Connect Users registered on a ldaps (azure ad ds with hashed passwords ) via a local freeradius server
Dear Alan DeKok and Alan Buxey Thank you for your answers. Message to Alan Buxey: i can't add "Auth-Type := LDAP" in the authorize section. i tried differents ways but i can only write a syntax like "Auth-Type := LDAP" in the auhentication section. In the authentication section i have this: Auth-Type LDAP { ldap } Message to Alan DeKok: I changed my default file and my inner-tunnel file to the default configuration. I also added/checked the module eap in the authtorize section. i changed and checked some elements steps by steps like recommended. Unfortunaly my configuration still doesn't work. my log: Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 54919 Listening on proxy address :: port 33469 Ready to process requests (0) Received Access-Request Id 60 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269 (0) User-Name = "chris.nzengue" (0) Chargeable-User-Identity = 0x14 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (0) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (0) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (0) NAS-IP-Address = 192.168.200.20 (0) NAS-Identifier = "Dejamobile" (0) Airespace-Wlan-Id = 1 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x020100120163687269732e6e7a656e677565 (0) Message-Authenticator = 0x152d6c9151ccc00eda8651079e743f0f (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 18 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0x3928d6d2392ac3c4 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 60 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64 (0) EAP-Message = 0x010200061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x3928d6d2392ac3c470d72d9dc025396c (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430 (1) User-Name = "chris.nzengue" (1) Chargeable-User-Identity = 0x14 (1) Location-Capable = Civic-Location (1) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (1) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (1) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (1) NAS-IP-Address = 192.168.200.20 (1) NAS-Identifier = "Dejamobile" (1) Airespace-Wlan-Id = 1 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f3b217e84d6eb2bb1dc0e3862e4301609d5dd8156ea582ee9e9618ce89200002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (1) State = 0x3928d6d2392ac3c470d72d9dc025396c (1) Message-Authenticator = 0x5e4ed5f1554b77fb9eca516f0b622090 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 161 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x3928d6d2392ac3c4 (1) eap: Finished EAP session with state 0x3928d6d2392ac3c4 (1) eap: Previous EAP request found for state 0x3928d6d2392ac3c4, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes (1) eap_ttls: (TLS) EAP Got all data (151 bytes) (1) eap_ttls: (TLS) Handshake state - before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_ttls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 3 length 1004 (1) eap: EAP session adding &reply:State = 0x3928d6d2382bc3c4 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 61 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068 (1) EAP-Message = 0x010303ec15c0000004b1160303003d0200003903032f11de33c426afb2d9497c86e2a911e6b439474f3cb137da7395b16ee2b50b6f00c030000011ff01000100000b00040300010200170000160303030f0b00030b00030800030530820301308201e9a00302010202140ea85d3ec7ee7aec904f3547480a14d73c892031300d06092a864886f70d01010b050030173115301306035504030c0c726164697573736572766572301e170d3232313131363134303934355a170d3332313131333134303934355a30173115301306035504030c0c72616469757373657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100adda610f374fc54e2949f1d9a7ba9ad8abf1c24a9773f9ab5fa50b43fefd07a7c61da781fd53b4277cdbe46b9964548a4125a313d4d3df6ee6593fe9dba778843c02dfa1ebceeaf17370dd8604a60085efa9d7b78b0ad571a378b30074bbabef337174fdef87ab30482289f75f3661d0b972299e9aefab (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x3928d6d2382bc3c470d72d9dc025396c (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275 (2) User-Name = "chris.nzengue" (2) Chargeable-User-Identity = 0x14 (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (2) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (2) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (2) NAS-IP-Address = 192.168.200.20 (2) NAS-Identifier = "Dejamobile" (2) Airespace-Wlan-Id = 1 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x020300061500 (2) State = 0x3928d6d2382bc3c470d72d9dc025396c (2) Message-Authenticator = 0xf72e4e265499850d5d6421aded843c88 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x3928d6d2382bc3c4 (2) eap: Finished EAP session with state 0x3928d6d2382bc3c4 (2) eap: Previous EAP request found for state 0x3928d6d2382bc3c4, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 4 length 217 (2) eap: EAP session adding &reply:State = 0x3928d6d23b2cc3c4 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 62 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275 (2) EAP-Message = 0x010400d91580000004b1bf0b7836f57013f68d84f283d18386c495f55bf6aefb9ffe13fa9ec4dc7558c1d64614cbfe1b150c6c5557eca368492d9f0703e9df123c9afa1ad66d2270997a6d9dd2108d864e63548e04e8822559864fa2763023bff6c9482116a090880534024828465510f207f1e82753981e4edfe992d2e34946f371c7b4e9ff950bffe7921daf41e7b35adcd3ed7b38ef2beb6e6c5b5797a3d3e3dcdf5e5935cb22cbbb074171beac78ba5516e39b7028280ceb40c91e5f05209cd8114a47e7c216237261cfbde7bf6b16030300040e000000 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x3928d6d23b2cc3c470d72d9dc025396c (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 63 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405 (3) User-Name = "chris.nzengue" (3) Chargeable-User-Identity = 0x14 (3) Location-Capable = Civic-Location (3) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (3) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (3) NAS-Port = 1 (3) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (3) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (3) NAS-IP-Address = 192.168.200.20 (3) NAS-Identifier = "Dejamobile" (3) Airespace-Wlan-Id = 1 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) EAP-Message = 0x0204008815800000007e1603030046100000424104533ca32d47edc703e275388f1effbc8eb436405d6aa3738351c3fba56c00973994a438ee6f424fb5509e7f5f9941b6eeec7e1df3979458f10c6214296159cf5914030300010116030300287faf547f2d6fb7d3c55e5be7259a0f1cd3caafd860197082b595fe088774085dc4325485792a77bb (3) State = 0x3928d6d23b2cc3c470d72d9dc025396c (3) Message-Authenticator = 0x79689f3375c63ab53647785b94456026 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 136 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x3928d6d23b2cc3c4 (3) eap: Finished EAP session with state 0x3928d6d23b2cc3c4 (3) eap: Previous EAP request found for state 0x3928d6d23b2cc3c4, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes (3) eap_ttls: (TLS) EAP Got all data (126 bytes) (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (3) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (3) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (3) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (3) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (3) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (3) eap_ttls: (TLS) Connection Established (3) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (3) eap_ttls: TLS-Session-Version = "TLS 1.2" (3) eap: Sending EAP Request (code 1) ID 5 length 61 (3) eap: EAP session adding &reply:State = 0x3928d6d23a2dc3c4 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (3) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (3) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (3) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (3) TLS-Session-Version = "TLS 1.2" (3) Sent Access-Challenge Id 63 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119 (3) EAP-Message = 0x0105003d158000000033140303000101160303002860d606d18ea71d16b3c68c4ae06da363a94b18bae53e6c81c1d6858d6f02f6d40be4b094449db2d7 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x3928d6d23a2dc3c470d72d9dc025396c (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 64 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336 (4) User-Name = "chris.nzengue" (4) Chargeable-User-Identity = 0x14 (4) Location-Capable = Civic-Location (4) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (4) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (4) NAS-Port = 1 (4) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (4) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (4) NAS-IP-Address = 192.168.200.20 (4) NAS-Identifier = "Dejamobile" (4) Airespace-Wlan-Id = 1 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) EAP-Message = 0x0205004315800000003917030300347faf547f2d6fb7d49a7c5eecbf2f091d6fa4b0d4f764f0d8b00b14a40df28858de23dccc5fcc4980690298cf1097a44b39977dcd (4) State = 0x3928d6d23a2dc3c470d72d9dc025396c (4) Message-Authenticator = 0x7231f57f1ffe824ddc3ef6e4618cda9b (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (4) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) &session-state:TLS-Session-Version = "TLS 1.2" (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 67 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x3928d6d23a2dc3c4 (4) eap: Finished EAP session with state 0x3928d6d23a2dc3c4 (4) eap: Previous EAP request found for state 0x3928d6d23a2dc3c4, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes (4) eap_ttls: (TLS) EAP Got all data (57 bytes) (4) eap_ttls: Session established. Proceeding to decode tunneled attributes (4) eap_ttls: Got tunneled request (4) eap_ttls: EAP-Message = 0x020000120163687269732e6e7a656e677565 (4) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (4) eap_ttls: Got tunneled identity of chris.nzengue (4) eap_ttls: Setting default EAP type for tunneled EAP session (4) eap_ttls: Sending tunneled request (4) Virtual server inner-tunnel received request (4) EAP-Message = 0x020000120163687269732e6e7a656e677565 (4) FreeRADIUS-Proxied-To = 127.0.0.1 (4) User-Name = "chris.nzengue" (4) WARNING: Outer and inner identities are the same. User privacy is compromised. (4) server inner-tunnel { (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) update control { (4) &Proxy-To-Realm := LOCAL (4) } # update control = noop (4) eap: Peer sent EAP Response (code 2) ID 0 length 18 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (4) authenticate { (4) eap: Peer sent packet with method EAP Identity (1) (4) eap: Calling submodule eap_md5 to process data (4) eap_md5: Issuing MD5 Challenge (4) eap: Sending EAP Request (code 1) ID 1 length 22 (4) eap: EAP session adding &reply:State = 0x106ef3d5106ff7e6 (4) [eap] = handled (4) } # authenticate = handled (4) } # server inner-tunnel (4) Virtual server sending reply (4) EAP-Message = 0x010100160410a7b40954aa2a2708b16d9fcb7ef44fc8 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x106ef3d5106ff7e6264667ace5f7b4d2 (4) eap_ttls: Got tunneled Access-Challenge (4) eap: Sending EAP Request (code 1) ID 6 length 71 (4) eap: EAP session adding &reply:State = 0x3928d6d23d2ec3c4 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (4) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) TLS-Session-Version = "TLS 1.2" (4) Sent Access-Challenge Id 64 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129 (4) EAP-Message = 0x0106004715800000003d170303003860d606d18ea71d17d954a1cc464eeb9c3042d45f159a59b49ae258e5511653994c15478a525d0883f7bf3a4cbf95ab1215fe9b9d3a4dbcd3 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x3928d6d23d2ec3c470d72d9dc025396c (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 65 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352 (5) User-Name = "chris.nzengue" (5) Chargeable-User-Identity = 0x14 (5) Location-Capable = Civic-Location (5) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (5) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (5) NAS-Port = 1 (5) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64" (5) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015" (5) NAS-IP-Address = 192.168.200.20 (5) NAS-Identifier = "Dejamobile" (5) Airespace-Wlan-Id = 1 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) EAP-Message = 0x0206005315800000004917030300447faf547f2d6fb7d5abcaaf1c210b8e0187dbcb790c3e36ba59060260fad4e263465a94afa3ccef5d7e76f84d6f46d3d30998f3c80c52a22e54de4e5c2a807294a4aca3db (5) State = 0x3928d6d23d2ec3c470d72d9dc025396c (5) Message-Authenticator = 0xa69f949d8589b0539d6e70fbcc826bc6 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 83 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6 (5) eap: Finished EAP session with state 0x3928d6d23d2ec3c4 (5) eap: Previous EAP request found for state 0x3928d6d23d2ec3c4, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes (5) eap_ttls: (TLS) EAP Got all data (73 bytes) (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565 (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "chris.nzengue" (5) State = 0x106ef3d5106ff7e6264667ace5f7b4d2 (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 1 length 35 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) files: Searching for user in group "AADDC Users" rlm_ldap (ldap): Reserved connection (0) (5) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (5) files: --> (&(objectClass=user)(sAMAccountName=chris.nzengue)) (5) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub" (5) files: Waiting for search result... (5) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com" (5) files: Checking user object's memberOf attributes (5) files: Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (5) files: Waiting for search result... (5) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (5) files: Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name (5) files: Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (5) files: Waiting for search result... (5) files: Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO" (5) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (5) files: Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name (5) files: Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (5) files: Waiting for search result... (5) files: Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam" (5) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (5) files: Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name (5) files: Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (5) files: Waiting for search result... (5) files: Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur" rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) files: User is not a member of "AADDC Users" (5) [files] = noop rlm_ldap (ldap): Reserved connection (1) (5) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (5) ldap: --> (&(objectClass=user)(sAMAccountName=chris.nzengue)) (5) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub" (5) ldap: Waiting for search result... (5) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com" (5) ldap: Processing user attributes (5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (1) (5) [ldap] = ok (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6 (5) eap: Finished EAP session with state 0x106ef3d5106ff7e6 (5) eap: Previous EAP request found for state 0x106ef3d5106ff7e6, released from the list (5) eap: Peer sent packet with method EAP MD5 (4) (5) eap: Calling submodule eap_md5 to process data (5) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (5) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 1 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> chris.nzengue (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x04010004 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 6 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> chris.nzengue (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 65 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44 (5) EAP-Message = 0x04060004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 60 with timestamp +22 due to cleanup_delay was reached (1) Cleaning up request packet ID 61 with timestamp +22 due to cleanup_delay was reached (2) Cleaning up request packet ID 62 with timestamp +22 due to cleanup_delay was reached (3) Cleaning up request packet ID 63 with timestamp +22 due to cleanup_delay was reached (4) Cleaning up request packet ID 64 with timestamp +22 due to cleanup_delay was reached Waking up in 0.2 seconds. (5) Cleaning up request packet ID 65 with timestamp +22 due to cleanup_delay was reached Ready to process requests (6) Received Access-Request Id 66 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269 (6) User-Name = "chris.nzengue" (6) Chargeable-User-Identity = 0x14 (6) Location-Capable = Civic-Location (6) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (6) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (6) NAS-Port = 1 (6) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (6) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (6) NAS-IP-Address = 192.168.200.20 (6) NAS-Identifier = "Dejamobile" (6) Airespace-Wlan-Id = 1 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) EAP-Message = 0x020100120163687269732e6e7a656e677565 (6) Message-Authenticator = 0x04716ca8efc66c87deb829afd564835e (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 1 length 18 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: (TLS) Initiating new session (6) eap: Sending EAP Request (code 1) ID 2 length 6 (6) eap: EAP session adding &reply:State = 0xb06a93a4b06886f8 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) Sent Access-Challenge Id 66 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64 (6) EAP-Message = 0x010200061520 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xb06a93a4b06886f8af54277185111954 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 67 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430 (7) User-Name = "chris.nzengue" (7) Chargeable-User-Identity = 0x14 (7) Location-Capable = Civic-Location (7) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (7) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (7) NAS-Port = 1 (7) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (7) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (7) NAS-IP-Address = 192.168.200.20 (7) NAS-Identifier = "Dejamobile" (7) Airespace-Wlan-Id = 1 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f507ddda497f89309a6801f714fc625ee51897918a136b390ed62ba730300002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (7) State = 0xb06a93a4b06886f8af54277185111954 (7) Message-Authenticator = 0xc24227a2378efffbc3b1075a04b6469a (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 2 length 161 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xb06a93a4b06886f8 (7) eap: Finished EAP session with state 0xb06a93a4b06886f8 (7) eap: Previous EAP request found for state 0xb06a93a4b06886f8, released from the list (7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes (7) eap_ttls: (TLS) EAP Got all data (151 bytes) (7) eap_ttls: (TLS) Handshake state - before SSL initialization (7) eap_ttls: (TLS) Handshake state - Server before SSL initialization (7) eap_ttls: (TLS) Handshake state - Server before SSL initialization (7) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (7) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (7) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (7) eap_ttls: (TLS) In Handshake Phase (7) eap: Sending EAP Request (code 1) ID 3 length 1004 (7) eap: EAP session adding &reply:State = 0xb06a93a4b16986f8 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) Sent Access-Challenge Id 67 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068 (7) EAP-Message = 0x010303ec15c0000004b1160303003d020000390303026be732868da5ade139a288a53f8dac55c2b3e393564573fe037abee2d494cb00c030000011ff01000100000b00040300010200170000160303030f0b00030b00030800030530820301308201e9a00302010202140ea85d3ec7ee7aec904f3547480a14d73c892031300d06092a864886f70d01010b050030173115301306035504030c0c726164697573736572766572301e170d3232313131363134303934355a170d3332313131333134303934355a30173115301306035504030c0c72616469757373657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100adda610f374fc54e2949f1d9a7ba9ad8abf1c24a9773f9ab5fa50b43fefd07a7c61da781fd53b4277cdbe46b9964548a4125a313d4d3df6ee6593fe9dba778843c02dfa1ebceeaf17370dd8604a60085efa9d7b78b0ad571a378b30074bbabef337174fdef87ab30482289f75f3661d0b972299e9aefab (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb06a93a4b16986f8af54277185111954 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 68 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275 (8) User-Name = "chris.nzengue" (8) Chargeable-User-Identity = 0x14 (8) Location-Capable = Civic-Location (8) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (8) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (8) NAS-Port = 1 (8) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (8) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (8) NAS-IP-Address = 192.168.200.20 (8) NAS-Identifier = "Dejamobile" (8) Airespace-Wlan-Id = 1 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) EAP-Message = 0x020300061500 (8) State = 0xb06a93a4b16986f8af54277185111954 (8) Message-Authenticator = 0x0aa15d8721da3796d573e74f7cb9d80a (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 3 length 6 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb06a93a4b16986f8 (8) eap: Finished EAP session with state 0xb06a93a4b16986f8 (8) eap: Previous EAP request found for state 0xb06a93a4b16986f8, released from the list (8) eap: Peer sent packet with method EAP TTLS (21) (8) eap: Calling submodule eap_ttls to process data (8) eap_ttls: Authenticate (8) eap_ttls: (TLS) Peer ACKed our handshake fragment (8) eap: Sending EAP Request (code 1) ID 4 length 217 (8) eap: EAP session adding &reply:State = 0xb06a93a4b26e86f8 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) Sent Access-Challenge Id 68 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275 (8) EAP-Message = 0x010400d91580000004b10097f501404446d75765f353e00ba11a38c9d8b03b8130c97ab3f461a973c837c7278ca05260132dc7ffc2d9c69d6278f4caec292bbf3aff547982a6b646b89840697c34aea050230143a6f341d6e4f77d711e272bc2e5ba7f44ea03b6b7c479aa6c67a5be51d58da3f67d07e01d59ca0f334c88390e756a0c203664a2f49a9669863b039ae7aa5358457baf93418877a8fabc3f4441c6453431c6d573e831809067d2470dcbfa6812a24a9e445579080900d3582d14ad2eb69fcbadfae89ee4884679ac77d716030300040e000000 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xb06a93a4b26e86f8af54277185111954 (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 69 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405 (9) User-Name = "chris.nzengue" (9) Chargeable-User-Identity = 0x14 (9) Location-Capable = Civic-Location (9) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (9) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (9) NAS-Port = 1 (9) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (9) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (9) NAS-IP-Address = 192.168.200.20 (9) NAS-Identifier = "Dejamobile" (9) Airespace-Wlan-Id = 1 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) EAP-Message = 0x0204008815800000007e1603030046100000424104bcb05e9ba5ebc01969e6451ca2dd8ad3047d264fb49a0aaae1334245f3ee007cd0571e406182d4db73c00ef12beaecdfeeed8ba828f08f1da11b3823a09027061403030001011603030028055c825a7cda76658bf919b822b00a85ba2962186168f0200f034e6a59d44623e1dcb6961e119655 (9) State = 0xb06a93a4b26e86f8af54277185111954 (9) Message-Authenticator = 0xd05333313b7f97d9f662c7176758ee93 (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 4 length 136 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xb06a93a4b26e86f8 (9) eap: Finished EAP session with state 0xb06a93a4b26e86f8 (9) eap: Previous EAP request found for state 0xb06a93a4b26e86f8, released from the list (9) eap: Peer sent packet with method EAP TTLS (21) (9) eap: Calling submodule eap_ttls to process data (9) eap_ttls: Authenticate (9) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes (9) eap_ttls: (TLS) EAP Got all data (126 bytes) (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (9) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (9) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (9) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (9) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (9) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (9) eap_ttls: (TLS) Connection Established (9) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) eap_ttls: TLS-Session-Version = "TLS 1.2" (9) eap: Sending EAP Request (code 1) ID 5 length 61 (9) eap: EAP session adding &reply:State = 0xb06a93a4b36f86f8 (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Challenge { ... } # empty sub-section is ignored (9) session-state: Saving cached attributes (9) Framed-MTU = 994 (9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) TLS-Session-Version = "TLS 1.2" (9) Sent Access-Challenge Id 69 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119 (9) EAP-Message = 0x0105003d1580000000331403030001011603030028d24fc42abd6c93595bca05ae4f609d15cc9e9d1390c6ebadf69d8306c02f665f730329bbc16fba9b (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xb06a93a4b36f86f8af54277185111954 (9) Finished request Waking up in 4.9 seconds. (10) Received Access-Request Id 70 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336 (10) User-Name = "chris.nzengue" (10) Chargeable-User-Identity = 0x14 (10) Location-Capable = Civic-Location (10) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (10) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (10) NAS-Port = 1 (10) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (10) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (10) NAS-IP-Address = 192.168.200.20 (10) NAS-Identifier = "Dejamobile" (10) Airespace-Wlan-Id = 1 (10) Service-Type = Framed-User (10) Framed-MTU = 1300 (10) NAS-Port-Type = Wireless-802.11 (10) EAP-Message = 0x020500431580000000391703030034055c825a7cda7666218232272050e9269e4ece33975dec65f19718088ca239cb67788e727536ddf614279eaea1b61c1441a4726b (10) State = 0xb06a93a4b36f86f8af54277185111954 (10) Message-Authenticator = 0xb6621b928cfd197b4a86cdad6c58c6f9 (10) Restoring &session-state (10) &session-state:Framed-MTU = 994 (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 5 length 67 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0xb06a93a4b36f86f8 (10) eap: Finished EAP session with state 0xb06a93a4b36f86f8 (10) eap: Previous EAP request found for state 0xb06a93a4b36f86f8, released from the list (10) eap: Peer sent packet with method EAP TTLS (21) (10) eap: Calling submodule eap_ttls to process data (10) eap_ttls: Authenticate (10) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes (10) eap_ttls: (TLS) EAP Got all data (57 bytes) (10) eap_ttls: Session established. Proceeding to decode tunneled attributes (10) eap_ttls: Got tunneled request (10) eap_ttls: EAP-Message = 0x020000120163687269732e6e7a656e677565 (10) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_ttls: Got tunneled identity of chris.nzengue (10) eap_ttls: Setting default EAP type for tunneled EAP session (10) eap_ttls: Sending tunneled request (10) Virtual server inner-tunnel received request (10) EAP-Message = 0x020000120163687269732e6e7a656e677565 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "chris.nzengue" (10) WARNING: Outer and inner identities are the same. User privacy is compromised. (10) server inner-tunnel { (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [chap] = noop (10) [mschap] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 0 length 18 (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (10) authenticate { (10) eap: Peer sent packet with method EAP Identity (1) (10) eap: Calling submodule eap_md5 to process data (10) eap_md5: Issuing MD5 Challenge (10) eap: Sending EAP Request (code 1) ID 1 length 22 (10) eap: EAP session adding &reply:State = 0x4402aae04403aead (10) [eap] = handled (10) } # authenticate = handled (10) } # server inner-tunnel (10) Virtual server sending reply (10) EAP-Message = 0x0101001604102159bde60b2e60420dd98342dac2e574 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x4402aae04403aead50a58e9ebcef6551 (10) eap_ttls: Got tunneled Access-Challenge (10) eap: Sending EAP Request (code 1) ID 6 length 71 (10) eap: EAP session adding &reply:State = 0xb06a93a4b46c86f8 (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) session-state: Saving cached attributes (10) Framed-MTU = 994 (10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (10) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) TLS-Session-Version = "TLS 1.2" (10) Sent Access-Challenge Id 70 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129 (10) EAP-Message = 0x0106004715800000003d1703030038d24fc42abd6c935a2809ce7be46cc5d28f9e549f3edb4ca54df04a5f174a5c1cdd6f37b0d9fbc84103a89bdcdfb38565a66a5bc2dfb19654 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xb06a93a4b46c86f8af54277185111954 (10) Finished request Waking up in 4.9 seconds. (11) Received Access-Request Id 71 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352 (11) User-Name = "chris.nzengue" (11) Chargeable-User-Identity = 0x14 (11) Location-Capable = Civic-Location (11) Calling-Station-Id = "98-5a-eb-8e-1c-5c" (11) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test" (11) NAS-Port = 1 (11) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64" (11) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017" (11) NAS-IP-Address = 192.168.200.20 (11) NAS-Identifier = "Dejamobile" (11) Airespace-Wlan-Id = 1 (11) Service-Type = Framed-User (11) Framed-MTU = 1300 (11) NAS-Port-Type = Wireless-802.11 (11) EAP-Message = 0x020600531580000000491703030044055c825a7cda7667c7154a803cd94615441be6ab0d2222f75f36d997c204e0545d45ab5925417126f12750a01296cd1c296d4dc91bf7d63e7573fa858f504a3c9b0fdf50 (11) State = 0xb06a93a4b46c86f8af54277185111954 (11) Message-Authenticator = 0xbc7275f34cf240da340a2c24f6b95a75 (11) Restoring &session-state (11) &session-state:Framed-MTU = 994 (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) &session-state:TLS-Session-Version = "TLS 1.2" (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 6 length 83 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x4402aae04403aead (11) eap: Finished EAP session with state 0xb06a93a4b46c86f8 (11) eap: Previous EAP request found for state 0xb06a93a4b46c86f8, released from the list (11) eap: Peer sent packet with method EAP TTLS (21) (11) eap: Calling submodule eap_ttls to process data (11) eap_ttls: Authenticate (11) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes (11) eap_ttls: (TLS) EAP Got all data (73 bytes) (11) eap_ttls: Session established. Proceeding to decode tunneled attributes (11) eap_ttls: Got tunneled request (11) eap_ttls: EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565 (11) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (11) eap_ttls: Sending tunneled request (11) Virtual server inner-tunnel received request (11) EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565 (11) FreeRADIUS-Proxied-To = 127.0.0.1 (11) User-Name = "chris.nzengue" (11) State = 0x4402aae04403aead50a58e9ebcef6551 (11) WARNING: Outer and inner identities are the same. User privacy is compromised. (11) server inner-tunnel { (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [chap] = noop (11) [mschap] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) update control { (11) &Proxy-To-Realm := LOCAL (11) } # update control = noop (11) eap: Peer sent EAP Response (code 2) ID 1 length 35 (11) eap: No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) files: Searching for user in group "AADDC Users" rlm_ldap (ldap): Reserved connection (2) (11) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (11) files: --> (&(objectClass=user)(sAMAccountName=chris.nzengue)) (11) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub" (11) files: Waiting for search result... (11) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com" (11) files: Checking user object's memberOf attributes (11) files: Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (11) files: Waiting for search result... (11) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (11) files: Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name (11) files: Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (11) files: Waiting for search result... (11) files: Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO" (11) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (11) files: Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name (11) files: Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (11) files: Waiting for search result... (11) files: Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam" (11) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN (11) files: Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name (11) files: Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base" (11) files: Waiting for search result... (11) files: Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur" rlm_ldap (ldap): Released connection (2) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (11) files: User is not a member of "AADDC Users" (11) [files] = noop rlm_ldap (ldap): Reserved connection (3) (11) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (11) ldap: --> (&(objectClass=user)(sAMAccountName=chris.nzengue)) (11) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub" (11) ldap: Waiting for search result... (11) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com" (11) ldap: Processing user attributes (11) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (11) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (3) (11) [ldap] = ok (11) [expiration] = noop (11) [logintime] = noop (11) [pap] = noop (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11) authenticate { (11) eap: Expiring EAP session with state 0x4402aae04403aead (11) eap: Finished EAP session with state 0x4402aae04403aead (11) eap: Previous EAP request found for state 0x4402aae04403aead, released from the list (11) eap: Peer sent packet with method EAP MD5 (4) (11) eap: Calling submodule eap_md5 to process data (11) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (11) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed (11) eap: Sending EAP Failure (code 4) ID 1 length 4 (11) eap: Failed in EAP select (11) [eap] = invalid (11) } # authenticate = invalid (11) Failed to authenticate the user (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (11) Post-Auth-Type REJECT { (11) attr_filter.access_reject: EXPAND %{User-Name} (11) attr_filter.access_reject: --> chris.nzengue (11) attr_filter.access_reject: Matched entry DEFAULT at line 11 (11) [attr_filter.access_reject] = updated (11) update outer.session-state { (11) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication' (11) } # update outer.session-state = noop (11) } # Post-Auth-Type REJECT = updated (11) } # server inner-tunnel (11) Virtual server sending reply (11) EAP-Message = 0x04010004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) eap_ttls: Got tunneled Access-Reject (11) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (11) eap: Sending EAP Failure (code 4) ID 6 length 4 (11) eap: Failed in EAP select (11) [eap] = invalid (11) } # authenticate = invalid (11) Failed to authenticate the user (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) Post-Auth-Type REJECT { (11) attr_filter.access_reject: EXPAND %{User-Name} (11) attr_filter.access_reject: --> chris.nzengue (11) attr_filter.access_reject: Matched entry DEFAULT at line 11 (11) [attr_filter.access_reject] = updated (11) [eap] = noop (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # Post-Auth-Type REJECT = updated (11) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (11) Sending delayed response (11) Sent Access-Reject Id 71 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44 (11) EAP-Message = 0x04060004 (11) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (6) Cleaning up request packet ID 66 with timestamp +42 due to cleanup_delay was reached (7) Cleaning up request packet ID 67 with timestamp +42 due to cleanup_delay was reached (8) Cleaning up request packet ID 68 with timestamp +42 due to cleanup_delay was reached (9) Cleaning up request packet ID 69 with timestamp +43 due to cleanup_delay was reached (10) Cleaning up request packet ID 70 with timestamp +43 due to cleanup_delay was reached Waking up in 0.2 seconds. (11) Cleaning up request packet ID 71 with timestamp +43 due to cleanup_delay was reached Ready to process requests Chris Nzengue Stagiaire DEVOPS DEVOPS internship Fixe / Office: +33(2)14747500 chris.nzengue@dejamobile.com<mailto:%7BE-mail%7D> [cid:logo-500x500_8c612466-939f-4f99-8d85-3affb0831c87.png] [cid:SocialLink_Linkedin_32x32_44e008ea-1b1a-4fa0-b32f-2c845382148a.png] <https://www.linkedin.com/company/dejamobile/> [cid:SocialLink_Twitter_32x32_082f5645-c4de-4011-bd63-3d63208f4a3e.png] <https://twitter.com/dejamobile> <https://www.linkedin.com/company/dejamobile/><https://www.linkedin.com/company/dejamobile/>[cid:mpe23mail_8ab29f82-07d3-4119-943b-776a4cea5fb3.png]<https://www.merchantpaymentsecosystem.com/>
On Mar 13, 2023, at 1:50 PM, Chris Nzengue - dejamobile externe <chris.nzengue@dejamobile.com> wrote:
i can't add "Auth-Type := LDAP" in the authorize section.
Yes, you can. See "man unlang". You can't just put random things into the configuration and expect them to work. When you do attribute editing, you have to use an "update" statement. This is documented everywhere, and is also shown in all of the examples in the virtual servers.
I changed my default file and my inner-tunnel file to the default configuration. I also added/checked the module eap in the authtorize section. i changed and checked some elements steps by steps like recommended. Unfortunaly my configuration still doesn't work. ... (11) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (11) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
You can't use EAP-MD5 with Azure. https://networkradius.com/articles/2021/10/08/authentication-system-and-prot... You must use TTLS + PAP. Alan DeKok.
participants (2)
-
Alan DeKok -
Chris Nzengue - dejamobile externe