAP-Message = 0x022600061a03 (11) User-Name = "username@example.org" (11) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (11) Message-Authenticator = 0x (11) Proxy-State = 0x39 Waking up in 0.3 seconds. (12) Received Access-Request Id 27 from 127.0.0.1:59393 to 127.0.0.1:1812 length 105 (12) EAP-Message = 0x022600061a03 (12) User-Name = "username@example.org" (12) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd (12) Proxy-State = 0x39 (12) session-state: No cached attributes (12) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: Looking up realm "example.org" for User-Name = " username@example.org" (12) suffix: Found realm "example.org" (12) suffix: Adding Realm = "example.org" (12) suffix: Proxying request from user username@example.org to realm example.org (12) suffix: Preparing to proxy authentication request to realm "example.org" (12) [suffix] = updated (12) eap: Request is supposed to be proxied to Realm example.org. Not doing EAP. (12) [eap] = noop (12) [files] = noop (12) [expiration] = noop (12) [logintime] = noop (12) [pap] = noop (12) } # authorize = updated (12) Starting proxy to home server 10.6.11.15 port 1812 (12) server default { (12) } (12) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000 (12) Sent Access-Request Id 52 from 0.0.0.0:59393 to 10.6.11.15:1812 length 121 (12) EAP-Message = 0x022600061a03 (12) User-Name = "username@example.org" (12) State = 0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe (12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd (12) Proxy-State = 0x39 (12) Event-Timestamp = "Aug 10 2022 08:18:59 EDT" (12) NAS-IP-Address = 127.0.0.1 (12) Proxy-State = 0x3237 Waking up in 0.3 seconds. (12) Clearing existing &reply: attributes (12) Received Access-Accept Id 52 from 10.6.11.15:1812 to 10.6.11.22:59393 length 281 (12) Proxy-State = 0x39 (12) Proxy-State = 0x3237 (12) Framed-Protocol = PPP (12) Service-Type = Framed-User (12) EAP-Message = 0x03260004 (12) Class = 0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48 (12) MS-Link-Utilization-Threshold = 50 (12) MS-Link-Drop-Time-Limit = 120 (12) MS-CHAP-Domain = "\001UFAD" (12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e (12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314 (12) MS-CHAP2-Success = 0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e (12) server default { (12) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (12) post-proxy { (12) eap: No pre-existing handler found (12) [eap] = noop (12) } # post-proxy = noop (12) } (12) Found Auth-Type = Accept (12) Auth-Type = Accept, accepting the user (12) # Executing section post-auth from file /opt/freeradius-test/etc/raddb/sites-enabled/default (12) post-auth { (12) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (12) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (12) update { (12) No attributes updated for RHS &session-state: (12) } # update = noop (12) [exec] = noop (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) if (EAP-Key-Name && &reply:EAP-Session-Id) { (12) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (12) } # post-auth = noop (12) Sent Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393 length 277 (12) Framed-Protocol = PPP (12) Service-Type = Framed-User (12) EAP-Message = 0x03260004 (12) Class = 0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48 (12) MS-Link-Utilization-Threshold = 50 (12) MS-Link-Drop-Time-Limit = 120 (12) MS-CHAP-Domain = "\001UFAD" (12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e (12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314 (12) MS-CHAP2-Success = 0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e (12) Proxy-State = 0x39 (12) Finished request Waking up in 0.3 seconds. (11) Clearing existing &reply: attributes (11) Received Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393 length 277 (11) Framed-Protocol = PPP (11) Service-Type = Framed-User (11) EAP-Message = 0x03260004 (11) Class = 0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48 (11) MS-Link-Utilization-Threshold = 50 (11) MS-Link-Drop-Time-Limit = 120 (11) MS-CHAP-Domain = "\001UFAD" (11) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e (11) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314 (11) MS-CHAP2-Success = 0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (11) Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40 (11) Proxy-State = 0x39 (11) server default { (11) # Executing section post-proxy from file /opt/freeradius-test/etc/raddb/sites-enabled/default (11) post-proxy { (11) eap: Doing post-proxy callback (11) eap: Passing reply from proxy back into the tunnel (11) eap: Got tunneled reply RADIUS code 2 (11) eap: Framed-Protocol = PPP (11) eap: Service-Type = Framed-User (11) eap: EAP-Message = 0x03260004 (11) eap: Class = 0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48 (11) eap: MS-Link-Utilization-Threshold = 50 (11) eap: MS-Link-Drop-Time-Limit = 120 (11) eap: MS-CHAP-Domain = "\001UFAD" (11) eap: MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e (11) eap: MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314 (11) eap: MS-CHAP2-Success = 0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632 (11) eap: Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40 (11) eap: Proxy-State = 0x39 (11) eap: Tunneled authentication was successful (11) eap: SUCCESS (11) eap: Reply was handled (11) eap: Sending EAP Request (code 1) ID 39 length 46 (11) eap: EAP session adding &reply:State = 0xe675df6eef52c62e (11) [eap] = ok (11) } # post-proxy = ok (11) } (11) session-state: Saving cached attributes (11) Framed-MTU = 994 (11) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (11) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) TLS-Session-Version = "TLS 1.2" (11) Using Post-Auth-Type Challenge (11) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:41445 length 104 (11) EAP-Message = 0x0127002e190017030300232054ff1c9b5e54f65a96c6f9c26f4368dea611f63dd222bbc75a6489e3787981c6c053 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xe675df6eef52c62e8fcb18675fa52d04 (11) Finished request Waking up in 4.7 seconds. (13) Received Access-Request Id 10 from 127.0.0.1:41445 to 127.0.0.1:1812 length 182 (13) User-Name = "anonymous" (13) NAS-IP-Address = 127.0.0.1 (13) Calling-Station-Id = "02-00-00-00-00-01" (13) Framed-MTU = 1400 (13) NAS-Port-Type = Wireless-802.11 (13) Service-Type = Framed-User (13) Connect-Info = "CONNECT 11Mbps 802.11b" (13) EAP-Message = 0x0227002e19001703030023c9186d481dde735c252cdf5e4f904d6191485ee65d136156c4a980ed966e9fc425cbd7 (13) State = 0xe675df6eef52c62e8fcb18675fa52d04 (13) Message-Authenticator = 0x1d9975ec3f07b5971e779a3aaa8d0a4d (13) Restoring &session-state (13) &session-state:Framed-MTU = 994 (13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (13) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (13) &session-state:TLS-Session-Version = "TLS 1.2" (13) # Executing section authorize from file /opt/freeradius-test/etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 39 length 46 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /opt/freeradius-test/etc/raddb/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0xe675df6eef52c62e (13) eap: Finished EAP session with state 0xe675df6eef52c62e (13) eap: Previous EAP request found for state 0xe675df6eef52c62e, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: (TLS) EAP Done initial handshake (13) eap_peap: Session established. Decoding tunneled attributes (13) eap_peap: PEAP state send tlv success (13) eap_peap: Received EAP-TLV response (13) eap_peap: Success (13) eap: Sending EAP Success (code 3) ID 39 length 4 (13) eap: Freeing handler (13) [eap] = ok (13) } # authenticate = ok (13) # Executing section post-auth from file /opt/freeradius-test/etc/raddb/sites-enabled/default (13) post-auth { (13) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (13) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (13) update { (13) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (13) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (13) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (13) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (13) } # update = noop (13) [exec] = noop (13) policy remove_reply_message_if_eap { (13) if (&reply:EAP-Message && &reply:Reply-Message) { (13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (13) else { (13) [noop] = noop (13) } # else = noop (13) } # policy remove_reply_message_if_eap = noop (13) if (EAP-Key-Name && &reply:EAP-Session-Id) { (13) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (13) } # post-auth = noop (13) Sent Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:41445 length 177 (13) MS-MPPE-Recv-Key = 0x62648fa7a7f83a26511884879c34872597bf15b27f0fe7c0e8b9426e2de1e5b4 (13) MS-MPPE-Send-Key = 0x9e1e4d2c8aede721a947dfc545f44960236c983e73f6883659db7ddf618c46fc (13) EAP-Message = 0x03270004 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) User-Name = "anonymous" (13) Framed-MTU += 994 (13) Finished request Waking up in 4.7 seconds. (0) Cleaning up request packet ID 0 with timestamp +3 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +3 due to cleanup_delay was reached (2) Cleaning up request packet ID 2 with timestamp +3 due to cleanup_delay was reached (3) Cleaning up request packet ID 3 with timestamp +3 due to cleanup_delay was reached (4) Cleaning up request packet ID 4 with timestamp +3 due to cleanup_delay was reached (5) Cleaning up request packet ID 5 with timestamp +3 due to cleanup_delay was reached (6) Cleaning up request packet ID 6 with timestamp +3 due to cleanup_delay was reached (8) Cleaning up request packet ID 221 with timestamp +3 due to cleanup_delay was reached (7) Cleaning up request packet ID 7 with timestamp +3 due to cleanup_delay was reached Waking up in 0.1 seconds. (10) Cleaning up request packet ID 235 with timestamp +3 due to cleanup_delay was reached (9) Cleaning up request packet ID 8 with timestamp +3 due to cleanup_delay was reached (12) Cleaning up request packet ID 27 with timestamp +3 due to cleanup_delay was reached (11) Cleaning up request packet ID 9 with timestamp +3 due to cleanup_delay was reached (13) Cleaning up request packet ID 10 with timestamp +3 due to cleanup_delay was reached Ready to process requests ============================================== I don't see post-auth being called from proxy-inner-tunnel. Is there any trick that I missed to get it to run? Thanks! Chris
On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352@gmail.com> wrote:
I am currently migrating some Freeradius 2 based services over to Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs fine, but it seems that the post-auth section does not run in Freeradius 3.
It should run if you have the "post-auth" section in the inner-tunnel virtual server. See https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_... and a few lines later where it calls rad_postauth()
I have gone through the documentation and posts to the listserv and haven't found any clues as to why. In my particular case, I am using the proxy-inner-tunnel configuration and adding a post-auth section, but in other tests, it doesn't seem that post-auth runs when I try to use the "inner-tunnel" config, which already has a post-auth section. Just to make things simple to debug, I was able to build a very simple test case which shows the problem:
Steps to re-create:
build 3.2.0 delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to point to proxy-inner-tunnel as virtual server
add section post-auth and put:
update outer.session-state { User-Name := &User-Name }
just as a test action to look for.
add config to proxy.conf to allow for proxying the inner tunnel to another radius server.
Resulting logs when testing with eapol_test:
It should also print out something like this for the "inner-tunnel" virtual server. That way you know it's been loaded and parsed. server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual server, then that's the problem. You've put the post-auth section somewhere where the server can't see it (or ignores it). If it is there, then I'm a little surprised it doesn't work. We'll have to look at that in more detail. Alan DeKok.
Hi Alan, In my case I am using the "proxy-inner-tunnel" config, but I have added a post-auth section to it. Sorry I didn't post the loading debug. Here is what I have for proxy-inner-tunnel: server proxy-inner-tunnel { # from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading post-proxy {...} # Loading post-auth {...} } # server proxy-inner-tunnel Happy to do any other debugs you would like to see. Thanks! Chris On Wed, Aug 10, 2022 at 9:52 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352@gmail.com> wrote:
I am currently migrating some Freeradius 2 based services over to Freeradius 3 (3.2.0), and I am having an issue with post-auth executing
in
the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs fine, but it seems that the post-auth section does not run in Freeradius 3.
It should run if you have the "post-auth" section in the inner-tunnel virtual server. See https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_...
and a few lines later where it calls rad_postauth()
I have gone through the documentation and posts to the listserv and haven't found any clues as to why. In my particular case, I am using the proxy-inner-tunnel configuration and adding a post-auth section, but in other tests, it doesn't seem that post-auth runs when I try to use the "inner-tunnel" config, which already has a post-auth section. Just to make things simple to debug, I was able to build a very simple test case which shows the problem:
Steps to re-create:
build 3.2.0 delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to point to proxy-inner-tunnel as virtual server
add section post-auth and put:
update outer.session-state { User-Name := &User-Name }
just as a test action to look for.
add config to proxy.conf to allow for proxying the inner tunnel to another radius server.
Resulting logs when testing with eapol_test:
It should also print out something like this for the "inner-tunnel" virtual server. That way you know it's been loaded and parsed.
server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...}
If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual server, then that's the problem. You've put the post-auth section somewhere where the server can't see it (or ignores it).
If it is there, then I'm a little surprised it doesn't work. We'll have to look at that in more detail.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, I did a little debugging inside the code and found that 'request_data_get' returns NULL so we never pass the conditional which allows rad_postauth to be called. Any other debug information that would help? Thanks Chris On Wed, Aug 10, 2022 at 9:52 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352@gmail.com> wrote:
I am currently migrating some Freeradius 2 based services over to Freeradius 3 (3.2.0), and I am having an issue with post-auth executing
in
the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs fine, but it seems that the post-auth section does not run in Freeradius 3.
It should run if you have the "post-auth" section in the inner-tunnel virtual server. See https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_...
and a few lines later where it calls rad_postauth()
I have gone through the documentation and posts to the listserv and haven't found any clues as to why. In my particular case, I am using the proxy-inner-tunnel configuration and adding a post-auth section, but in other tests, it doesn't seem that post-auth runs when I try to use the "inner-tunnel" config, which already has a post-auth section. Just to make things simple to debug, I was able to build a very simple test case which shows the problem:
Steps to re-create:
build 3.2.0 delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to point to proxy-inner-tunnel as virtual server
add section post-auth and put:
update outer.session-state { User-Name := &User-Name }
just as a test action to look for.
add config to proxy.conf to allow for proxying the inner tunnel to another radius server.
Resulting logs when testing with eapol_test:
It should also print out something like this for the "inner-tunnel" virtual server. That way you know it's been loaded and parsed.
server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...}
If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual server, then that's the problem. You've put the post-auth section somewhere where the server can't see it (or ignores it).
If it is there, then I'm a little surprised it doesn't work. We'll have to look at that in more detail.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 12, 2022, at 8:51 AM, Chris Griffin <cgriffin352@gmail.com> wrote:
I did a little debugging inside the code and found that 'request_data_get' returns NULL so we never pass the conditional which allows rad_postauth to be called. Any other debug information that would help?
You can try editing peap.c: /* * We're not proxying it as EAP, so we've got * to do the callback later. */ if ((fake->options & RAD_REQUEST_OPTION_PROXY_EAP) != 0) { just change that if if (1) { And that *should* help. Hopefully it doesn't break anything else. Alan DeKok.
Hi Alan, I found a few things. 1. The rad_postauth wasn't being called because "proxy_tunneled_request_as_eap" was commented out. I had made the wrong assumption about what the default was. I uncommented it and set it to no and rad_postauth was correctly called. That was set to no in my production 3.2 platform but not this test instance. 2. Digging into the auth.c: Based on this code: /* * If a method was chosen, use that. */ if (vp) { postauth_type = vp->vp_integer; RDEBUG2("Using Post-Auth-Type %s", dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type)); } It is setting the postauth_type to "Challenge" and I am getting this feedback in the debugs: (8) eap: EAP session adding &reply:State = 0x784b1b4e799f01a6 (8) [eap] = ok (8) } # post-proxy = ok (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. It seems that it is only looking for a Post-Auth-Type Challenge section in post-auth and if it doesn't have it, the section is ignored. Just as a test I changed it it: if (0) {.... To avoid setting the postauth_type and the post-auth section is now properly called: (8) # Executing section post-auth from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (8) post-auth { In my very brief testing, everything seems to work now, but this feels "very wrong" as a solution. Do you have any feedback as to the correct thing to do? Should I just put everything for post-auth in a challenge section or is that being mis-set somewhere and causing this result? Tnx! Chris On Fri, Aug 12, 2022 at 9:00 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 12, 2022, at 8:51 AM, Chris Griffin <cgriffin352@gmail.com> wrote:
I did a little debugging inside the code and found that 'request_data_get' returns NULL so we never pass the conditional which allows rad_postauth to be called. Any other debug information that would help?
You can try editing peap.c:
/* * We're not proxying it as EAP, so we've got * to do the callback later. */ if ((fake->options & RAD_REQUEST_OPTION_PROXY_EAP) != 0) {
just change that if
if (1) {
And that *should* help. Hopefully it doesn't break anything else.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 12, 2022, at 12:05 PM, Chris Griffin <cgriffin352@gmail.com> wrote:
1. The rad_postauth wasn't being called because "proxy_tunneled_request_as_eap" was commented out. I had made the wrong assumption about what the default was. I uncommented it and set it to no and rad_postauth was correctly called. That was set to no in my production 3.2 platform but not this test instance.
OK.
2. Digging into the auth.c:
Based on this code:
/* * If a method was chosen, use that. */ if (vp) { postauth_type = vp->vp_integer; RDEBUG2("Using Post-Auth-Type %s", dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type)); }
It is setting the postauth_type to "Challenge" and I am getting this feedback in the debugs:
(8) eap: EAP session adding &reply:State = 0x784b1b4e799f01a6 (8) [eap] = ok (8) } # post-proxy = ok (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring.
It seems that it is only looking for a Post-Auth-Type Challenge section in post-auth and if it doesn't have it, the section is ignored.
It only sets "Post-Auth-Type = Challenge" when running an Access-Challenge though the "post-auth" section. It should be using the fake request here for the running post-auth in the "inner-tunnel" virtual server.
Just as a test I changed it it:
if (0) {....
To avoid setting the postauth_type and the post-auth section is now properly called:
(8) # Executing section post-auth from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (8) post-auth {
In my very brief testing, everything seems to work now, but this feels "very wrong" as a solution. Do you have any feedback as to the correct thing to do? Should I just put everything for post-auth in a challenge section or is that being mis-set somewhere and causing this result?
It should be running post-auth { ... }, and not the "challenge" bit. I've pushed a fix in 851cb91 which should fix that. Alan DeKok.
Hi Alan, I did some testing and I am still seeing an issue. Although fake->reply->code = PW_CODE_ACCESS_ACCEPT is now set, a few lines later where: process_post_proxy(0, fake); is called, it gets reset to PW_CODE_ACCESS_CHALLENGE and so in rad_postauth it builds the VP with Post-Auth-Type, Challenge. This appears to be a result of having eap in the post-proxy configuration in proxy-inner-tunnel because we are not proxying as EAP. When I remove it, this patch appears effective, but EAP seems to fall apart, as the configuration guidance would suggest. Any further thoughts? Tnx Chris On Mon, Aug 15, 2022 at 4:08 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 12, 2022, at 12:05 PM, Chris Griffin <cgriffin352@gmail.com> wrote:
1. The rad_postauth wasn't being called because "proxy_tunneled_request_as_eap" was commented out. I had made the wrong assumption about what the default was. I uncommented it and set it to no and rad_postauth was correctly called. That was set to no in my production 3.2 platform but not this test instance.
OK.
2. Digging into the auth.c:
Based on this code:
/* * If a method was chosen, use that. */ if (vp) { postauth_type = vp->vp_integer; RDEBUG2("Using Post-Auth-Type %s", dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type)); }
It is setting the postauth_type to "Challenge" and I am getting this feedback in the debugs:
(8) eap: EAP session adding &reply:State = 0x784b1b4e799f01a6 (8) [eap] = ok (8) } # post-proxy = ok (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring.
It seems that it is only looking for a Post-Auth-Type Challenge section in post-auth and if it doesn't have it, the section is ignored.
It only sets "Post-Auth-Type = Challenge" when running an Access-Challenge though the "post-auth" section.
It should be using the fake request here for the running post-auth in the "inner-tunnel" virtual server.
Just as a test I changed it it:
if (0) {....
To avoid setting the postauth_type and the post-auth section is now properly called:
(8) # Executing section post-auth from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel (8) post-auth {
In my very brief testing, everything seems to work now, but this feels "very wrong" as a solution. Do you have any feedback as to the correct thing to do? Should I just put everything for post-auth in a challenge section or is that being mis-set somewhere and causing this result?
It should be running post-auth { ... }, and not the "challenge" bit.
I've pushed a fix in 851cb91 which should fix that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Chris Griffin