Two issues with FR 3.1
Hi Alan, Here's the debug information you requested. Thanks, Chris radiusd: #### Opening IP addresses and Ports #### Listening on command file /var/run/radiusd/control/radiusd.sock Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address 127.0.0.1 port 18122 bound to server eduroam-inner-tunnel Listening on auth address 127.0.0.1 port 28120 bound to server captive-portal Listening on auth address X.X.X.X port 28120 bound to server captive-portal Listening on status address 127.0.0.1 port 18121 bound to server status Listening on proxy address * port 36322 Listening on proxy address :: port 57199 Ready to process requests (1) Received Access-Request Id 77 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 292 (1) User-Name = "testuser@realm" (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (1) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (1) NAS-Port = 13 (1) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (1) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (1) NAS-IP-Address = Y.Y.Y.Y (1) NAS-Identifier = "WM13" (1) Airespace-Wlan-Id = 8 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "446" (1) EAP-Message = 0x020100170165636c366368406c656564732e61632e756b (1) Message-Authenticator = 0x2f0eff9e4f79f94e7189010a34c8fffe (1) Running section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) local_rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 64:AE:0C:91:42:60 (1) &Called-Station-Id := 64:AE:0C:91:42:60 (1) } # update request (noop) (1) if ("%{8}") { (1) EXPAND %{8} (1) --> RADIUS-TEST (1) update request { (1) EXPAND %{8} (1) --> RADIUS-TEST (1) &Called-Station-SSID := RADIUS-TEST (1) } # update request (noop) (1) } # if ("%{8}") (noop) (1) updated (updated) (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) } # local_rewrite_called_station_id (updated) (1) local_rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> A4:D1:8C:E4:9F:22 (1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (1) } # update request (noop) (1) updated (updated) (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) } # local_rewrite_calling_station_id (updated) (1) filter_username { (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) ... (1) } (1) if (&User-Name =~ /@[^@]*@/ ) { (1) ... (1) } (1) if (&User-Name =~ /\.\./ ) { (1) ... (1) } (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (1) ... (1) } (1) if (&User-Name =~ /\.$/) { (1) ... (1) } (1) if (&User-Name =~ /@\./) { (1) ... (1) } (1) } # if (&User-Name) (updated) (1) } # filter_username (updated) (1) bad_realms { (1) if (&User-Name =~ /\.ax\.uk$/i) { (1) ... (1) } (1) if (&User-Name =~ /@ac\.uk$/i) { (1) ... (1) } (1) if (&User-Name =~ /3gppnetwork\.org$/i) { (1) ... (1) } (1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /myabc\.com$/i) { (1) ... (1) } (1) } # bad_realms (updated) (1) preprocess (ok) (1) operator-name.authorize { (1) if ("%{client:Operator-Name}") { (1) EXPAND %{client:Operator-Name} (1) --> 1realm.ac.uk (1) update request { (1) EXPAND %{client:Operator-Name} (1) --> 1realm.ac.uk (1) &Operator-Name = 1realm.ac.uk (1) } # update request (noop) (1) } # if ("%{client:Operator-Name}") (noop) (1) } # operator-name.authorize (noop) (1) suffix - Checking for suffix after "@" (1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (1) suffix - Found realm "realm.ac.uk" (1) suffix - Adding Stripped-User-Name = "testuser" (1) suffix - Adding Realm = "realm.ac.uk" (1) suffix - Authentication realm is LOCAL (1) suffix (ok) (1) if (&Realm) { (1) update control { (1) &control:Proxy-To-Realm := LOCAL (1) } # update control (noop) (1) } # if (&Realm) (noop) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) if (&Realm) { (1) if (&Stripped-User-Name != "") { (1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (1) EXPAND %{tolower:%{Stripped-User-Name}} (1) --> testuser (1) ... (1) } (1) group { (1) check_blacklist (ok) (1) if (&control:Local-Banned-User) { (1) ... (1) } (1) else { (1) noop (noop) (1) } # else (noop) (1) } # group (ok) (1) } # if (&Stripped-User-Name != "") (ok) (1) } # if (&Realm) (ok) (1) eap - Peer sent EAP Response (code 2) ID 1 length 23 (1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (1) eap (ok) (1) } # authorize (ok) (1) Using 'Auth-Type = eap' for authenticate {...} (1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (1) Auth-Type eap { (1) eap - Peer sent packet with EAP method Identity (1) (1) eap - Calling submodule eap_peap to process data (1) eap_peap - Initiating new TLS session (1) eap - Sending EAP Request (code 1) ID 2 length 6 (1) eap (handled) (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) attr_filter.access_challenge - EXPAND %{User-Name} (1) attr_filter.access_challenge - --> testuser@realm (1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (1) attr_filter.access_challenge.post-auth (updated) (1) handled (handled) (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (1) } # Auth-Type eap (handled) (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 77 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x010138003637b8d43b39393138ab9701 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 78 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 418 (2) User-Name = "testuser@realm" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (2) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (2) NAS-Port = 13 (2) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (2) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (2) NAS-IP-Address = Y.Y.Y.Y (2) NAS-Identifier = "WM13" (2) Airespace-Wlan-Id = 8 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "446" (2) EAP-Message = 0x0202008319800000007916030100740100007003015838561f7c35db9df95d549eb9befc0ca9bbc9fbc9027794c6893d1c9b40e77000002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 (2) State = 0x010138003637b8d43b39393138ab9701 (2) Message-Authenticator = 0xcf0cbabf5a3dcda1ac3c2f2c0a98eb8b (2,1) Running section authorize from file /etc/raddb/sites-enabled/default (2,1) authorize { (2,1) local_rewrite_called_station_id { (2,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2,1) update request { (2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2,1) --> 64:AE:0C:91:42:60 (2,1) &Called-Station-Id := 64:AE:0C:91:42:60 (2,1) } # update request (noop) (2,1) if ("%{8}") { (2,1) EXPAND %{8} (2,1) --> RADIUS-TEST (2,1) update request { (2,1) EXPAND %{8} (2,1) --> RADIUS-TEST (2,1) &Called-Station-SSID := RADIUS-TEST (2,1) } # update request (noop) (2,1) } # if ("%{8}") (noop) (2,1) updated (updated) (2,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) } # local_rewrite_called_station_id (updated) (2,1) local_rewrite_calling_station_id { (2,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2,1) update request { (2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2,1) --> A4:D1:8C:E4:9F:22 (2,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (2,1) } # update request (noop) (2,1) updated (updated) (2,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) } # local_rewrite_calling_station_id (updated) (2,1) filter_username { (2,1) if (&User-Name) { (2,1) if (&User-Name =~ / /) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@[^@]*@/ ) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /\.\./ ) { (2,1) ... (2,1) } (2,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /\.$/) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@\./) { (2,1) ... (2,1) } (2,1) } # if (&User-Name) (updated) (2,1) } # filter_username (updated) (2,1) bad_realms { (2,1) if (&User-Name =~ /\.ax\.uk$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@ac\.uk$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /myabc\.com$/i) { (2,1) ... (2,1) } (2,1) } # bad_realms (updated) (2,1) preprocess (ok) (2,1) operator-name.authorize { (2,1) if ("%{client:Operator-Name}") { (2,1) EXPAND %{client:Operator-Name} (2,1) --> 1realm.ac.uk (2,1) update request { (2,1) EXPAND %{client:Operator-Name} (2,1) --> 1realm.ac.uk (2,1) &Operator-Name = 1realm.ac.uk (2,1) } # update request (noop) (2,1) } # if ("%{client:Operator-Name}") (noop) (2,1) } # operator-name.authorize (noop) (2,1) suffix - Checking for suffix after "@" (2,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (2,1) suffix - Found realm "realm.ac.uk" (2,1) suffix - Adding Stripped-User-Name = "testuser" (2,1) suffix - Adding Realm = "realm.ac.uk" (2,1) suffix - Authentication realm is LOCAL (2,1) suffix (ok) (2,1) if (&Realm) { (2,1) update control { (2,1) &control:Proxy-To-Realm := LOCAL (2,1) } # update control (noop) (2,1) } # if (&Realm) (noop) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) if (&Realm) { (2,1) if (&Stripped-User-Name != "") { (2,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (2,1) EXPAND %{tolower:%{Stripped-User-Name}} (2,1) --> testuser (2,1) ... (2,1) } (2,1) group { (2,1) check_blacklist (ok) (2,1) if (&control:Local-Banned-User) { (2,1) ... (2,1) } (2,1) else { (2,1) noop (noop) (2,1) } # else (noop) (2,1) } # group (ok) (2,1) } # if (&Stripped-User-Name != "") (ok) (2,1) } # if (&Realm) (ok) (2,1) eap - Peer sent EAP Response (code 2) ID 2 length 131 (2,1) eap - Continuing tunnel setup (2,1) eap (ok) (2,1) } # authorize (ok) (2,1) Using 'Auth-Type = eap' for authenticate {...} (2,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (2,1) Auth-Type eap { (2,1) eap - Peer sent packet with EAP method PEAP (25) (2,1) eap - Calling submodule eap_peap to process data (2,1) eap_peap - Continuing EAP-TLS (2,1) eap_peap - Peer indicated complete TLS record size will be 121 bytes (2,1) eap_peap - Got complete TLS record, with length field (121 bytes) (2,1) eap_peap - [eap-tls verify] = complete (2,1) eap_peap - Handshake state - before/accept initialization (2,1) eap_peap - Handshake state - Server before/accept initialization (2,1) eap_peap - <<< recv handshake [length 116], client_hello (2,1) eap_peap - Handshake state - Server SSLv3 read client hello A (2,1) eap_peap - >>> send handshake [length 57], server_hello (2,1) eap_peap - Handshake state - Server SSLv3 write server hello A (2,1) eap_peap - >>> send handshake [length 2643], certificate (2,1) eap_peap - Handshake state - Server SSLv3 write certificate A (2,1) eap_peap - >>> send handshake [length 331], server_key_exchange (2,1) eap_peap - Handshake state - Server SSLv3 write key exchange A (2,1) eap_peap - >>> send handshake [length 4], server_hello_done (2,1) eap_peap - Handshake state - Server SSLv3 write server done A (2,1) eap_peap - Handshake state - Server SSLv3 flush data (2,1) eap_peap - Need more data from client (2,1) eap_peap - Need more data from client (2,1) eap_peap - Complete TLS record (3055 bytes) larger than MTU (990 bytes), will fragment (2,1) eap_peap - Sending first TLS record fragment (990 bytes), 2065 bytes remaining (2,1) eap_peap - [eap-tls process] = handled (2,1) eap - Sending EAP Request (code 1) ID 3 length 1000 (2,1) eap (handled) (2,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (2,1) EXPAND Response-Packet-Type (2,1) --> Access-Challenge (2,1) attr_filter.access_challenge - EXPAND %{User-Name} (2,1) attr_filter.access_challenge - --> testuser@realm (2,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (2,1) attr_filter.access_challenge.post-auth (updated) (2,1) handled (handled) (2,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (2,1) } # Auth-Type eap (handled) (2,1) Using Post-Auth-Type Challenge (2,1) Post-Auth-Type sub-section not found. Ignoring. (2,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (2,1) Sent Access-Challenge Id 78 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (2,1) EAP-Message = 0x010303e819c000000bef16030100390200003503015838561fbe318d85e54c607db0dc6d03c0b5e5d4d2266165638bd4fff41936b900c01400000dff01000100000b0004030001021603010a530b000a4f000a4c0004f6308204f2308203daa003020102021437ff648df0d47ee77e787cee2cab98c71324c34c300d06092a864886f70d01010b0500304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c20494341204732301e170d3136303831313134353330385a170d3139303831313134353330355a307f310b3009060355040613024742311730150603550408130e5765737420596f726b7368697265310e300c060355040713054c45454453311c301a060355040a1313556e6976657273697479206f66204c65656473310c300a060355040b1303492e54311b3019060355040313127261646975732e6c656564732e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100b05f6ffc1d8d9a1d6602e4e3fb505be1df826dbe0e8e2cd96127b2beeea934476f474d835388182926f52f7de4ef5dc0f0c439f59b88f0494c2f2f8724e69790e0c7f9379941b0524d7b74e95ae882f556a1f9df197fcbe00ef20677bb1bfaa66a575783594163b1efffda474b26101c56f6906d9434eab449a96f4d9aaa92d73bd83396f2fba04afb8fc92013d6ea56eb98ee202f87961616a391b33dbca45634aa899c9f5846b19935588fc6874c228bf01c4e5c930ed66feaacc52507d5753582dd7ac994ba1c067e1b22e6c72c1acdd141b4fa8a553f9acde4b6571bea31e280f298a5ace02370bff63b582325a3a8bcd10982f79059bac57a46f26949b70203010001a382019630820192307306082b0601050507010104673065302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d303706082b06010505073002862b687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e637274301d0603551d110416301482127261646975732e6c656564732e61632e756b30510603551d20044a30483046060c2b06010401be5800026401013036303406082b060105050702011628687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f7265706f7369746f7279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302301f0603551d23041830168014911962ad5b17a730fbf0de3925b1bd8cb9b85127303a0603551d1f043330 (2,1) Message-Authenticator = 0x00000000000000000000000000000000 (2,1) State = 0x02033800aecc10fa3b39393138ab9701 (2,1) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 79 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (3) User-Name = "testuser@realm" (3) Chargeable-User-Identity = 0x00 (3) Location-Capable = Civix-Location (3) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (3) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (3) NAS-Port = 13 (3) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (3) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (3) NAS-IP-Address = Y.Y.Y.Y (3) NAS-Identifier = "WM13" (3) Airespace-Wlan-Id = 8 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = "446" (3) EAP-Message = 0x020300061900 (3) State = 0x02033800aecc10fa3b39393138ab9701 (3) Message-Authenticator = 0x34efdefe25b8b008e5bac82e18ee94ff (3,1) Running section authorize from file /etc/raddb/sites-enabled/default (3,1) authorize { (3,1) local_rewrite_called_station_id { (3,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3,1) update request { (3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3,1) --> 64:AE:0C:91:42:60 (3,1) &Called-Station-Id := 64:AE:0C:91:42:60 (3,1) } # update request (noop) (3,1) if ("%{8}") { (3,1) EXPAND %{8} (3,1) --> RADIUS-TEST (3,1) update request { (3,1) EXPAND %{8} (3,1) --> RADIUS-TEST (3,1) &Called-Station-SSID := RADIUS-TEST (3,1) } # update request (noop) (3,1) } # if ("%{8}") (noop) (3,1) updated (updated) (3,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) } # local_rewrite_called_station_id (updated) (3,1) local_rewrite_calling_station_id { (3,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3,1) update request { (3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3,1) --> A4:D1:8C:E4:9F:22 (3,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (3,1) } # update request (noop) (3,1) updated (updated) (3,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) } # local_rewrite_calling_station_id (updated) (3,1) filter_username { (3,1) if (&User-Name) { (3,1) if (&User-Name =~ / /) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@[^@]*@/ ) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /\.\./ ) { (3,1) ... (3,1) } (3,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /\.$/) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@\./) { (3,1) ... (3,1) } (3,1) } # if (&User-Name) (updated) (3,1) } # filter_username (updated) (3,1) bad_realms { (3,1) if (&User-Name =~ /\.ax\.uk$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@ac\.uk$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /myabc\.com$/i) { (3,1) ... (3,1) } (3,1) } # bad_realms (updated) (3,1) preprocess (ok) (3,1) operator-name.authorize { (3,1) if ("%{client:Operator-Name}") { (3,1) EXPAND %{client:Operator-Name} (3,1) --> 1realm.ac.uk (3,1) update request { (3,1) EXPAND %{client:Operator-Name} (3,1) --> 1realm.ac.uk (3,1) &Operator-Name = 1realm.ac.uk (3,1) } # update request (noop) (3,1) } # if ("%{client:Operator-Name}") (noop) (3,1) } # operator-name.authorize (noop) (3,1) suffix - Checking for suffix after "@" (3,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (3,1) suffix - Found realm "realm.ac.uk" (3,1) suffix - Adding Stripped-User-Name = "testuser" (3,1) suffix - Adding Realm = "realm.ac.uk" (3,1) suffix - Authentication realm is LOCAL (3,1) suffix (ok) (3,1) if (&Realm) { (3,1) update control { (3,1) &control:Proxy-To-Realm := LOCAL (3,1) } # update control (noop) (3,1) } # if (&Realm) (noop) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) if (&Realm) { (3,1) if (&Stripped-User-Name != "") { (3,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (3,1) EXPAND %{tolower:%{Stripped-User-Name}} (3,1) --> testuser (3,1) ... (3,1) } (3,1) group { (3,1) check_blacklist (ok) (3,1) if (&control:Local-Banned-User) { (3,1) ... (3,1) } (3,1) else { (3,1) noop (noop) (3,1) } # else (noop) (3,1) } # group (ok) (3,1) } # if (&Stripped-User-Name != "") (ok) (3,1) } # if (&Realm) (ok) (3,1) eap - Peer sent EAP Response (code 2) ID 3 length 6 (3,1) eap - Continuing tunnel setup (3,1) eap (ok) (3,1) } # authorize (ok) (3,1) Using 'Auth-Type = eap' for authenticate {...} (3,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (3,1) Auth-Type eap { (3,1) eap - Peer sent packet with EAP method PEAP (25) (3,1) eap - Calling submodule eap_peap to process data (3,1) eap_peap - Continuing EAP-TLS (3,1) eap_peap - Peer ACKed our handshake fragment (3,1) eap_peap - [eap-tls verify] = request (3,1) eap_peap - Sending additional TLS record fragment (994 bytes), 1071 bytes remaining (3,1) eap_peap - [eap-tls process] = handled (3,1) eap - Sending EAP Request (code 1) ID 4 length 1000 (3,1) eap (handled) (3,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (3,1) EXPAND Response-Packet-Type (3,1) --> Access-Challenge (3,1) attr_filter.access_challenge - EXPAND %{User-Name} (3,1) attr_filter.access_challenge - --> testuser@realm (3,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (3,1) attr_filter.access_challenge.post-auth (updated) (3,1) handled (handled) (3,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (3,1) } # Auth-Type eap (handled) (3,1) Using Post-Auth-Type Challenge (3,1) Post-Auth-Type sub-section not found. Ignoring. (3,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (3,1) Sent Access-Challenge Id 79 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (3,1) EAP-Message = 0x010403e8194031302fa02da02b8629687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e63726c301d0603551d0e0416041431cc0012c0528beb4f3ff6c7fb7f8265057c0dd9300d06092a864886f70d01010b05000382010100a7d52e44c1f46b51a9d7395b2a3822ec0ebd0fb9f6af1fbd6f72ee6495c8a74c83db45fc958dad681d19859b9c8c6bc988c4b727276d669ac9945dee1cf9c7916e21175104d073a1c26c901ba390d68354fdd2296bde3526405803dc37b8df49525a563c2db126dba32be5e33f646624c1e675da984a6bfef13f69019afe7664874b04c9b4b64abd637a8ad66929f0d148e5f8efdb9b298bfcc2d083c67c1fa115dced735d0f184950cbb99c6cfdbebd9e18f57f8735f3b90787cfb1618e2c4bb3a5f54a5f83f5c2683e2c6dfd25c31675d046143c13b5c5fa72b39a93c2242e5308853a9361af20d5a0c5a441246b2255b75870d43c8b2ef14cc183018b6ad20005503082054c30820334a003020102021448982de2a92cb339e1c8f933358275d3e4f88255300d06092a864886f70d01010b05003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412032301e170d3133303630313133333530355a170d3233303630313133333530355a304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c2049434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e1856994c08f57fa34fec1b868e49990a9887ace57b7d0e4b554c2187dd0c319e8a96380f7b7dcd219a35ab060d976b41d325635f16ca39c42a18b8a233597417b056984288ece1e4d8b6024f1b488fec050f6c28fae9774f940aa6ef686b3a4e9c75f746514f43ddcbe4ea398645fe3066cc18fb61f5c9996c657c2cbad94890eadbeffb80ba5b638fbb54781d40fca09f10a3b120d1c0fe185b01336c3cb287dfca5f8373aa4ab404663829540bb12ac963f457df79de5037e24b89665631c5d8208414e7f6b5a8690c3f2ebe459f45e077b7d84b7ff31a199762f56cb80c489fc1a4f9869ea0b67c1fdb54be70c3de5107cef22c30fc6ab5dec881c55a30203010001a382012a3082012630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d2000307206082b0601050507010104663064302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d30 (3,1) Message-Authenticator = 0x00000000000000000000000000000000 (3,1) State = 0x030138003637b8d43b39393138ab9701 (3,1) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 80 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (4) User-Name = "testuser@realm" (4) Chargeable-User-Identity = 0x00 (4) Location-Capable = Civix-Location (4) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (4) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (4) NAS-Port = 13 (4) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (4) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (4) NAS-IP-Address = Y.Y.Y.Y (4) NAS-Identifier = "WM13" (4) Airespace-Wlan-Id = 8 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = "446" (4) EAP-Message = 0x020400061900 (4) State = 0x030138003637b8d43b39393138ab9701 (4) Message-Authenticator = 0x1443c965ed70ea0cdba34b15c0f14054 (4,1) Running section authorize from file /etc/raddb/sites-enabled/default (4,1) authorize { (4,1) local_rewrite_called_station_id { (4,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4,1) update request { (4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4,1) --> 64:AE:0C:91:42:60 (4,1) &Called-Station-Id := 64:AE:0C:91:42:60 (4,1) } # update request (noop) (4,1) if ("%{8}") { (4,1) EXPAND %{8} (4,1) --> RADIUS-TEST (4,1) update request { (4,1) EXPAND %{8} (4,1) --> RADIUS-TEST (4,1) &Called-Station-SSID := RADIUS-TEST (4,1) } # update request (noop) (4,1) } # if ("%{8}") (noop) (4,1) updated (updated) (4,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) } # local_rewrite_called_station_id (updated) (4,1) local_rewrite_calling_station_id { (4,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4,1) update request { (4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4,1) --> A4:D1:8C:E4:9F:22 (4,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (4,1) } # update request (noop) (4,1) updated (updated) (4,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) } # local_rewrite_calling_station_id (updated) (4,1) filter_username { (4,1) if (&User-Name) { (4,1) if (&User-Name =~ / /) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@[^@]*@/ ) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /\.\./ ) { (4,1) ... (4,1) } (4,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /\.$/) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@\./) { (4,1) ... (4,1) } (4,1) } # if (&User-Name) (updated) (4,1) } # filter_username (updated) (4,1) bad_realms { (4,1) if (&User-Name =~ /\.ax\.uk$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@ac\.uk$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /myabc\.com$/i) { (4,1) ... (4,1) } (4,1) } # bad_realms (updated) (4,1) preprocess (ok) (4,1) operator-name.authorize { (4,1) if ("%{client:Operator-Name}") { (4,1) EXPAND %{client:Operator-Name} (4,1) --> 1realm.ac.uk (4,1) update request { (4,1) EXPAND %{client:Operator-Name} (4,1) --> 1realm.ac.uk (4,1) &Operator-Name = 1realm.ac.uk (4,1) } # update request (noop) (4,1) } # if ("%{client:Operator-Name}") (noop) (4,1) } # operator-name.authorize (noop) (4,1) suffix - Checking for suffix after "@" (4,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (4,1) suffix - Found realm "realm.ac.uk" (4,1) suffix - Adding Stripped-User-Name = "testuser" (4,1) suffix - Adding Realm = "realm.ac.uk" (4,1) suffix - Authentication realm is LOCAL (4,1) suffix (ok) (4,1) if (&Realm) { (4,1) update control { (4,1) &control:Proxy-To-Realm := LOCAL (4,1) } # update control (noop) (4,1) } # if (&Realm) (noop) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) if (&Realm) { (4,1) if (&Stripped-User-Name != "") { (4,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (4,1) EXPAND %{tolower:%{Stripped-User-Name}} (4,1) --> testuser (4,1) ... (4,1) } (4,1) group { (4,1) check_blacklist (ok) (4,1) if (&control:Local-Banned-User) { (4,1) ... (4,1) } (4,1) else { (4,1) noop (noop) (4,1) } # else (noop) (4,1) } # group (ok) (4,1) } # if (&Stripped-User-Name != "") (ok) (4,1) } # if (&Realm) (ok) (4,1) eap - Peer sent EAP Response (code 2) ID 4 length 6 (4,1) eap - Continuing tunnel setup (4,1) eap (ok) (4,1) } # authorize (ok) (4,1) Using 'Auth-Type = eap' for authenticate {...} (4,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (4,1) Auth-Type eap { (4,1) eap - Peer sent packet with EAP method PEAP (25) (4,1) eap - Calling submodule eap_peap to process data (4,1) eap_peap - Continuing EAP-TLS (4,1) eap_peap - Peer ACKed our handshake fragment (4,1) eap_peap - [eap-tls verify] = request (4,1) eap_peap - Sending additional TLS record fragment (994 bytes), 77 bytes remaining (4,1) eap_peap - [eap-tls process] = handled (4,1) eap - Sending EAP Request (code 1) ID 5 length 1000 (4,1) eap (handled) (4,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (4,1) EXPAND Response-Packet-Type (4,1) --> Access-Challenge (4,1) attr_filter.access_challenge - EXPAND %{User-Name} (4,1) attr_filter.access_challenge - --> testuser@realm (4,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (4,1) attr_filter.access_challenge.post-auth (updated) (4,1) handled (handled) (4,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (4,1) } # Auth-Type eap (handled) (4,1) Using Post-Auth-Type Challenge (4,1) Post-Auth-Type sub-section not found. Ignoring. (4,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (4,1) Sent Access-Challenge Id 80 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (4,1) EAP-Message = 0x010503e819403606082b06010505073002862a687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f7176726361322e637274300e0603551d0f0101ff040403020106301f0603551d230418301680141a8462bc484c332504d4eed0f603c41946d1946b30390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f7176726361322e63726c301d0603551d0e04160414911962ad5b17a730fbf0de3925b1bd8cb9b85127300d06092a864886f70d01010b050003820201007c0a60820041b52dcc39e5f4db6bce008a9c0c89e6727453b96dc221e54c975a0599e8e3f88dbffa2da89f10c2e34420b4994d781ba3eb3d4fa265088869eed7e446af866113100f096cb2028e20f873d63af9b80cb78b3310f899d9200b3908f5d01af81ca41fcbf3af6de7516cb6b1a7daa50c6e2a2604addee8a40c82526abc7a9a9804417bb4d1464d92211851f78ef215c65eb65bb439e4b9a8950ed33ab3dc98a5ca3217114eace46b120562688ecfdc425a0d8988e880d420f69204ce86ad532268835810c04bd6fda3662f2b5c3634c95b19ff40c021088204d36f4f53634394a7d44f8ef99062a830feac1bc1a0fb08eb275f74ab49babe582fe3a89092b678badc7bcdbcedac0871df053110dc670fcd5f56dcf2e2b27b9382b70a50d1de232f87a6b97c05bfc4ea51b661db1252872cb9edcab0dea5a804eb3f596cdadbdfc7ba7f0f5e442865ea7063fc5cfbd9c8d4d68a33c36a852a89353265bd78fbcdbde67696dedd847d0644973eba2537b97928ec79e2027b909eebeaa25826ec74dc7c8f335d4aa78c1f767d51b02d944396b00ba7e0ff75c4d87655932a898cac2a8789c56a22b910c57b0c7438a09c7d724983c3aa41bc36a83e8917cb375f27bda7fb525f1c63fec28ae472228d95d82a617e89e233eb08810806bb43b5ae10c4fd744f277d445bb5dd7984f12622fd55efadfde7ae241f019fe748160301014b0c0001470300174104356f9c0ffc364039f66ce9ba8838433a255ea2a399b34afbecaa477b7942a55279ca97694b8f9bf039e0cfb476d1d5b7addccdfb40abfd08e74a23a89104c93501002e556ff2c5c79a3c84eae2e8a77fcb7263c10644d4b699a1d5ea92aa93a2c37fb98d01b49885178ef67475a7bfa4c53029c5ff0d9ca42702cc6e7e8ba9cc7149442ed24e26f5ecb814be162323a3f86596628d2357842d946bfb18bcf0eef9421dbe502d58003cc6edfa496b89c0d24c5e04cb7006be2e797a17a603e9ed8d91bfdff22a264a12245e96a6538b148658affc8899f72a0cfd57ecde4d06fcb40957c6b416b686579c01f6415f69b7064f3fdd2e12d8ba96fe861c2c08 (4,1) Message-Authenticator = 0x00000000000000000000000000000000 (4,1) State = 0x04073800aecc10fa3b39393138ab9701 (4,1) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 81 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (5) User-Name = "testuser@realm" (5) Chargeable-User-Identity = 0x00 (5) Location-Capable = Civix-Location (5) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (5) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (5) NAS-Port = 13 (5) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (5) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (5) NAS-IP-Address = Y.Y.Y.Y (5) NAS-Identifier = "WM13" (5) Airespace-Wlan-Id = 8 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = "446" (5) EAP-Message = 0x020500061900 (5) State = 0x04073800aecc10fa3b39393138ab9701 (5) Message-Authenticator = 0x71120286c728aae1154c25c60db52811 (5,1) Running section authorize from file /etc/raddb/sites-enabled/default (5,1) authorize { (5,1) local_rewrite_called_station_id { (5,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5,1) update request { (5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5,1) --> 64:AE:0C:91:42:60 (5,1) &Called-Station-Id := 64:AE:0C:91:42:60 (5,1) } # update request (noop) (5,1) if ("%{8}") { (5,1) EXPAND %{8} (5,1) --> RADIUS-TEST (5,1) update request { (5,1) EXPAND %{8} (5,1) --> RADIUS-TEST (5,1) &Called-Station-SSID := RADIUS-TEST (5,1) } # update request (noop) (5,1) } # if ("%{8}") (noop) (5,1) updated (updated) (5,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) } # local_rewrite_called_station_id (updated) (5,1) local_rewrite_calling_station_id { (5,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5,1) update request { (5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5,1) --> A4:D1:8C:E4:9F:22 (5,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (5,1) } # update request (noop) (5,1) updated (updated) (5,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) } # local_rewrite_calling_station_id (updated) (5,1) filter_username { (5,1) if (&User-Name) { (5,1) if (&User-Name =~ / /) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@[^@]*@/ ) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /\.\./ ) { (5,1) ... (5,1) } (5,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /\.$/) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@\./) { (5,1) ... (5,1) } (5,1) } # if (&User-Name) (updated) (5,1) } # filter_username (updated) (5,1) bad_realms { (5,1) if (&User-Name =~ /\.ax\.uk$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@ac\.uk$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /myabc\.com$/i) { (5,1) ... (5,1) } (5,1) } # bad_realms (updated) (5,1) preprocess (ok) (5,1) operator-name.authorize { (5,1) if ("%{client:Operator-Name}") { (5,1) EXPAND %{client:Operator-Name} (5,1) --> 1realm.ac.uk (5,1) update request { (5,1) EXPAND %{client:Operator-Name} (5,1) --> 1realm.ac.uk (5,1) &Operator-Name = 1realm.ac.uk (5,1) } # update request (noop) (5,1) } # if ("%{client:Operator-Name}") (noop) (5,1) } # operator-name.authorize (noop) (5,1) suffix - Checking for suffix after "@" (5,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (5,1) suffix - Found realm "realm.ac.uk" (5,1) suffix - Adding Stripped-User-Name = "testuser" (5,1) suffix - Adding Realm = "realm.ac.uk" (5,1) suffix - Authentication realm is LOCAL (5,1) suffix (ok) (5,1) if (&Realm) { (5,1) update control { (5,1) &control:Proxy-To-Realm := LOCAL (5,1) } # update control (noop) (5,1) } # if (&Realm) (noop) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) if (&Realm) { (5,1) if (&Stripped-User-Name != "") { (5,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (5,1) EXPAND %{tolower:%{Stripped-User-Name}} (5,1) --> testuser (5,1) ... (5,1) } (5,1) group { (5,1) check_blacklist (ok) (5,1) if (&control:Local-Banned-User) { (5,1) ... (5,1) } (5,1) else { (5,1) noop (noop) (5,1) } # else (noop) (5,1) } # group (ok) (5,1) } # if (&Stripped-User-Name != "") (ok) (5,1) } # if (&Realm) (ok) (5,1) eap - Peer sent EAP Response (code 2) ID 5 length 6 (5,1) eap - Continuing tunnel setup (5,1) eap (ok) (5,1) } # authorize (ok) (5,1) Using 'Auth-Type = eap' for authenticate {...} (5,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (5,1) Auth-Type eap { (5,1) eap - Peer sent packet with EAP method PEAP (25) (5,1) eap - Calling submodule eap_peap to process data (5,1) eap_peap - Continuing EAP-TLS (5,1) eap_peap - Peer ACKed our handshake fragment (5,1) eap_peap - [eap-tls verify] = request (5,1) eap_peap - Sending final TLS record fragment (77 bytes) (5,1) eap_peap - [eap-tls process] = handled (5,1) eap - Sending EAP Request (code 1) ID 6 length 83 (5,1) eap (handled) (5,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (5,1) EXPAND Response-Packet-Type (5,1) --> Access-Challenge (5,1) attr_filter.access_challenge - EXPAND %{User-Name} (5,1) attr_filter.access_challenge - --> testuser@realm (5,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (5,1) attr_filter.access_challenge.post-auth (updated) (5,1) handled (handled) (5,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (5,1) } # Auth-Type eap (handled) (5,1) Using Post-Auth-Type Challenge (5,1) Post-Auth-Type sub-section not found. Ignoring. (5,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (5,1) Sent Access-Challenge Id 81 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (5,1) EAP-Message = 0x0106005319004e06bbcfa59586d7b2ff4301f7a4dced7726344b96c142ba4f7edda40388cd1960d4509a41a041f4a249841cb2d310f71b7289440659999943f6e9e8d339d98ba10c468116030100040e000000 (5,1) Message-Authenticator = 0x00000000000000000000000000000000 (5,1) State = 0x050138003637b8d43b39393138ab9701 (5,1) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 82 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 431 (6) User-Name = "testuser@realm" (6) Chargeable-User-Identity = 0x00 (6) Location-Capable = Civix-Location (6) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (6) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (6) NAS-Port = 13 (6) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (6) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (6) NAS-IP-Address = Y.Y.Y.Y (6) NAS-Identifier = "WM13" (6) Airespace-Wlan-Id = 8 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = "446" (6) EAP-Message = 0x0206009019800000008616030100461000004241042a5475e41a0623c852b7ef77add0a1b3f495bfe644190191922bd6567c29c76dd46784c71d47f29e9688a6fe7998febd4ebee0a3b1dd33fe0b604b4c3ec38308140301000101160301003048686a4b033d40f5f9526b1c98c9c4ea528ac0c54e84251ef82fb6efe6c197f662f7468f1631afe64f0846e6f63ad3bf (6) State = 0x050138003637b8d43b39393138ab9701 (6) Message-Authenticator = 0x8c61c24db4bce0512a7cfd792ebe1ec6 (6,1) Running section authorize from file /etc/raddb/sites-enabled/default (6,1) authorize { (6,1) local_rewrite_called_station_id { (6,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6,1) update request { (6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6,1) --> 64:AE:0C:91:42:60 (6,1) &Called-Station-Id := 64:AE:0C:91:42:60 (6,1) } # update request (noop) (6,1) if ("%{8}") { (6,1) EXPAND %{8} (6,1) --> RADIUS-TEST (6,1) update request { (6,1) EXPAND %{8} (6,1) --> RADIUS-TEST (6,1) &Called-Station-SSID := RADIUS-TEST (6,1) } # update request (noop) (6,1) } # if ("%{8}") (noop) (6,1) updated (updated) (6,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) } # local_rewrite_called_station_id (updated) (6,1) local_rewrite_calling_station_id { (6,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6,1) update request { (6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6,1) --> A4:D1:8C:E4:9F:22 (6,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (6,1) } # update request (noop) (6,1) updated (updated) (6,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) } # local_rewrite_calling_station_id (updated) (6,1) filter_username { (6,1) if (&User-Name) { (6,1) if (&User-Name =~ / /) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@[^@]*@/ ) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /\.\./ ) { (6,1) ... (6,1) } (6,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /\.$/) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@\./) { (6,1) ... (6,1) } (6,1) } # if (&User-Name) (updated) (6,1) } # filter_username (updated) (6,1) bad_realms { (6,1) if (&User-Name =~ /\.ax\.uk$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@ac\.uk$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /myabc\.com$/i) { (6,1) ... (6,1) } (6,1) } # bad_realms (updated) (6,1) preprocess (ok) (6,1) operator-name.authorize { (6,1) if ("%{client:Operator-Name}") { (6,1) EXPAND %{client:Operator-Name} (6,1) --> 1realm.ac.uk (6,1) update request { (6,1) EXPAND %{client:Operator-Name} (6,1) --> 1realm.ac.uk (6,1) &Operator-Name = 1realm.ac.uk (6,1) } # update request (noop) (6,1) } # if ("%{client:Operator-Name}") (noop) (6,1) } # operator-name.authorize (noop) (6,1) suffix - Checking for suffix after "@" (6,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (6,1) suffix - Found realm "realm.ac.uk" (6,1) suffix - Adding Stripped-User-Name = "testuser" (6,1) suffix - Adding Realm = "realm.ac.uk" (6,1) suffix - Authentication realm is LOCAL (6,1) suffix (ok) (6,1) if (&Realm) { (6,1) update control { (6,1) &control:Proxy-To-Realm := LOCAL (6,1) } # update control (noop) (6,1) } # if (&Realm) (noop) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) if (&Realm) { (6,1) if (&Stripped-User-Name != "") { (6,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (6,1) EXPAND %{tolower:%{Stripped-User-Name}} (6,1) --> testuser (6,1) ... (6,1) } (6,1) group { (6,1) check_blacklist (ok) (6,1) if (&control:Local-Banned-User) { (6,1) ... (6,1) } (6,1) else { (6,1) noop (noop) (6,1) } # else (noop) (6,1) } # group (ok) (6,1) } # if (&Stripped-User-Name != "") (ok) (6,1) } # if (&Realm) (ok) (6,1) eap - Peer sent EAP Response (code 2) ID 6 length 144 (6,1) eap - Continuing tunnel setup (6,1) eap (ok) (6,1) } # authorize (ok) (6,1) Using 'Auth-Type = eap' for authenticate {...} (6,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (6,1) Auth-Type eap { (6,1) eap - Peer sent packet with EAP method PEAP (25) (6,1) eap - Calling submodule eap_peap to process data (6,1) eap_peap - Continuing EAP-TLS (6,1) eap_peap - Peer indicated complete TLS record size will be 134 bytes (6,1) eap_peap - Got complete TLS record, with length field (134 bytes) (6,1) eap_peap - [eap-tls verify] = complete (6,1) eap_peap - <<< recv handshake [length 70], client_key_exchange (6,1) eap_peap - Handshake state - Server SSLv3 read client key exchange A (6,1) eap_peap - <<< recv change_cipher_spec [length 1] (6,1) eap_peap - <<< recv handshake [length 16], finished (6,1) eap_peap - Handshake state - Server SSLv3 read finished A (6,1) eap_peap - >>> send change_cipher_spec [length 1] (6,1) eap_peap - Handshake state - Server SSLv3 write change cipher spec A (6,1) eap_peap - >>> send handshake [length 16], finished (6,1) eap_peap - Handshake state - Server SSLv3 write finished A (6,1) eap_peap - Handshake state - Server SSLv3 flush data (6,1) eap_peap - Handshake state - SSL negotiation finished successfully (6,1) eap_peap - Cipher suite: CDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 (6,1) eap_peap - Sending complete TLS record (59 bytes) (6,1) eap_peap - [eap-tls process] = handled (6,1) eap - Sending EAP Request (code 1) ID 7 length 65 (6,1) eap (handled) (6,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (6,1) EXPAND Response-Packet-Type (6,1) --> Access-Challenge (6,1) attr_filter.access_challenge - EXPAND %{User-Name} (6,1) attr_filter.access_challenge - --> testuser@realm (6,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (6,1) attr_filter.access_challenge.post-auth (updated) (6,1) handled (handled) (6,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (6,1) } # Auth-Type eap (handled) (6,1) Using Post-Auth-Type Challenge (6,1) Post-Auth-Type sub-section not found. Ignoring. (6,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (6,1) Sent Access-Challenge Id 82 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (6,1) EAP-Message = 0x01070041190014030100010116030100306c8dcb9afcb8f73b414f202b96d6efd0bab2bd9ad150291d1ce462a9f4c7055f7c55a31447a4b2d6e724095cfc6c65d1 (6,1) Message-Authenticator = 0x00000000000000000000000000000000 (6,1) State = 0x06033800aecc10fa3b39393138ab9701 (6,1) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 83 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (7) User-Name = "testuser@realm" (7) Chargeable-User-Identity = 0x00 (7) Location-Capable = Civix-Location (7) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (7) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (7) NAS-Port = 13 (7) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (7) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (7) NAS-IP-Address = Y.Y.Y.Y (7) NAS-Identifier = "WM13" (7) Airespace-Wlan-Id = 8 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "446" (7) EAP-Message = 0x020700061900 (7) State = 0x06033800aecc10fa3b39393138ab9701 (7) Message-Authenticator = 0x555162762d19bd82d35f798dba8e28aa (7,1) Running section authorize from file /etc/raddb/sites-enabled/default (7,1) authorize { (7,1) local_rewrite_called_station_id { (7,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7,1) update request { (7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7,1) --> 64:AE:0C:91:42:60 (7,1) &Called-Station-Id := 64:AE:0C:91:42:60 (7,1) } # update request (noop) (7,1) if ("%{8}") { (7,1) EXPAND %{8} (7,1) --> RADIUS-TEST (7,1) update request { (7,1) EXPAND %{8} (7,1) --> RADIUS-TEST (7,1) &Called-Station-SSID := RADIUS-TEST (7,1) } # update request (noop) (7,1) } # if ("%{8}") (noop) (7,1) updated (updated) (7,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) } # local_rewrite_called_station_id (updated) (7,1) local_rewrite_calling_station_id { (7,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7,1) update request { (7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7,1) --> A4:D1:8C:E4:9F:22 (7,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (7,1) } # update request (noop) (7,1) updated (updated) (7,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) } # local_rewrite_calling_station_id (updated) (7,1) filter_username { (7,1) if (&User-Name) { (7,1) if (&User-Name =~ / /) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@[^@]*@/ ) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /\.\./ ) { (7,1) ... (7,1) } (7,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /\.$/) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@\./) { (7,1) ... (7,1) } (7,1) } # if (&User-Name) (updated) (7,1) } # filter_username (updated) (7,1) bad_realms { (7,1) if (&User-Name =~ /\.ax\.uk$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@ac\.uk$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /myabc\.com$/i) { (7,1) ... (7,1) } (7,1) } # bad_realms (updated) (7,1) preprocess (ok) (7,1) operator-name.authorize { (7,1) if ("%{client:Operator-Name}") { (7,1) EXPAND %{client:Operator-Name} (7,1) --> 1realm.ac.uk (7,1) update request { (7,1) EXPAND %{client:Operator-Name} (7,1) --> 1realm.ac.uk (7,1) &Operator-Name = 1realm.ac.uk (7,1) } # update request (noop) (7,1) } # if ("%{client:Operator-Name}") (noop) (7,1) } # operator-name.authorize (noop) (7,1) suffix - Checking for suffix after "@" (7,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (7,1) suffix - Found realm "realm.ac.uk" (7,1) suffix - Adding Stripped-User-Name = "testuser" (7,1) suffix - Adding Realm = "realm.ac.uk" (7,1) suffix - Authentication realm is LOCAL (7,1) suffix (ok) (7,1) if (&Realm) { (7,1) update control { (7,1) &control:Proxy-To-Realm := LOCAL (7,1) } # update control (noop) (7,1) } # if (&Realm) (noop) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) if (&Realm) { (7,1) if (&Stripped-User-Name != "") { (7,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (7,1) EXPAND %{tolower:%{Stripped-User-Name}} (7,1) --> testuser (7,1) ... (7,1) } (7,1) group { (7,1) check_blacklist (ok) (7,1) if (&control:Local-Banned-User) { (7,1) ... (7,1) } (7,1) else { (7,1) noop (noop) (7,1) } # else (noop) (7,1) } # group (ok) (7,1) } # if (&Stripped-User-Name != "") (ok) (7,1) } # if (&Realm) (ok) (7,1) eap - Peer sent EAP Response (code 2) ID 7 length 6 (7,1) eap - Continuing tunnel setup (7,1) eap (ok) (7,1) } # authorize (ok) (7,1) Using 'Auth-Type = eap' for authenticate {...} (7,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (7,1) Auth-Type eap { (7,1) eap - Peer sent packet with EAP method PEAP (25) (7,1) eap - Calling submodule eap_peap to process data (7,1) eap_peap - Continuing EAP-TLS (7,1) eap_peap - Peer ACKed our handshake fragment. handshake is finished (7,1) eap_peap - [eap-tls verify] = established (7,1) eap_peap - [eap-tls process] = established (7,1) eap_peap - Session established. Decoding tunneled data (7,1) eap_peap - PEAP state TUNNEL ESTABLISHED (7,1) eap_peap - TLS application data to encrypt (5 bytes) (7,1) eap_peap - Sending complete TLS record (37 bytes) (7,1) eap - Sending EAP Request (code 1) ID 8 length 43 (7,1) eap (handled) (7,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (7,1) EXPAND Response-Packet-Type (7,1) --> Access-Challenge (7,1) attr_filter.access_challenge - EXPAND %{User-Name} (7,1) attr_filter.access_challenge - --> testuser@realm (7,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (7,1) attr_filter.access_challenge.post-auth (updated) (7,1) handled (handled) (7,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (7,1) } # Auth-Type eap (handled) (7,1) Using Post-Auth-Type Challenge (7,1) Post-Auth-Type sub-section not found. Ignoring. (7,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (7,1) Sent Access-Challenge Id 83 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (7,1) EAP-Message = 0x0108002b1900170301002029a24f1d8456037b9aeceb8fbc4df51362f49d1b863dae0ea1e7e356cad48d55 (7,1) Message-Authenticator = 0x00000000000000000000000000000000 (7,1) State = 0x070138003637b8d43b39393138ab9701 (7,1) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 84 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 346 (8) User-Name = "testuser@realm" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civix-Location (8) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (8) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (8) NAS-Port = 13 (8) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (8) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (8) NAS-IP-Address = Y.Y.Y.Y (8) NAS-Identifier = "WM13" (8) Airespace-Wlan-Id = 8 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "446" (8) EAP-Message = 0x0208003b1900170301003012630f02d6ebc7a949180390128f6ca3bd2643ce89f12b1ea709648094fa2265ecdef69755c881656faf5d6debdb50f2 (8) State = 0x070138003637b8d43b39393138ab9701 (8) Message-Authenticator = 0x19dac562b9479efa42ea2766dc140211 (8,1) Running section authorize from file /etc/raddb/sites-enabled/default (8,1) authorize { (8,1) local_rewrite_called_station_id { (8,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8,1) update request { (8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8,1) --> 64:AE:0C:91:42:60 (8,1) &Called-Station-Id := 64:AE:0C:91:42:60 (8,1) } # update request (noop) (8,1) if ("%{8}") { (8,1) EXPAND %{8} (8,1) --> RADIUS-TEST (8,1) update request { (8,1) EXPAND %{8} (8,1) --> RADIUS-TEST (8,1) &Called-Station-SSID := RADIUS-TEST (8,1) } # update request (noop) (8,1) } # if ("%{8}") (noop) (8,1) updated (updated) (8,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) } # local_rewrite_called_station_id (updated) (8,1) local_rewrite_calling_station_id { (8,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8,1) update request { (8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8,1) --> A4:D1:8C:E4:9F:22 (8,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (8,1) } # update request (noop) (8,1) updated (updated) (8,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) } # local_rewrite_calling_station_id (updated) (8,1) filter_username { (8,1) if (&User-Name) { (8,1) if (&User-Name =~ / /) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@[^@]*@/ ) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.\./ ) { (8,1) ... (8,1) } (8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.$/) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@\./) { (8,1) ... (8,1) } (8,1) } # if (&User-Name) (updated) (8,1) } # filter_username (updated) (8,1) bad_realms { (8,1) if (&User-Name =~ /\.ax\.uk$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@ac\.uk$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /myabc\.com$/i) { (8,1) ... (8,1) } (8,1) } # bad_realms (updated) (8,1) preprocess (ok) (8,1) operator-name.authorize { (8,1) if ("%{client:Operator-Name}") { (8,1) EXPAND %{client:Operator-Name} (8,1) --> 1realm.ac.uk (8,1) update request { (8,1) EXPAND %{client:Operator-Name} (8,1) --> 1realm.ac.uk (8,1) &Operator-Name = 1realm.ac.uk (8,1) } # update request (noop) (8,1) } # if ("%{client:Operator-Name}") (noop) (8,1) } # operator-name.authorize (noop) (8,1) suffix - Checking for suffix after "@" (8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (8,1) suffix - Found realm "realm.ac.uk" (8,1) suffix - Adding Stripped-User-Name = "testuser" (8,1) suffix - Adding Realm = "realm.ac.uk" (8,1) suffix - Authentication realm is LOCAL (8,1) suffix (ok) (8,1) if (&Realm) { (8,1) update control { (8,1) &control:Proxy-To-Realm := LOCAL (8,1) } # update control (noop) (8,1) } # if (&Realm) (noop) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) if (&Realm) { (8,1) if (&Stripped-User-Name != "") { (8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (8,1) EXPAND %{tolower:%{Stripped-User-Name}} (8,1) --> testuser (8,1) ... (8,1) } (8,1) group { (8,1) check_blacklist (ok) (8,1) if (&control:Local-Banned-User) { (8,1) ... (8,1) } (8,1) else { (8,1) noop (noop) (8,1) } # else (noop) (8,1) } # group (ok) (8,1) } # if (&Stripped-User-Name != "") (ok) (8,1) } # if (&Realm) (ok) (8,1) eap - Peer sent EAP Response (code 2) ID 8 length 59 (8,1) eap - Continuing tunnel setup (8,1) eap (ok) (8,1) } # authorize (ok) (8,1) Using 'Auth-Type = eap' for authenticate {...} (8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (8,1) Auth-Type eap { (8,1) eap - Peer sent packet with EAP method PEAP (25) (8,1) eap - Calling submodule eap_peap to process data (8,1) eap_peap - Continuing EAP-TLS (8,1) eap_peap - Got complete TLS record (53 bytes) (8,1) eap_peap - [eap-tls verify] = complete (8,1) eap_peap - Decrypted TLS application data (19 bytes) (8,1) eap_peap - [eap-tls process] = complete (8,1) eap_peap - Session established. Decoding tunneled data (8,1) eap_peap - PEAP state WAITING FOR INNER IDENTITY (8,1) eap_peap - Received EAP-Identity-Response (8,1) eap_peap - Got inner identity 'testuser@realm' (8,1) eap_peap - Got tunneled request (8,1) eap_peap - &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b (8,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (8,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (8,1) Virtual server inner-tunnel received request (8,1) &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b (8,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (8,1) &User-Name = "testuser@realm" (8,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (8,1) server inner-tunnel { (8,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8,1) authorize { (8,1) filter_username { (8,1) if (&User-Name) { (8,1) if (&User-Name =~ / /) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@[^@]*@/ ) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.\./ ) { (8,1) ... (8,1) } (8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.$/) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@\./) { (8,1) ... (8,1) } (8,1) } # if (&User-Name) (notfound) (8,1) } # filter_username (notfound) (8,1) local_filter_inner_identity { (8,1) if (!&outer.request:User-Name || !&User-Name) { (8,1) ... (8,1) } (8,1) if (&outer.request:User-Name != &User-Name) { (8,1) ... (8,1) } (8,1) } # local_filter_inner_identity (notfound) (8,1) chap (noop) (8,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (8,1) mschap-ds (noop) (8,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (8,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (8,1) ... skipping elsif for request 8: Preceding "if" was taken (8,1) } (8,1) suffix - Checking for suffix after "@" (8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (8,1) suffix - Found realm "realm.ac.uk" (8,1) suffix - Adding Stripped-User-Name = "testuser" (8,1) suffix - Adding Realm = "realm.ac.uk" (8,1) suffix - Authentication realm is LOCAL (8,1) suffix (ok) (8,1) if (&User-Name =~ /^@/) { (8,1) ... (8,1) } (8,1) if (!(&Stripped-User-Name)) { (8,1) ... (8,1) } (8,1) else { (8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (8,1) EXPAND %{tolower:%{Stripped-User-Name}} (8,1) --> testuser (8,1) ... (8,1) } (8,1) } # else (ok) (8,1) group { (8,1) check_blacklist (ok) (8,1) if (&control:Local-Banned-User) { (8,1) ... (8,1) } (8,1) else { (8,1) noop (noop) (8,1) } # else (noop) (8,1) } # group (ok) (8,1) update control { (8,1) &control:Proxy-To-Realm := LOCAL (8,1) } # update control (noop) (8,1) eap - Peer sent EAP Response (code 2) ID 8 length 23 (8,1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (8,1) eap (ok) (8,1) } # authorize (ok) (8,1) Using 'Auth-Type = eap' for authenticate {...} (8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (8,1) Auth-Type eap { (8,1) eap - Peer sent packet with EAP method Identity (1) (8,1) eap - Calling submodule eap_peap to process data (8,1) eap_peap - Initiating new TLS session (8,1) eap - Sending EAP Request (code 1) ID 9 length 6 (8,1) eap (handled) (8,1) } # Auth-Type eap (handled) (8,1) } # server inner-tunnel (8,1) Virtual server sending reply (8,1) &EAP-Message = 0x010900061920 (8,1) &Message-Authenticator = 0x00000000000000000000000000000000 (8,1) eap_peap - Got tunneled reply Access-Challenge (8,1) eap_peap - &EAP-Message = 0x010900061920 (8,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (8,1) eap_peap - Got tunneled Access-Challenge (8,1) eap_peap - TLS application data to encrypt (2 bytes) (8,1) eap_peap - Sending complete TLS record (37 bytes) (8,1) eap - Sending EAP Request (code 1) ID 9 length 43 (8,1) eap (handled) (8,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (8,1) EXPAND Response-Packet-Type (8,1) --> Access-Challenge (8,1) attr_filter.access_challenge - EXPAND %{User-Name} (8,1) attr_filter.access_challenge - --> testuser@realm (8,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (8,1) attr_filter.access_challenge.post-auth (updated) (8,1) handled (handled) (8,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (8,1) } # Auth-Type eap (handled) (8,1) Using Post-Auth-Type Challenge (8,1) Post-Auth-Type sub-section not found. Ignoring. (8,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (8,1) Sent Access-Challenge Id 84 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (8,1) EAP-Message = 0x0109002b1900170301002082145b33c41958c36bec8f18c2f9da22934d020d4e6d14b2a45a7258b2f336af (8,1) Message-Authenticator = 0x00000000000000000000000000000000 (8,1) State = 0x080f3800aecc10fa3b39393138ab9701 (8,1) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 85 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (9) User-Name = "testuser@realm" (9) Chargeable-User-Identity = 0x00 (9) Location-Capable = Civix-Location (9) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (9) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (9) NAS-Port = 13 (9) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (9) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (9) NAS-IP-Address = Y.Y.Y.Y (9) NAS-Identifier = "WM13" (9) Airespace-Wlan-Id = 8 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) Tunnel-Type:0 = VLAN (9) Tunnel-Medium-Type:0 = IEEE-802 (9) Tunnel-Private-Group-Id:0 = "446" (9) EAP-Message = 0x0209002b19001703010020b5d3b91965958352c3a2297f539ee8f56616a107a36423c6b065b5bf73f4c0de (9) State = 0x080f3800aecc10fa3b39393138ab9701 (9) Message-Authenticator = 0x1e0662ee3ffb7f6c36d8f70ecd544acf (9,1) Running section authorize from file /etc/raddb/sites-enabled/default (9,1) authorize { (9,1) local_rewrite_called_station_id { (9,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9,1) update request { (9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9,1) --> 64:AE:0C:91:42:60 (9,1) &Called-Station-Id := 64:AE:0C:91:42:60 (9,1) } # update request (noop) (9,1) if ("%{8}") { (9,1) EXPAND %{8} (9,1) --> RADIUS-TEST (9,1) update request { (9,1) EXPAND %{8} (9,1) --> RADIUS-TEST (9,1) &Called-Station-SSID := RADIUS-TEST (9,1) } # update request (noop) (9,1) } # if ("%{8}") (noop) (9,1) updated (updated) (9,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) } # local_rewrite_called_station_id (updated) (9,1) local_rewrite_calling_station_id { (9,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9,1) update request { (9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9,1) --> A4:D1:8C:E4:9F:22 (9,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (9,1) } # update request (noop) (9,1) updated (updated) (9,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) } # local_rewrite_calling_station_id (updated) (9,1) filter_username { (9,1) if (&User-Name) { (9,1) if (&User-Name =~ / /) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@[^@]*@/ ) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.\./ ) { (9,1) ... (9,1) } (9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.$/) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@\./) { (9,1) ... (9,1) } (9,1) } # if (&User-Name) (updated) (9,1) } # filter_username (updated) (9,1) bad_realms { (9,1) if (&User-Name =~ /\.ax\.uk$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@ac\.uk$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /myabc\.com$/i) { (9,1) ... (9,1) } (9,1) } # bad_realms (updated) (9,1) preprocess (ok) (9,1) operator-name.authorize { (9,1) if ("%{client:Operator-Name}") { (9,1) EXPAND %{client:Operator-Name} (9,1) --> 1realm.ac.uk (9,1) update request { (9,1) EXPAND %{client:Operator-Name} (9,1) --> 1realm.ac.uk (9,1) &Operator-Name = 1realm.ac.uk (9,1) } # update request (noop) (9,1) } # if ("%{client:Operator-Name}") (noop) (9,1) } # operator-name.authorize (noop) (9,1) suffix - Checking for suffix after "@" (9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (9,1) suffix - Found realm "realm.ac.uk" (9,1) suffix - Adding Stripped-User-Name = "testuser" (9,1) suffix - Adding Realm = "realm.ac.uk" (9,1) suffix - Authentication realm is LOCAL (9,1) suffix (ok) (9,1) if (&Realm) { (9,1) update control { (9,1) &control:Proxy-To-Realm := LOCAL (9,1) } # update control (noop) (9,1) } # if (&Realm) (noop) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) if (&Realm) { (9,1) if (&Stripped-User-Name != "") { (9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (9,1) EXPAND %{tolower:%{Stripped-User-Name}} (9,1) --> testuser (9,1) ... (9,1) } (9,1) group { (9,1) check_blacklist (ok) (9,1) if (&control:Local-Banned-User) { (9,1) ... (9,1) } (9,1) else { (9,1) noop (noop) (9,1) } # else (noop) (9,1) } # group (ok) (9,1) } # if (&Stripped-User-Name != "") (ok) (9,1) } # if (&Realm) (ok) (9,1) eap - Peer sent EAP Response (code 2) ID 9 length 43 (9,1) eap - Continuing tunnel setup (9,1) eap (ok) (9,1) } # authorize (ok) (9,1) Using 'Auth-Type = eap' for authenticate {...} (9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (9,1) Auth-Type eap { (9,1) eap - Peer sent packet with EAP method PEAP (25) (9,1) eap - Calling submodule eap_peap to process data (9,1) eap_peap - Continuing EAP-TLS (9,1) eap_peap - Got complete TLS record (37 bytes) (9,1) eap_peap - [eap-tls verify] = complete (9,1) eap_peap - Decrypted TLS application data (2 bytes) (9,1) eap_peap - [eap-tls process] = complete (9,1) eap_peap - Session established. Decoding tunneled data (9,1) eap_peap - PEAP state phase2 (9,1) eap_peap - EAP method NAK (3) (9,1) eap_peap - Got tunneled request (9,1) eap_peap - &EAP-Message = 0x02090006031a (9,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (9,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (9,1) Virtual server inner-tunnel received request (9,1) &EAP-Message = 0x02090006031a (9,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (9,1) &User-Name = "testuser@realm" (9,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (9,1) server inner-tunnel { (9,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9,1) authorize { (9,1) filter_username { (9,1) if (&User-Name) { (9,1) if (&User-Name =~ / /) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@[^@]*@/ ) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.\./ ) { (9,1) ... (9,1) } (9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.$/) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@\./) { (9,1) ... (9,1) } (9,1) } # if (&User-Name) (notfound) (9,1) } # filter_username (notfound) (9,1) local_filter_inner_identity { (9,1) if (!&outer.request:User-Name || !&User-Name) { (9,1) ... (9,1) } (9,1) if (&outer.request:User-Name != &User-Name) { (9,1) ... (9,1) } (9,1) } # local_filter_inner_identity (notfound) (9,1) chap (noop) (9,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (9,1) mschap-ds (noop) (9,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (9,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (9,1) ... skipping elsif for request 9: Preceding "if" was taken (9,1) } (9,1) suffix - Checking for suffix after "@" (9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (9,1) suffix - Found realm "realm.ac.uk" (9,1) suffix - Adding Stripped-User-Name = "testuser" (9,1) suffix - Adding Realm = "realm.ac.uk" (9,1) suffix - Authentication realm is LOCAL (9,1) suffix (ok) (9,1) if (&User-Name =~ /^@/) { (9,1) ... (9,1) } (9,1) if (!(&Stripped-User-Name)) { (9,1) ... (9,1) } (9,1) else { (9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (9,1) EXPAND %{tolower:%{Stripped-User-Name}} (9,1) --> testuser (9,1) ... (9,1) } (9,1) } # else (ok) (9,1) group { (9,1) check_blacklist (ok) (9,1) if (&control:Local-Banned-User) { (9,1) ... (9,1) } (9,1) else { (9,1) noop (noop) (9,1) } # else (noop) (9,1) } # group (ok) (9,1) update control { (9,1) &control:Proxy-To-Realm := LOCAL (9,1) } # update control (noop) (9,1) eap - Peer sent EAP Response (code 2) ID 9 length 6 (9,1) eap - Continuing on-going EAP conversation (9,1) eap (updated) (9,1) files (noop) (9,1) expiration (noop) (9,1) logintime (noop) (9,1) pap (noop) (9,1) } # authorize (updated) (9,1) Using 'Auth-Type = eap' for authenticate {...} (9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (9,1) Auth-Type eap { (9,1) eap - Peer sent packet with EAP method NAK (3) (9,1) eap - Found mutually acceptable type MSCHAPv2 (26) (9,1) eap - Calling submodule eap_mschapv2 to process data (9,1) eap_mschapv2 - Issuing Challenge (9,1) eap - Sending EAP Request (code 1) ID 10 length 47 (9,1) eap (handled) (9,1) } # Auth-Type eap (handled) (9,1) } # server inner-tunnel (9,1) Virtual server sending reply (9,1) &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164 (9,1) &Message-Authenticator = 0x00000000000000000000000000000000 (9,1) eap_peap - Got tunneled reply Access-Challenge (9,1) eap_peap - &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164 (9,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (9,1) eap_peap - Got tunneled Access-Challenge (9,1) eap_peap - TLS application data to encrypt (43 bytes) (9,1) eap_peap - Sending complete TLS record (69 bytes) (9,1) eap - Sending EAP Request (code 1) ID 10 length 75 (9,1) eap (handled) (9,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (9,1) EXPAND Response-Packet-Type (9,1) --> Access-Challenge (9,1) attr_filter.access_challenge - EXPAND %{User-Name} (9,1) attr_filter.access_challenge - --> testuser@realm (9,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (9,1) attr_filter.access_challenge.post-auth (updated) (9,1) handled (handled) (9,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (9,1) } # Auth-Type eap (handled) (9,1) Using Post-Auth-Type Challenge (9,1) Post-Auth-Type sub-section not found. Ignoring. (9,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (9,1) Sent Access-Challenge Id 85 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (9,1) EAP-Message = 0x010a004b19001703010040fd1adfa6152afb79c1fa0529c132191cc6180186595d874f715ef0b31bf5417fd2acb727f784d6ae580609b6434fb822695b8a0db91b849dbd55cd39f83f1b56 (9,1) Message-Authenticator = 0x00000000000000000000000000000000 (9,1) State = 0x090138003637b8d43b39393138ab9701 (9,1) Finished request Waking up in 4.8 seconds. (10) Received Access-Request Id 86 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 394 (10) User-Name = "testuser@realm" (10) Chargeable-User-Identity = 0x00 (10) Location-Capable = Civix-Location (10) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (10) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (10) NAS-Port = 13 (10) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (10) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (10) NAS-IP-Address = Y.Y.Y.Y (10) NAS-Identifier = "WM13" (10) Airespace-Wlan-Id = 8 (10) Service-Type = Framed-User (10) Framed-MTU = 1300 (10) NAS-Port-Type = Wireless-802.11 (10) Tunnel-Type:0 = VLAN (10) Tunnel-Medium-Type:0 = IEEE-802 (10) Tunnel-Private-Group-Id:0 = "446" (10) EAP-Message = 0x020a006b19001703010060fb7b84dad699698f8e133528ec8b1ef0f8199de9c6170fb4c86582a647d47520ec17b41fc65471c47ceb60d9a206b2b54936ec02000e6b4894b77cf2a1c4f99e2747be80011ff04e7304a9ed47826067966d1318fd9ef8f95697e149a3355eea (10) State = 0x090138003637b8d43b39393138ab9701 (10) Message-Authenticator = 0x431e4c764049d08fa9567dfadb9ac07f (10,1) Running section authorize from file /etc/raddb/sites-enabled/default (10,1) authorize { (10,1) local_rewrite_called_station_id { (10,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10,1) update request { (10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10,1) --> 64:AE:0C:91:42:60 (10,1) &Called-Station-Id := 64:AE:0C:91:42:60 (10,1) } # update request (noop) (10,1) if ("%{8}") { (10,1) EXPAND %{8} (10,1) --> RADIUS-TEST (10,1) update request { (10,1) EXPAND %{8} (10,1) --> RADIUS-TEST (10,1) &Called-Station-SSID := RADIUS-TEST (10,1) } # update request (noop) (10,1) } # if ("%{8}") (noop) (10,1) updated (updated) (10,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) } # local_rewrite_called_station_id (updated) (10,1) local_rewrite_calling_station_id { (10,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10,1) update request { (10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10,1) --> A4:D1:8C:E4:9F:22 (10,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (10,1) } # update request (noop) (10,1) updated (updated) (10,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) } # local_rewrite_calling_station_id (updated) (10,1) filter_username { (10,1) if (&User-Name) { (10,1) if (&User-Name =~ / /) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@[^@]*@/ ) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.\./ ) { (10,1) ... (10,1) } (10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.$/) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@\./) { (10,1) ... (10,1) } (10,1) } # if (&User-Name) (updated) (10,1) } # filter_username (updated) (10,1) bad_realms { (10,1) if (&User-Name =~ /\.ax\.uk$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@ac\.uk$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /myabc\.com$/i) { (10,1) ... (10,1) } (10,1) } # bad_realms (updated) (10,1) preprocess (ok) (10,1) operator-name.authorize { (10,1) if ("%{client:Operator-Name}") { (10,1) EXPAND %{client:Operator-Name} (10,1) --> 1realm.ac.uk (10,1) update request { (10,1) EXPAND %{client:Operator-Name} (10,1) --> 1realm.ac.uk (10,1) &Operator-Name = 1realm.ac.uk (10,1) } # update request (noop) (10,1) } # if ("%{client:Operator-Name}") (noop) (10,1) } # operator-name.authorize (noop) (10,1) suffix - Checking for suffix after "@" (10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (10,1) suffix - Found realm "realm.ac.uk" (10,1) suffix - Adding Stripped-User-Name = "testuser" (10,1) suffix - Adding Realm = "realm.ac.uk" (10,1) suffix - Authentication realm is LOCAL (10,1) suffix (ok) (10,1) if (&Realm) { (10,1) update control { (10,1) &control:Proxy-To-Realm := LOCAL (10,1) } # update control (noop) (10,1) } # if (&Realm) (noop) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) if (&Realm) { (10,1) if (&Stripped-User-Name != "") { (10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (10,1) EXPAND %{tolower:%{Stripped-User-Name}} (10,1) --> testuser (10,1) ... (10,1) } (10,1) group { (10,1) check_blacklist (ok) (10,1) if (&control:Local-Banned-User) { (10,1) ... (10,1) } (10,1) else { (10,1) noop (noop) (10,1) } # else (noop) (10,1) } # group (ok) (10,1) } # if (&Stripped-User-Name != "") (ok) (10,1) } # if (&Realm) (ok) (10,1) eap - Peer sent EAP Response (code 2) ID 10 length 107 (10,1) eap - Continuing tunnel setup (10,1) eap (ok) (10,1) } # authorize (ok) (10,1) Using 'Auth-Type = eap' for authenticate {...} (10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (10,1) Auth-Type eap { (10,1) eap - Peer sent packet with EAP method PEAP (25) (10,1) eap - Calling submodule eap_peap to process data (10,1) eap_peap - Continuing EAP-TLS (10,1) eap_peap - Got complete TLS record (101 bytes) (10,1) eap_peap - [eap-tls verify] = complete (10,1) eap_peap - Decrypted TLS application data (73 bytes) (10,1) eap_peap - [eap-tls process] = complete (10,1) eap_peap - Session established. Decoding tunneled data (10,1) eap_peap - PEAP state phase2 (10,1) eap_peap - EAP method MSCHAPv2 (26) (10,1) eap_peap - Got tunneled request (10,1) eap_peap - &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b (10,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (10,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (10,1) Virtual server inner-tunnel received request (10,1) &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b (10,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (10,1) &User-Name = "testuser@realm" (10,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (10,1) server inner-tunnel { (10,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10,1) authorize { (10,1) filter_username { (10,1) if (&User-Name) { (10,1) if (&User-Name =~ / /) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@[^@]*@/ ) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.\./ ) { (10,1) ... (10,1) } (10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.$/) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@\./) { (10,1) ... (10,1) } (10,1) } # if (&User-Name) (notfound) (10,1) } # filter_username (notfound) (10,1) local_filter_inner_identity { (10,1) if (!&outer.request:User-Name || !&User-Name) { (10,1) ... (10,1) } (10,1) if (&outer.request:User-Name != &User-Name) { (10,1) ... (10,1) } (10,1) } # local_filter_inner_identity (notfound) (10,1) chap (noop) (10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (10,1) mschap-ds (noop) (10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (10,1) ... skipping elsif for request 10: Preceding "if" was taken (10,1) } (10,1) suffix - Checking for suffix after "@" (10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (10,1) suffix - Found realm "realm.ac.uk" (10,1) suffix - Adding Stripped-User-Name = "testuser" (10,1) suffix - Adding Realm = "realm.ac.uk" (10,1) suffix - Authentication realm is LOCAL (10,1) suffix (ok) (10,1) if (&User-Name =~ /^@/) { (10,1) ... (10,1) } (10,1) if (!(&Stripped-User-Name)) { (10,1) ... (10,1) } (10,1) else { (10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (10,1) EXPAND %{tolower:%{Stripped-User-Name}} (10,1) --> testuser (10,1) ... (10,1) } (10,1) } # else (ok) (10,1) group { (10,1) check_blacklist (ok) (10,1) if (&control:Local-Banned-User) { (10,1) ... (10,1) } (10,1) else { (10,1) noop (noop) (10,1) } # else (noop) (10,1) } # group (ok) (10,1) update control { (10,1) &control:Proxy-To-Realm := LOCAL (10,1) } # update control (noop) (10,1) eap - Peer sent EAP Response (code 2) ID 10 length 77 (10,1) eap - Continuing on-going EAP conversation (10,1) eap (updated) (10,1) files (noop) (10,1) expiration (noop) (10,1) logintime (noop) (10,1) pap (noop) (10,1) } # authorize (updated) (10,1) Using 'Auth-Type = eap' for authenticate {...} (10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (10,1) Auth-Type eap { (10,1) eap - Peer sent packet with EAP method MSCHAPv2 (26) (10,1) eap - Calling submodule eap_mschapv2 to process data (10,1) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/inner-tunnel (10,1) Auth-Type MS-CHAP { (10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (10,1) mschap-ds - Creating challenge hash with username: testuser@realm (10,1) mschap-ds - Client is using MS-CHAPv2 (10,1) mschap-ds - EXPAND %{%{Stripped-User-Name}:-%{mschap-ds:User-Name}} (10,1) mschap-ds - --> testuser (10,1) mschap-ds - Reserved connection (0) (10,1) mschap-ds - sending authentication request user='testuser' domain='DS' (10,1) mschap-ds - Released connection (0) (10,1) mschap-ds - Need 10 more connections to reach 20 spares (10,1) mschap-ds - Opening additional connection (10), 1 of 54 pending slots used (10,1) mschap-ds - Authenticated successfully (10,1) mschap-ds - Adding MS-CHAPv2 MPPE keys (10,1) mschap-ds (ok) (10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (ok) (10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (10,1) ... skipping elsif for request 10: Preceding "if" was taken (10,1) } (10,1) } # Auth-Type MS-CHAP (ok) (10,1) eap_mschapv2 - MSCHAP Success (10,1) eap - Sending EAP Request (code 1) ID 11 length 51 (10,1) eap (handled) (10,1) } # Auth-Type eap (handled) (10,1) } # server inner-tunnel (10,1) Virtual server sending reply (10,1) &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932 (10,1) &Message-Authenticator = 0x00000000000000000000000000000000 (10,1) eap_peap - Got tunneled reply Access-Challenge (10,1) eap_peap - &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932 (10,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (10,1) eap_peap - Got tunneled Access-Challenge (10,1) eap_peap - TLS application data to encrypt (47 bytes) (10,1) eap_peap - Sending complete TLS record (85 bytes) (10,1) eap - Sending EAP Request (code 1) ID 11 length 91 (10,1) eap (handled) (10,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (10,1) EXPAND Response-Packet-Type (10,1) --> Access-Challenge (10,1) attr_filter.access_challenge - EXPAND %{User-Name} (10,1) attr_filter.access_challenge - --> testuser@realm (10,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (10,1) attr_filter.access_challenge.post-auth (updated) (10,1) handled (handled) (10,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (10,1) } # Auth-Type eap (handled) (10,1) Using Post-Auth-Type Challenge (10,1) Post-Auth-Type sub-section not found. Ignoring. (10,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (10,1) Sent Access-Challenge Id 86 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (10,1) EAP-Message = 0x010b005b19001703010050434a180e3726928b4d1485ba6b2897630e9165184c8e7b1b32265ba04908704d15ee8673ef1b5f4b1cb58c229d9ca96c31528959c7f338b7d83c0deca515c327d242225f1874037a58481664fc1f1360 (10,1) Message-Authenticator = 0x00000000000000000000000000000000 (10,1) State = 0x0a033800aecc10fa3b39393138ab9701 (10,1) Finished request Waking up in 4.8 seconds. (11) Received Access-Request Id 87 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (11) User-Name = "testuser@realm" (11) Chargeable-User-Identity = 0x00 (11) Location-Capable = Civix-Location (11) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (11) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (11) NAS-Port = 13 (11) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (11) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (11) NAS-IP-Address = Y.Y.Y.Y (11) NAS-Identifier = "WM13" (11) Airespace-Wlan-Id = 8 (11) Service-Type = Framed-User (11) Framed-MTU = 1300 (11) NAS-Port-Type = Wireless-802.11 (11) Tunnel-Type:0 = VLAN (11) Tunnel-Medium-Type:0 = IEEE-802 (11) Tunnel-Private-Group-Id:0 = "446" (11) EAP-Message = 0x020b002b19001703010020b5ec1928d5a22217345c5344b5ea9e8a35fa15ad8681bfb8c9873d10febf5798 (11) State = 0x0a033800aecc10fa3b39393138ab9701 (11) Message-Authenticator = 0x62328bab8c9d2ffc5877e080f63230c8 (11,1) Running section authorize from file /etc/raddb/sites-enabled/default (11,1) authorize { (11,1) local_rewrite_called_station_id { (11,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11,1) update request { (11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11,1) --> 64:AE:0C:91:42:60 (11,1) &Called-Station-Id := 64:AE:0C:91:42:60 (11,1) } # update request (noop) (11,1) if ("%{8}") { (11,1) EXPAND %{8} (11,1) --> RADIUS-TEST (11,1) update request { (11,1) EXPAND %{8} (11,1) --> RADIUS-TEST (11,1) &Called-Station-SSID := RADIUS-TEST (11,1) } # update request (noop) (11,1) } # if ("%{8}") (noop) (11,1) updated (updated) (11,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) } # local_rewrite_called_station_id (updated) (11,1) local_rewrite_calling_station_id { (11,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11,1) update request { (11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11,1) --> A4:D1:8C:E4:9F:22 (11,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (11,1) } # update request (noop) (11,1) updated (updated) (11,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) } # local_rewrite_calling_station_id (updated) (11,1) filter_username { (11,1) if (&User-Name) { (11,1) if (&User-Name =~ / /) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@[^@]*@/ ) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.\./ ) { (11,1) ... (11,1) } (11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.$/) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@\./) { (11,1) ... (11,1) } (11,1) } # if (&User-Name) (updated) (11,1) } # filter_username (updated) (11,1) bad_realms { (11,1) if (&User-Name =~ /\.ax\.uk$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@ac\.uk$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /myabc\.com$/i) { (11,1) ... (11,1) } (11,1) } # bad_realms (updated) (11,1) preprocess (ok) (11,1) operator-name.authorize { (11,1) if ("%{client:Operator-Name}") { (11,1) EXPAND %{client:Operator-Name} (11,1) --> 1realm.ac.uk (11,1) update request { (11,1) EXPAND %{client:Operator-Name} (11,1) --> 1realm.ac.uk (11,1) &Operator-Name = 1realm.ac.uk (11,1) } # update request (noop) (11,1) } # if ("%{client:Operator-Name}") (noop) (11,1) } # operator-name.authorize (noop) (11,1) suffix - Checking for suffix after "@" (11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (11,1) suffix - Found realm "realm.ac.uk" (11,1) suffix - Adding Stripped-User-Name = "testuser" (11,1) suffix - Adding Realm = "realm.ac.uk" (11,1) suffix - Authentication realm is LOCAL (11,1) suffix (ok) (11,1) if (&Realm) { (11,1) update control { (11,1) &control:Proxy-To-Realm := LOCAL (11,1) } # update control (noop) (11,1) } # if (&Realm) (noop) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) if (&Realm) { (11,1) if (&Stripped-User-Name != "") { (11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (11,1) EXPAND %{tolower:%{Stripped-User-Name}} (11,1) --> testuser (11,1) ... (11,1) } (11,1) group { (11,1) check_blacklist (ok) (11,1) if (&control:Local-Banned-User) { (11,1) ... (11,1) } (11,1) else { (11,1) noop (noop) (11,1) } # else (noop) (11,1) } # group (ok) (11,1) } # if (&Stripped-User-Name != "") (ok) (11,1) } # if (&Realm) (ok) (11,1) eap - Peer sent EAP Response (code 2) ID 11 length 43 (11,1) eap - Continuing tunnel setup (11,1) eap (ok) (11,1) } # authorize (ok) (11,1) Using 'Auth-Type = eap' for authenticate {...} (11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (11,1) Auth-Type eap { (11,1) eap - Peer sent packet with EAP method PEAP (25) (11,1) eap - Calling submodule eap_peap to process data (11,1) eap_peap - Continuing EAP-TLS (11,1) eap_peap - Got complete TLS record (37 bytes) (11,1) eap_peap - [eap-tls verify] = complete (11,1) eap_peap - Decrypted TLS application data (2 bytes) (11,1) eap_peap - [eap-tls process] = complete (11,1) eap_peap - Session established. Decoding tunneled data (11,1) eap_peap - PEAP state phase2 (11,1) eap_peap - EAP method MSCHAPv2 (26) (11,1) eap_peap - Got tunneled request (11,1) eap_peap - &EAP-Message = 0x020b00061a03 (11,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (11,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (11,1) Virtual server inner-tunnel received request (11,1) &EAP-Message = 0x020b00061a03 (11,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (11,1) &User-Name = "testuser@realm" (11,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (11,1) server inner-tunnel { (11,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11,1) authorize { (11,1) filter_username { (11,1) if (&User-Name) { (11,1) if (&User-Name =~ / /) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@[^@]*@/ ) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.\./ ) { (11,1) ... (11,1) } (11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.$/) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@\./) { (11,1) ... (11,1) } (11,1) } # if (&User-Name) (notfound) (11,1) } # filter_username (notfound) (11,1) local_filter_inner_identity { (11,1) if (!&outer.request:User-Name || !&User-Name) { (11,1) ... (11,1) } (11,1) if (&outer.request:User-Name != &User-Name) { (11,1) ... (11,1) } (11,1) } # local_filter_inner_identity (notfound) (11,1) chap (noop) (11,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (11,1) mschap-ds (noop) (11,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (11,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (11,1) ... skipping elsif for request 11: Preceding "if" was taken (11,1) } (11,1) suffix - Checking for suffix after "@" (11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (11,1) suffix - Found realm "realm.ac.uk" (11,1) suffix - Adding Stripped-User-Name = "testuser" (11,1) suffix - Adding Realm = "realm.ac.uk" (11,1) suffix - Authentication realm is LOCAL (11,1) suffix (ok) (11,1) if (&User-Name =~ /^@/) { (11,1) ... (11,1) } (11,1) if (!(&Stripped-User-Name)) { (11,1) ... (11,1) } (11,1) else { (11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (11,1) EXPAND %{tolower:%{Stripped-User-Name}} (11,1) --> testuser (11,1) ... (11,1) } (11,1) } # else (ok) (11,1) group { (11,1) check_blacklist (ok) (11,1) if (&control:Local-Banned-User) { (11,1) ... (11,1) } (11,1) else { (11,1) noop (noop) (11,1) } # else (noop) (11,1) } # group (ok) (11,1) update control { (11,1) &control:Proxy-To-Realm := LOCAL (11,1) } # update control (noop) (11,1) eap - Peer sent EAP Response (code 2) ID 11 length 6 (11,1) eap - Continuing on-going EAP conversation (11,1) eap (updated) (11,1) files (noop) (11,1) expiration (noop) (11,1) logintime (noop) (11,1) pap (noop) (11,1) } # authorize (updated) (11,1) Using 'Auth-Type = eap' for authenticate {...} (11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (11,1) Auth-Type eap { (11,1) eap - Peer sent packet with EAP method MSCHAPv2 (26) (11,1) eap - Calling submodule eap_mschapv2 to process data (11,1) eap - Sending EAP Success (code 3) ID 11 length 4 (11,1) eap - Cleaning up EAP session (11,1) eap (ok) (11,1) } # Auth-Type eap (ok) (11,1) Login OK: [testuser@realm] (from client wism13 port 0 via TLS tunnel) (11,1) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (11,1) post-auth { (11,1) update reply { (11,1) &reply:Reply-Message := successful authentication (11,1) } # update reply (noop) (11,1) inner-tunnel-accept-log - Using default message (11,1) inner-tunnel-accept-log - EXPAND %S (%l) id %I INNER ACCEPT %{User-Name} cli %{%{outer.request:Calling-Station-Id}:--} outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type} realm %{Realm} operator %{%{outer.request:Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{outer.request:Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}' (11,1) inner-tunnel-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 11 INNER ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 outer-id testuser@realm.ac.uk auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication' (11,1) inner-tunnel-accept-log - EXPAND /var/log/radius/auth.log (11,1) inner-tunnel-accept-log - --> /var/log/radius/auth.log (11,1) inner-tunnel-accept-log (ok) (11,1) update { (11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Policy -> Encryption-Required (11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Types -> 4 (11,1) &outer.session-state: += &reply:MS-MPPE-Send-Key -> 0xd8d3d48df0050ef926fee45a7025a880 (11,1) &outer.session-state: += &reply:MS-MPPE-Recv-Key -> 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) &outer.session-state: += &reply:EAP-Message -> 0x030b0004 (11,1) &outer.session-state: += &reply:Message-Authenticator -> 0x00000000000000000000000000000000 (11,1) &outer.session-state: += &reply:Stripped-User-Name -> "testuser" (11,1) &outer.session-state: += &reply:Reply-Message -> "successful authentication" (11,1) } # update (noop) (11,1) update outer.session-state { (11,1) &outer.session-state:MS-MPPE-Encryption-Policy !* ANY (11,1) &outer.session-state:MS-MPPE-Encryption-Types !* ANY (11,1) &outer.session-state:MS-MPPE-Send-Key !* ANY (11,1) &outer.session-state:MS-MPPE-Recv-Key !* ANY (11,1) &outer.session-state:Message-Authenticator !* ANY (11,1) &outer.session-state:EAP-Message !* ANY (11,1) &outer.session-state:Proxy-State !* ANY (11,1) } # update outer.session-state (noop) (11,1) } # post-auth (ok) (11,1) } # server inner-tunnel (11,1) Virtual server sending reply (11,1) &MS-MPPE-Encryption-Policy = Encryption-Required (11,1) &MS-MPPE-Encryption-Types = 4 (11,1) &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880 (11,1) &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) &EAP-Message = 0x030b0004 (11,1) &Message-Authenticator = 0x00000000000000000000000000000000 (11,1) &Stripped-User-Name = "testuser" (11,1) &Reply-Message := "successful authentication" (11,1) eap_peap - Got tunneled reply Access-Accept (11,1) eap_peap - &MS-MPPE-Encryption-Policy = Encryption-Required (11,1) eap_peap - &MS-MPPE-Encryption-Types = 4 (11,1) eap_peap - &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880 (11,1) eap_peap - &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) eap_peap - &EAP-Message = 0x030b0004 (11,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (11,1) eap_peap - &Stripped-User-Name = "testuser" (11,1) eap_peap - &Reply-Message := "successful authentication" (11,1) eap_peap - Tunneled authentication was successful (11,1) eap_peap - SUCCESS (11,1) eap_peap - TLS application data to encrypt (11 bytes) (11,1) eap_peap - Sending complete TLS record (37 bytes) (11,1) eap - Sending EAP Request (code 1) ID 12 length 43 (11,1) eap (handled) (11,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (11,1) EXPAND Response-Packet-Type (11,1) --> Access-Challenge (11,1) attr_filter.access_challenge - EXPAND %{User-Name} (11,1) attr_filter.access_challenge - --> testuser@realm (11,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (11,1) attr_filter.access_challenge.post-auth (updated) (11,1) handled (handled) (11,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (11,1) } # Auth-Type eap (handled) (11,1) Using Post-Auth-Type Challenge (11,1) Post-Auth-Type sub-section not found. Ignoring. (11,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (11,1) Saving &session-state (11,1) &session-state:Stripped-User-Name += "testuser" (11,1) &session-state:Reply-Message += "successful authentication" (11,1) Sent Access-Challenge Id 87 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (11,1) EAP-Message = 0x010c002b1900170301002075fcd60b064f8189f89cd88d8ea3821c5e02316d81a985ae28e6772c0f91527a (11,1) Message-Authenticator = 0x00000000000000000000000000000000 (11,1) State = 0x0b0138003637b8d43b39393138ab9701 (11,1) Finished request Waking up in 4.8 seconds. (12) Received Access-Request Id 88 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (12) User-Name = "testuser@realm" (12) Chargeable-User-Identity = 0x00 (12) Location-Capable = Civix-Location (12) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (12) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (12) NAS-Port = 13 (12) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (12) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (12) NAS-IP-Address = Y.Y.Y.Y (12) NAS-Identifier = "WM13" (12) Airespace-Wlan-Id = 8 (12) Service-Type = Framed-User (12) Framed-MTU = 1300 (12) NAS-Port-Type = Wireless-802.11 (12) Tunnel-Type:0 = VLAN (12) Tunnel-Medium-Type:0 = IEEE-802 (12) Tunnel-Private-Group-Id:0 = "446" (12) EAP-Message = 0x020c002b190017030100205260e734aa19b0c57421ab4de8ee9119c043f03f0751f165dc6cc2a0f5157a8c (12) State = 0x0b0138003637b8d43b39393138ab9701 (12) Message-Authenticator = 0xa330d14becbcd2b557c3aeb3deb98ff4 (12,1) Restored &session-state (12,1) &session-state:Stripped-User-Name += "testuser" (12,1) &session-state:Reply-Message += "successful authentication" (12,1) Running section authorize from file /etc/raddb/sites-enabled/default (12,1) authorize { (12,1) local_rewrite_called_station_id { (12,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12,1) update request { (12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (12,1) --> 64:AE:0C:91:42:60 (12,1) &Called-Station-Id := 64:AE:0C:91:42:60 (12,1) } # update request (noop) (12,1) if ("%{8}") { (12,1) EXPAND %{8} (12,1) --> RADIUS-TEST (12,1) update request { (12,1) EXPAND %{8} (12,1) --> RADIUS-TEST (12,1) &Called-Station-SSID := RADIUS-TEST (12,1) } # update request (noop) (12,1) } # if ("%{8}") (noop) (12,1) updated (updated) (12,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # local_rewrite_called_station_id (updated) (12,1) local_rewrite_calling_station_id { (12,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12,1) update request { (12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (12,1) --> A4:D1:8C:E4:9F:22 (12,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (12,1) } # update request (noop) (12,1) updated (updated) (12,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # local_rewrite_calling_station_id (updated) (12,1) filter_username { (12,1) if (&User-Name) { (12,1) if (&User-Name =~ / /) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@[^@]*@/ ) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /\.\./ ) { (12,1) ... (12,1) } (12,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /\.$/) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@\./) { (12,1) ... (12,1) } (12,1) } # if (&User-Name) (updated) (12,1) } # filter_username (updated) (12,1) bad_realms { (12,1) if (&User-Name =~ /\.ax\.uk$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@ac\.uk$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /myabc\.com$/i) { (12,1) ... (12,1) } (12,1) } # bad_realms (updated) (12,1) preprocess (ok) (12,1) operator-name.authorize { (12,1) if ("%{client:Operator-Name}") { (12,1) EXPAND %{client:Operator-Name} (12,1) --> 1realm.ac.uk (12,1) update request { (12,1) EXPAND %{client:Operator-Name} (12,1) --> 1realm.ac.uk (12,1) &Operator-Name = 1realm.ac.uk (12,1) } # update request (noop) (12,1) } # if ("%{client:Operator-Name}") (noop) (12,1) } # operator-name.authorize (noop) (12,1) suffix - Checking for suffix after "@" (12,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (12,1) suffix - Found realm "realm.ac.uk" (12,1) suffix - Adding Stripped-User-Name = "testuser" (12,1) suffix - Adding Realm = "realm.ac.uk" (12,1) suffix - Authentication realm is LOCAL (12,1) suffix (ok) (12,1) if (&Realm) { (12,1) update control { (12,1) &control:Proxy-To-Realm := LOCAL (12,1) } # update control (noop) (12,1) } # if (&Realm) (noop) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) if (&Realm) { (12,1) if (&Stripped-User-Name != "") { (12,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (12,1) EXPAND %{tolower:%{Stripped-User-Name}} (12,1) --> testuser (12,1) ... (12,1) } (12,1) group { (12,1) check_blacklist (ok) (12,1) if (&control:Local-Banned-User) { (12,1) ... (12,1) } (12,1) else { (12,1) noop (noop) (12,1) } # else (noop) (12,1) } # group (ok) (12,1) } # if (&Stripped-User-Name != "") (ok) (12,1) } # if (&Realm) (ok) (12,1) eap - Peer sent EAP Response (code 2) ID 12 length 43 (12,1) eap - Continuing tunnel setup (12,1) eap (ok) (12,1) } # authorize (ok) (12,1) Using 'Auth-Type = eap' for authenticate {...} (12,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (12,1) Auth-Type eap { (12,1) eap - Peer sent packet with EAP method PEAP (25) (12,1) eap - Calling submodule eap_peap to process data (12,1) eap_peap - Continuing EAP-TLS (12,1) eap_peap - Got complete TLS record (37 bytes) (12,1) eap_peap - [eap-tls verify] = complete (12,1) eap_peap - Decrypted TLS application data (11 bytes) (12,1) eap_peap - [eap-tls process] = complete (12,1) eap_peap - Session established. Decoding tunneled data (12,1) eap_peap - PEAP state send tlv success (12,1) eap_peap - Received EAP-TLV response (12,1) eap_peap - Success (12,1) eap_peap - Adding session keys (12,1) eap_peap - &reply:MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec (12,1) eap_peap - &reply:MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) eap_peap - &reply:EAP-MSK = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) eap_peap - &reply:EAP-EMSK = 0x4d4889f2308cc16ca2dfb5c43fd14af93e7a927a9ab73d43433258508c312fa5d2774e063dd8d0ceb56bea3134b9fb99691718545b00139d8dc9e61bf277a526 (12,1) eap - Sending EAP Success (code 3) ID 12 length 4 (12,1) eap - Cleaning up EAP session (12,1) eap (ok) (12,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (12,1) ... (12,1) } (12,1) } # Auth-Type eap (ok) (12,1) Login OK: [testuser@realm] (from client wism13 port 13 cli A4:D1:8C:E4:9F:22) (12,1) Running section post-auth from file /etc/raddb/sites-enabled/default (12,1) post-auth { (12,1) update { (12,1) &reply: += &session-state:Stripped-User-Name -> "testuser" (12,1) &reply: += &session-state:Reply-Message -> "successful authentication" (12,1) } # update (noop) (12,1) update reply { (12,1) &reply:Reply-Message := successful authentication (12,1) } # update reply (noop) (12,1) default-accept-log - Using default message (12,1) default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}' (12,1) default-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 88 DEFAULT ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication' (12,1) default-accept-log - EXPAND /var/log/radius/auth.log (12,1) default-accept-log - --> /var/log/radius/auth.log (12,1) default-accept-log (ok) (12,1) exec (noop) (12,1) remove_reply_message_if_eap { (12,1) if (&reply:EAP-Message && &reply:Reply-Message) { (12,1) update reply { (12,1) &reply:Reply-Message !* ANY (12,1) } # update reply (noop) (12,1) } # if (&reply:EAP-Message && &reply:Reply-Message) (noop) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # remove_reply_message_if_eap (noop) (12,1) } # post-auth (ok) (12,1) Sent Access-Accept Id 88 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (12,1) MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec (12,1) MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) EAP-Message = 0x030c0004 (12,1) Message-Authenticator = 0x00000000000000000000000000000000 (12,1) Finished request Waking up in 4.8 seconds. ^CWaking up in 3.1 seconds.
On Nov 25, 2016, at 11:04 AM, Chris Howley <C.P.Howley@leeds.ac.uk> wrote:
Hi Alan,
Here's the debug information you requested.
Hmm... it all looks OK, except the User-Name is missing from the Access-Accept. The EAP module adds that in the "authenticate" section. So it should all work. It works for other EAP types, so I'm not sure what's going on here. Alan DeKok.
participants (2)
-
Alan DeKok -
Chris Howley