Re: Re: freeradius doesn't see user in group (Active Directory) but user belong to this group
Message: 1 Date: Sat, 04 Jul 2015 11:44:01 -0400 From: Brendan Kearney <bpk678@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Re: freeradius doesn't see user in group (Active Directory) but user belong to this group Message-ID: <5597FF41.6050706@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed
On 07/04/2015 03:17 AM, stefan nowak wrote:
Hi All,
since few days I've stocked with configuration freeradius. All works good except one thing. I can't get info from Active Directory to freeradius in which group user belong (this one I need to set vlan depend on group). My version freeradius is 3.0.4
as you can see below user "newuser" participate in group "computers", here`s output from ldapsearch:
dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: newuser givenName: newuser distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com instanceType: 4 whenCreated: 20150702132126.0Z whenChanged: 20150703105127.0Z displayName: newuser uSNCreated: 82039 memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com uSNChanged: 90187 name: newuser objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130803168865078125 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: newuser sAMAccountType: 805306368 userPrincipalName: newuser@test.ad.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 130803172388710937
from log output I see that user "newuser" get access-accept but freeradius didn`t find him in group "computers" here is output:
Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812 length 129 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000c016e657775736572 Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182, length=129 (0) NAS-IP-Address = 192.168.0.2 (0) NAS-Port = 50024 (0) NAS-Port-Type = Ethernet (0) User-Name = 'newuser' (0) Called-Station-Id = '00-16-9D-D3-40-D8' (0) Calling-Station-Id = '68-B5-99-C8-B0-5E' (0) Service-Type = Framed-User (0) Framed-MTU = 1500 (0) EAP-Message = 0x0200000c016e657775736572 (0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "newuser", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 0 length 12 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300e913e66 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182, length=0 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x0e9027300e913e6603c734ef610afcab Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300e913e6603c734ef610afcab (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812 length 276 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300e913e6603c734ef610afcab EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183, length=276 (1) NAS-IP-Address = 192.168.0.2 (1) NAS-Port = 50024 (1) NAS-Port-Type = Ethernet (1) User-Name = 'newuser' (1) Called-Station-Id = '00-16-9D-D3-40-D8' (1) Calling-Station-Id = '68-B5-99-C8-B0-5E' (1) Service-Type = Framed-User (1) Framed-MTU = 1500 (1) State = 0x0e9027300e913e6603c734ef610afcab (1) EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 (1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "newuser", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : Peer sent code Response (2) ID 1 length 141 (1) eap : Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x0e9027300e913e66 (1) eap : Finished EAP session with state 0x0e9027300e913e66 (1) eap : Previous EAP request found for state 0x0e9027300e913e66, released from the list (1) eap : Peer sent method PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 131 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello SSL: Client requested cached session fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94 (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300f923e66 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183, length=0 (1) EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x0e9027300f923e6603c734ef610afcab Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300f923e6603c734ef610afcab (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300f923e6603c734ef610afcab EAP-Message = 0x020200061900 Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184, length=141 (2) NAS-IP-Address = 192.168.0.2 (2) NAS-Port = 50024 (2) NAS-Port-Type = Ethernet (2) User-Name = 'newuser' (2) Called-Station-Id = '00-16-9D-D3-40-D8' (2) Calling-Station-Id = '68-B5-99-C8-B0-5E' (2) Service-Type = Framed-User (2) Framed-MTU = 1500 (2) State = 0x0e9027300f923e6603c734ef610afcab (2) EAP-Message = 0x020200061900 (2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "newuser", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : Peer sent code Response (2) ID 2 length 6 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x0e9027300f923e66 (2) eap : Finished EAP session with state 0x0e9027300f923e66 (2) eap : Previous EAP request found for state 0x0e9027300f923e66, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300c933e66 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184, length=0 (2) EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x0e9027300c933e6603c734ef610afcab Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f00308 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300c933e6603c734ef610afcab (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300c933e6603c734ef610afcab EAP-Message = 0x020300061900 Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185, length=141 (3) NAS-IP-Address = 192.168.0.2 (3) NAS-Port = 50024 (3) NAS-Port-Type = Ethernet (3) User-Name = 'newuser' (3) Called-Station-Id = '00-16-9D-D3-40-D8' (3) Calling-Station-Id = '68-B5-99-C8-B0-5E' (3) Service-Type = Framed-User (3) Framed-MTU = 1500 (3) State = 0x0e9027300c933e6603c734ef610afcab (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (!&User-Name) (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : No '@' in User-Name = "newuser", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x0e9027300c933e66 (3) eap : Finished EAP session with state 0x0e9027300c933e66 (3) eap : Previous EAP request found for state 0x0e9027300c933e66, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300d943e66 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185, length=0 (3) EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x0e9027300d943e6603c734ef610afcab Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300d943e6603c734ef610afcab (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812 length 473 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300d943e6603c734ef610afcab EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186, length=473 (4) NAS-IP-Address = 192.168.0.2 (4) NAS-Port = 50024 (4) NAS-Port-Type = Ethernet (4) User-Name = 'newuser' (4) Called-Station-Id = '00-16-9D-D3-40-D8' (4) Calling-Station-Id = '68-B5-99-C8-B0-5E' (4) Service-Type = Framed-User (4) Framed-MTU = 1500 (4) State = 0x0e9027300d943e6603c734ef610afcab (4) EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd (4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (!&User-Name) (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : Checking for suffix after "@" (4) suffix : No '@' in User-Name = "newuser", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : Peer sent code Response (2) ID 4 length 336 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x0e9027300d943e66 (4) eap : Finished EAP session with state 0x0e9027300d943e66 (4) eap : Previous EAP request found for state 0x0e9027300d943e66, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS TLS Length 326 (4) eap_peap : Length Included (4) eap_peap : eaptls_verify returned 11 (4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_peap : TLS_accept: SSLv3 read client key exchange A (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 read finished A (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 write finished A (4) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache (4) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300a953e66 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186, length=0 (4) EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x0e9027300a953e6603c734ef610afcab Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300a953e6603c734ef610afcab (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300a953e6603c734ef610afcab EAP-Message = 0x020500061900 Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187, length=141 (5) NAS-IP-Address = 192.168.0.2 (5) NAS-Port = 50024 (5) NAS-Port-Type = Ethernet (5) User-Name = 'newuser' (5) Called-Station-Id = '00-16-9D-D3-40-D8' (5) Calling-Station-Id = '68-B5-99-C8-B0-5E' (5) Service-Type = Framed-User (5) Framed-MTU = 1500 (5) State = 0x0e9027300a953e6603c734ef610afcab (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (!&User-Name) (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : Checking for suffix after "@" (5) suffix : No '@' in User-Name = "newuser", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x0e9027300a953e66 (5) eap : Finished EAP session with state 0x0e9027300a953e66 (5) eap : Previous EAP request found for state 0x0e9027300a953e66, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake is finished (5) eap_peap : eaptls_verify returned 3 (5) eap_peap : eaptls_process returned 3 (5) eap_peap : FR_TLS_SUCCESS (5) eap_peap : Session established. Decoding tunneled attributes (5) eap_peap : Peap state TUNNEL ESTABLISHED (5) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300b963e66 (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187, length=0 (5) EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x0e9027300b963e6603c734ef610afcab Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300b963e6603c734ef610afcab (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300b963e6603c734ef610afcab EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188, length=178 (6) NAS-IP-Address = 192.168.0.2 (6) NAS-Port = 50024 (6) NAS-Port-Type = Ethernet (6) User-Name = 'newuser' (6) Called-Station-Id = '00-16-9D-D3-40-D8' (6) Calling-Station-Id = '68-B5-99-C8-B0-5E' (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) State = 0x0e9027300b963e6603c734ef610afcab (6) EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a (6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (!&User-Name) (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : Peer sent code Response (2) ID 6 length 43 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0x0e9027300b963e66 (6) eap : Finished EAP session with state 0x0e9027300b963e66 (6) eap : Previous EAP request found for state 0x0e9027300b963e66, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : eaptls_verify returned 7 (6) eap_peap : Done initial handshake (6) eap_peap : eaptls_process returned 7 (6) eap_peap : FR_TLS_OK (6) eap_peap : Session established. Decoding tunneled attributes (6) eap_peap : Peap state WAITING FOR INNER IDENTITY (6) eap_peap : Identity - newuser (6) eap_peap : Got inner identity 'newuser' (6) eap_peap : Setting default EAP type for tunneled EAP session (6) eap_peap : Got tunneled request EAP-Message = 0x0206000c016e657775736572 server default { (6) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (6) server inner-tunnel { (6) Request: EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) update control { (6) Proxy-To-Realm := 'LOCAL' (6) } # update control = noop (6) eap : Peer sent code Response (2) ID 6 length 12 (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap : Peer sent method Identity (1) (6) eap : Calling eap_mschapv2 to process EAP data (6) eap_mschapv2 : Issuing Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x51469e48514184c8 (6) [eap] = handled (6) } # authenticate = handled (6) Reply: EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) } # server inner-tunnel } # server inner-tunnel (6) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled Access-Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x0e90273008973e66 (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188, length=0 (6) EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0e90273008973e6603c734ef610afcab Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273008973e6603c734ef610afcab (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812 length 242 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273008973e6603c734ef610afcab EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189, length=242 (7) NAS-IP-Address = 192.168.0.2 (7) NAS-Port = 50024 (7) NAS-Port-Type = Ethernet (7) User-Name = 'newuser' (7) Called-Station-Id = '00-16-9D-D3-40-D8' (7) Calling-Station-Id = '68-B5-99-C8-B0-5E' (7) Service-Type = Framed-User (7) Framed-MTU = 1500 (7) State = 0x0e90273008973e6603c734ef610afcab (7) EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb (7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (!&User-Name) (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : Peer sent code Response (2) ID 7 length 107 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x0e90273008973e66 (7) eap : Previous EAP request found for state 0x0e90273008973e66, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state phase2 (7) eap_peap : EAP type MSCHAPv2 (26) (7) eap_peap : Got tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 server default { (7) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (7) server inner-tunnel { (7) Request: EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : Peer sent code Response (2) ID 7 length 66 (7) eap : No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (4) (7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap : --> (uid=newuser) (7) ldap : EXPAND dc=test,dc=ad,dc=com (7) ldap : --> dc=test,dc=ad,dc=com (7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (7) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (4) (7) [ldap] = notfound (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x51469e48514184c8 (7) eap : Previous EAP request found for state 0x51469e48514184c8, released from the list (7) eap : Peer sent method MSCHAPv2 (26) (7) eap : EAP MSCHAPv2 (26) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2 : Auth-Type MS-CHAP { (7) mschap : Creating challenge hash with username: newuser (7) mschap : Client is using MS-CHAPv2 Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap : --> --username=newuser (7) mschap : Creating challenge hash with username: newuser (7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap : --> --challenge=141c75ef267aec37 (7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap : --> --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e Program returned code (0) and output 'NT_KEY: 917FDA71960ECCF4DF81D38405F86F42' (7) mschap : Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # Auth-Type MS-CHAP = ok MSCHAP Success (7) eap : New EAP session, adding 'State' attribute to reply 0x51469e48504e84c8 (7) [eap] = handled (7) } # authenticate = handled (7) Reply: EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) } # server inner-tunnel } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x0e90273009983e66 (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189, length=0 (7) EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0e90273009983e6603c734ef610afcab Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273009983e6603c734ef610afcab (7) Finished request Waking up in 4.5 seconds. Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273009983e6603c734ef610afcab EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190, length=178 (8) NAS-IP-Address = 192.168.0.2 (8) NAS-Port = 50024 (8) NAS-Port-Type = Ethernet (8) User-Name = 'newuser' (8) Called-Station-Id = '00-16-9D-D3-40-D8' (8) Calling-Station-Id = '68-B5-99-C8-B0-5E' (8) Service-Type = Framed-User (8) Framed-MTU = 1500 (8) State = 0x0e90273009983e6603c734ef610afcab (8) EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d (8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (!&User-Name) (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : Peer sent code Response (2) ID 8 length 43 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x0e90273009983e66 (8) eap : Previous EAP request found for state 0x0e90273009983e66, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020800061a03 server default { (8) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (8) server inner-tunnel { (8) Request: EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : Peer sent code Response (2) ID 8 length 6 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (3) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (3) rlm_ldap (ldap): 0 of 3 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to 192.168.0.20:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = notfound (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x51469e48504e84c8 (8) eap : Previous EAP request found for state 0x51469e48504e84c8, released from the list (8) eap : Peer sent method MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap : Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) ldap : EXPAND . (8) ldap : --> . (8) ldap : EXPAND Authenticated at %S (8) ldap : --> Authenticated at 2015-07-03 14:28:13 rlm_ldap (ldap): Reserved connection (5) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (5) (8) [ldap] = notfound (8) } # post-auth = notfound (8) Reply: MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) } # server inner-tunnel } # server inner-tunnel (8) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Tunneled authentication was successful (8) eap_peap : SUCCESS (8) eap_peap : Saving tunneled attributes for later (8) eap : New EAP session, adding 'State' attribute to reply 0x0e90273006993e66 (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190, length=0 (8) EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x0e90273006993e6603c734ef610afcab Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273006993e6603c734ef610afcab (8) Finished request Waking up in 3.8 seconds. Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273006993e6603c734ef610afcab EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191, length=178 (9) NAS-IP-Address = 192.168.0.2 (9) NAS-Port = 50024 (9) NAS-Port-Type = Ethernet (9) User-Name = 'newuser' (9) Called-Station-Id = '00-16-9D-D3-40-D8' (9) Calling-Station-Id = '68-B5-99-C8-B0-5E' (9) Service-Type = Framed-User (9) Framed-MTU = 1500 (9) State = 0x0e90273006993e6603c734ef610afcab (9) EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb (9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (!&User-Name) (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "newuser", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : Peer sent code Response (2) ID 9 length 43 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x0e90273006993e66 (9) eap : Finished EAP session with state 0x0e90273006993e66 (9) eap : Previous EAP request found for state 0x0e90273006993e66, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state send tlv success (9) eap_peap : Received EAP-TLV response (9) eap_peap : Success (9) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'newuser' (9) eap_peap : Saving session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps 0x7f6012aedf20 in the cache (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) ldap : EXPAND . (9) ldap : --> . (9) ldap : EXPAND Authenticated at %S (9) ldap : --> Authenticated at 2015-07-03 14:28:14 rlm_ldap (ldap): Reserved connection (2) (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap : --> (uid=newuser) (9) ldap : EXPAND dc=test,dc=ad,dc=com (9) ldap : --> dc=test,dc=ad,dc=com (9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (2) (9) [ldap] = notfound (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com" rlm_ldap (ldap): Reserved connection (1) (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) --> (uid=newuser) (9) EXPAND dc=test,dc=ad,dc=com (9) --> dc=test,dc=ad,dc=com (9) Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) Search returned no results rlm_ldap (ldap): Deleting connection (1) (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") -> FALSE (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191, length=0 (9) User-Name = 'newuser' (9) MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 (9) MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-MSK = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-EMSK = 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603 (9) EAP-Session-Id = 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812 User-Name = 'newuser' MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 (9) Finished request
in ldap config file, part related user and groups looks like below:
user { base_dn = "dc=test,dc=ad,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group {
base_dn ="dc=test,dc=ad,dc=com" filter = "(objectClass=posixGroup)" name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = "memberOf" }
Why freeradius can't match group "computers" to user "newuser"?
I would be very glad on any help - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html your filter and membership_filter directives conflict.
the objectClass posixGroup uses the memberUid attribute, while the objectClass groupOfNames uses the member attribute.
because you are using AD, it should support RFC 2307bis, which makes the posixGroup an auxiliary objectClass, and not structural. both attributes (member and memberUid) can be defined for the same object, but it is likely that only one is used.
get our your favorite LDAP browser (phpLdapAdmin, gq, lat, luma, or SoftTerra LDAP Browser for windows) and look at the group object you are trying to match on. note the used attributes and adjust your filter and membership_filter directives accordingly.
Thank you for reply, as I understood I've changed : filter = "(objectClass=posixgroup)" to-> filter = "(objectClass=group)" and membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" to -> membership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" and still nothing. by the way I can't figure out in freeradius output logs part where system is trying match this filters. does my configuration is correct to searching groups?
On 07/06/2015 08:47 AM, stefan nowak wrote:
Message: 1 Date: Sat, 04 Jul 2015 11:44:01 -0400 From: Brendan Kearney <bpk678@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Re: freeradius doesn't see user in group (Active Directory) but user belong to this group Message-ID: <5597FF41.6050706@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed
On 07/04/2015 03:17 AM, stefan nowak wrote:
Hi All,
since few days I've stocked with configuration freeradius. All works good except one thing. I can't get info from Active Directory to freeradius in which group user belong (this one I need to set vlan depend on group). My version freeradius is 3.0.4
as you can see below user "newuser" participate in group "computers", here`s output from ldapsearch:
dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: newuser givenName: newuser distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com instanceType: 4 whenCreated: 20150702132126.0Z whenChanged: 20150703105127.0Z displayName: newuser uSNCreated: 82039 memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com uSNChanged: 90187 name: newuser objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130803168865078125 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: newuser sAMAccountType: 805306368 userPrincipalName: newuser@test.ad.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 130803172388710937
from log output I see that user "newuser" get access-accept but freeradius didn`t find him in group "computers" here is output:
Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812 length 129 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000c016e657775736572 Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182, length=129 (0) NAS-IP-Address = 192.168.0.2 (0) NAS-Port = 50024 (0) NAS-Port-Type = Ethernet (0) User-Name = 'newuser' (0) Called-Station-Id = '00-16-9D-D3-40-D8' (0) Calling-Station-Id = '68-B5-99-C8-B0-5E' (0) Service-Type = Framed-User (0) Framed-MTU = 1500 (0) EAP-Message = 0x0200000c016e657775736572 (0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "newuser", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 0 length 12 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300e913e66 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182, length=0 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x0e9027300e913e6603c734ef610afcab Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300e913e6603c734ef610afcab (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812 length 276 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300e913e6603c734ef610afcab EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183, length=276 (1) NAS-IP-Address = 192.168.0.2 (1) NAS-Port = 50024 (1) NAS-Port-Type = Ethernet (1) User-Name = 'newuser' (1) Called-Station-Id = '00-16-9D-D3-40-D8' (1) Calling-Station-Id = '68-B5-99-C8-B0-5E' (1) Service-Type = Framed-User (1) Framed-MTU = 1500 (1) State = 0x0e9027300e913e6603c734ef610afcab (1) EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 (1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "newuser", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : Peer sent code Response (2) ID 1 length 141 (1) eap : Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x0e9027300e913e66 (1) eap : Finished EAP session with state 0x0e9027300e913e66 (1) eap : Previous EAP request found for state 0x0e9027300e913e66, released from the list (1) eap : Peer sent method PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 131 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello SSL: Client requested cached session fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94 (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300f923e66 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183, length=0 (1) EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x0e9027300f923e6603c734ef610afcab Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300f923e6603c734ef610afcab (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300f923e6603c734ef610afcab EAP-Message = 0x020200061900 Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184, length=141 (2) NAS-IP-Address = 192.168.0.2 (2) NAS-Port = 50024 (2) NAS-Port-Type = Ethernet (2) User-Name = 'newuser' (2) Called-Station-Id = '00-16-9D-D3-40-D8' (2) Calling-Station-Id = '68-B5-99-C8-B0-5E' (2) Service-Type = Framed-User (2) Framed-MTU = 1500 (2) State = 0x0e9027300f923e6603c734ef610afcab (2) EAP-Message = 0x020200061900 (2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "newuser", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : Peer sent code Response (2) ID 2 length 6 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x0e9027300f923e66 (2) eap : Finished EAP session with state 0x0e9027300f923e66 (2) eap : Previous EAP request found for state 0x0e9027300f923e66, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300c933e66 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184, length=0 (2) EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x0e9027300c933e6603c734ef610afcab Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f00308 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300c933e6603c734ef610afcab (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300c933e6603c734ef610afcab EAP-Message = 0x020300061900 Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185, length=141 (3) NAS-IP-Address = 192.168.0.2 (3) NAS-Port = 50024 (3) NAS-Port-Type = Ethernet (3) User-Name = 'newuser' (3) Called-Station-Id = '00-16-9D-D3-40-D8' (3) Calling-Station-Id = '68-B5-99-C8-B0-5E' (3) Service-Type = Framed-User (3) Framed-MTU = 1500 (3) State = 0x0e9027300c933e6603c734ef610afcab (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (!&User-Name) (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : No '@' in User-Name = "newuser", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x0e9027300c933e66 (3) eap : Finished EAP session with state 0x0e9027300c933e66 (3) eap : Previous EAP request found for state 0x0e9027300c933e66, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300d943e66 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185, length=0 (3) EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x0e9027300d943e6603c734ef610afcab Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300d943e6603c734ef610afcab (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812 length 473 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300d943e6603c734ef610afcab EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186, length=473 (4) NAS-IP-Address = 192.168.0.2 (4) NAS-Port = 50024 (4) NAS-Port-Type = Ethernet (4) User-Name = 'newuser' (4) Called-Station-Id = '00-16-9D-D3-40-D8' (4) Calling-Station-Id = '68-B5-99-C8-B0-5E' (4) Service-Type = Framed-User (4) Framed-MTU = 1500 (4) State = 0x0e9027300d943e6603c734ef610afcab (4) EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd (4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (!&User-Name) (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : Checking for suffix after "@" (4) suffix : No '@' in User-Name = "newuser", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : Peer sent code Response (2) ID 4 length 336 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x0e9027300d943e66 (4) eap : Finished EAP session with state 0x0e9027300d943e66 (4) eap : Previous EAP request found for state 0x0e9027300d943e66, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS TLS Length 326 (4) eap_peap : Length Included (4) eap_peap : eaptls_verify returned 11 (4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_peap : TLS_accept: SSLv3 read client key exchange A (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 read finished A (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 write finished A (4) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache (4) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300a953e66 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186, length=0 (4) EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x0e9027300a953e6603c734ef610afcab Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300a953e6603c734ef610afcab (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300a953e6603c734ef610afcab EAP-Message = 0x020500061900 Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187, length=141 (5) NAS-IP-Address = 192.168.0.2 (5) NAS-Port = 50024 (5) NAS-Port-Type = Ethernet (5) User-Name = 'newuser' (5) Called-Station-Id = '00-16-9D-D3-40-D8' (5) Calling-Station-Id = '68-B5-99-C8-B0-5E' (5) Service-Type = Framed-User (5) Framed-MTU = 1500 (5) State = 0x0e9027300a953e6603c734ef610afcab (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (!&User-Name) (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : Checking for suffix after "@" (5) suffix : No '@' in User-Name = "newuser", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x0e9027300a953e66 (5) eap : Finished EAP session with state 0x0e9027300a953e66 (5) eap : Previous EAP request found for state 0x0e9027300a953e66, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake is finished (5) eap_peap : eaptls_verify returned 3 (5) eap_peap : eaptls_process returned 3 (5) eap_peap : FR_TLS_SUCCESS (5) eap_peap : Session established. Decoding tunneled attributes (5) eap_peap : Peap state TUNNEL ESTABLISHED (5) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300b963e66 (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187, length=0 (5) EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x0e9027300b963e6603c734ef610afcab Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300b963e6603c734ef610afcab (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300b963e6603c734ef610afcab EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188, length=178 (6) NAS-IP-Address = 192.168.0.2 (6) NAS-Port = 50024 (6) NAS-Port-Type = Ethernet (6) User-Name = 'newuser' (6) Called-Station-Id = '00-16-9D-D3-40-D8' (6) Calling-Station-Id = '68-B5-99-C8-B0-5E' (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) State = 0x0e9027300b963e6603c734ef610afcab (6) EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a (6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (!&User-Name) (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : Peer sent code Response (2) ID 6 length 43 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0x0e9027300b963e66 (6) eap : Finished EAP session with state 0x0e9027300b963e66 (6) eap : Previous EAP request found for state 0x0e9027300b963e66, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : eaptls_verify returned 7 (6) eap_peap : Done initial handshake (6) eap_peap : eaptls_process returned 7 (6) eap_peap : FR_TLS_OK (6) eap_peap : Session established. Decoding tunneled attributes (6) eap_peap : Peap state WAITING FOR INNER IDENTITY (6) eap_peap : Identity - newuser (6) eap_peap : Got inner identity 'newuser' (6) eap_peap : Setting default EAP type for tunneled EAP session (6) eap_peap : Got tunneled request EAP-Message = 0x0206000c016e657775736572 server default { (6) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (6) server inner-tunnel { (6) Request: EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) update control { (6) Proxy-To-Realm := 'LOCAL' (6) } # update control = noop (6) eap : Peer sent code Response (2) ID 6 length 12 (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap : Peer sent method Identity (1) (6) eap : Calling eap_mschapv2 to process EAP data (6) eap_mschapv2 : Issuing Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x51469e48514184c8 (6) [eap] = handled (6) } # authenticate = handled (6) Reply: EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) } # server inner-tunnel } # server inner-tunnel (6) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled Access-Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x0e90273008973e66 (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188, length=0 (6) EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0e90273008973e6603c734ef610afcab Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273008973e6603c734ef610afcab (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812 length 242 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273008973e6603c734ef610afcab EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189, length=242 (7) NAS-IP-Address = 192.168.0.2 (7) NAS-Port = 50024 (7) NAS-Port-Type = Ethernet (7) User-Name = 'newuser' (7) Called-Station-Id = '00-16-9D-D3-40-D8' (7) Calling-Station-Id = '68-B5-99-C8-B0-5E' (7) Service-Type = Framed-User (7) Framed-MTU = 1500 (7) State = 0x0e90273008973e6603c734ef610afcab (7) EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb (7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (!&User-Name) (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : Peer sent code Response (2) ID 7 length 107 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x0e90273008973e66 (7) eap : Previous EAP request found for state 0x0e90273008973e66, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state phase2 (7) eap_peap : EAP type MSCHAPv2 (26) (7) eap_peap : Got tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 server default { (7) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (7) server inner-tunnel { (7) Request: EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : Peer sent code Response (2) ID 7 length 66 (7) eap : No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (4) (7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap : --> (uid=newuser) (7) ldap : EXPAND dc=test,dc=ad,dc=com (7) ldap : --> dc=test,dc=ad,dc=com (7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (7) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (4) (7) [ldap] = notfound (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x51469e48514184c8 (7) eap : Previous EAP request found for state 0x51469e48514184c8, released from the list (7) eap : Peer sent method MSCHAPv2 (26) (7) eap : EAP MSCHAPv2 (26) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2 : Auth-Type MS-CHAP { (7) mschap : Creating challenge hash with username: newuser (7) mschap : Client is using MS-CHAPv2 Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap : --> --username=newuser (7) mschap : Creating challenge hash with username: newuser (7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap : --> --challenge=141c75ef267aec37 (7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap : --> --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e Program returned code (0) and output 'NT_KEY: 917FDA71960ECCF4DF81D38405F86F42' (7) mschap : Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # Auth-Type MS-CHAP = ok MSCHAP Success (7) eap : New EAP session, adding 'State' attribute to reply 0x51469e48504e84c8 (7) [eap] = handled (7) } # authenticate = handled (7) Reply: EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) } # server inner-tunnel } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x0e90273009983e66 (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189, length=0 (7) EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0e90273009983e6603c734ef610afcab Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273009983e6603c734ef610afcab (7) Finished request Waking up in 4.5 seconds. Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273009983e6603c734ef610afcab EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190, length=178 (8) NAS-IP-Address = 192.168.0.2 (8) NAS-Port = 50024 (8) NAS-Port-Type = Ethernet (8) User-Name = 'newuser' (8) Called-Station-Id = '00-16-9D-D3-40-D8' (8) Calling-Station-Id = '68-B5-99-C8-B0-5E' (8) Service-Type = Framed-User (8) Framed-MTU = 1500 (8) State = 0x0e90273009983e6603c734ef610afcab (8) EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d (8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (!&User-Name) (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : Peer sent code Response (2) ID 8 length 43 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x0e90273009983e66 (8) eap : Previous EAP request found for state 0x0e90273009983e66, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020800061a03 server default { (8) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (8) server inner-tunnel { (8) Request: EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : Peer sent code Response (2) ID 8 length 6 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (3) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (3) rlm_ldap (ldap): 0 of 3 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to 192.168.0.20:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = notfound (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x51469e48504e84c8 (8) eap : Previous EAP request found for state 0x51469e48504e84c8, released from the list (8) eap : Peer sent method MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap : Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) ldap : EXPAND . (8) ldap : --> . (8) ldap : EXPAND Authenticated at %S (8) ldap : --> Authenticated at 2015-07-03 14:28:13 rlm_ldap (ldap): Reserved connection (5) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (5) (8) [ldap] = notfound (8) } # post-auth = notfound (8) Reply: MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) } # server inner-tunnel } # server inner-tunnel (8) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Tunneled authentication was successful (8) eap_peap : SUCCESS (8) eap_peap : Saving tunneled attributes for later (8) eap : New EAP session, adding 'State' attribute to reply 0x0e90273006993e66 (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190, length=0 (8) EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x0e90273006993e6603c734ef610afcab Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273006993e6603c734ef610afcab (8) Finished request Waking up in 3.8 seconds. Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273006993e6603c734ef610afcab EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191, length=178 (9) NAS-IP-Address = 192.168.0.2 (9) NAS-Port = 50024 (9) NAS-Port-Type = Ethernet (9) User-Name = 'newuser' (9) Called-Station-Id = '00-16-9D-D3-40-D8' (9) Calling-Station-Id = '68-B5-99-C8-B0-5E' (9) Service-Type = Framed-User (9) Framed-MTU = 1500 (9) State = 0x0e90273006993e6603c734ef610afcab (9) EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb (9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (!&User-Name) (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "newuser", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : Peer sent code Response (2) ID 9 length 43 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x0e90273006993e66 (9) eap : Finished EAP session with state 0x0e90273006993e66 (9) eap : Previous EAP request found for state 0x0e90273006993e66, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state send tlv success (9) eap_peap : Received EAP-TLV response (9) eap_peap : Success (9) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'newuser' (9) eap_peap : Saving session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps 0x7f6012aedf20 in the cache (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) ldap : EXPAND . (9) ldap : --> . (9) ldap : EXPAND Authenticated at %S (9) ldap : --> Authenticated at 2015-07-03 14:28:14 rlm_ldap (ldap): Reserved connection (2) (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap : --> (uid=newuser) (9) ldap : EXPAND dc=test,dc=ad,dc=com (9) ldap : --> dc=test,dc=ad,dc=com (9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (2) (9) [ldap] = notfound (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com" rlm_ldap (ldap): Reserved connection (1) (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) --> (uid=newuser) (9) EXPAND dc=test,dc=ad,dc=com (9) --> dc=test,dc=ad,dc=com (9) Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) Search returned no results rlm_ldap (ldap): Deleting connection (1) (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") -> FALSE (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191, length=0 (9) User-Name = 'newuser' (9) MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 (9) MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-MSK = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-EMSK = 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603 (9) EAP-Session-Id = 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812 User-Name = 'newuser' MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 (9) Finished request
in ldap config file, part related user and groups looks like below:
user { base_dn = "dc=test,dc=ad,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group {
base_dn ="dc=test,dc=ad,dc=com" filter = "(objectClass=posixGroup)" name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = "memberOf" }
Why freeradius can't match group "computers" to user "newuser"?
I would be very glad on any help - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html your filter and membership_filter directives conflict.
the objectClass posixGroup uses the memberUid attribute, while the objectClass groupOfNames uses the member attribute.
because you are using AD, it should support RFC 2307bis, which makes the posixGroup an auxiliary objectClass, and not structural. both attributes (member and memberUid) can be defined for the same object, but it is likely that only one is used.
get our your favorite LDAP browser (phpLdapAdmin, gq, lat, luma, or SoftTerra LDAP Browser for windows) and look at the group object you are trying to match on. note the used attributes and adjust your filter and membership_filter directives accordingly. Thank you for reply,
as I understood I've changed :
filter = "(objectClass=posixgroup)" to-> filter = "(objectClass=group)"
and
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" to -> membership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
and still nothing.
by the way I can't figure out in freeradius output logs part where system is trying match this filters.
does my configuration is correct to searching groups?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html since i am using openldap, and not AD, my setting are slightly different than yours.
... filter = "(objectClass=groupOfNames)" ... membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" the filter should be set to the objectClass that AD uses, which is likely "group". the membership filter should not be changed, as it looks for member OR memberUid. you need to make sure that all of the specifics match. also, are you sure newuser exists in the directory? logs show the ID is not being found. any line that has ldap or rlm_ldap is where you should be looking for hints...
participants (2)
-
Brendan Kearney -
stefan nowak