FreeRADIUS (packetfence) - Azure AD - Authentication - Regarding
Hi all, I learned a lot with the support of the users mailing list My environment is FreeRADIUS (Packetfence) running with the Azure AD Configured the Azure AD for the application packetfence. This is the O/P of the the FreeRADIUS server --------------------- } # policy rewrite_called_station_id = updated (0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (0) EXPAND %{client:shortname} (0) --> 172.16.20.210/32 (0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = updated (0) } # policy filter_username = updated (0) policy filter_password { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (0) } # policy filter_password = updated (0) [preprocess] = ok (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (0) suffix: Found realm "tanuvas.edu.in" (0) suffix: Adding Stripped-User-Name = "" (0) suffix: Adding Realm = "tanuvas.edu.in" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) ntdomain: Request already has destination realm set. Ignoring (0) [ntdomain] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 20 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0xc7239dc8c720845a (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 61 from 172.16.11.10:1812 to 172.16.20.210:57049 length 64 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xc7239dc8c720845ac7ab04a38861e476 (0) Finished request Thread 1 waiting to be assigned a request Threads: total/active/spare threads = 3/0/3 Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 62 from 172.16.20.210:57049 to 172.16.11.10:1812 length 221 (1) User-Name = "@tanuvas.edu.in" (1) NAS-IP-Address = 172.16.20.210 (1) NAS-Port = 0 (1) NAS-Identifier = "172.16.20.101" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "706655fca6f1" (1) Called-Station-Id = "b83a5ac71008" (1) Service-Type = Framed-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x020300060315 (1) State = 0xc7239dc8c720845ac7ab04a38861e476 (1) Aruba-Essid-Name = "TANUVAS" (1) Aruba-Location-Id = "CECONDS" (1) Aruba-AP-Group = "MVC_AcademicAP_VC" (1) Aruba-Device-Type = "NOFP" (1) Message-Authenticator = 0xbcc9ecdc45d8912c7c26adf13026d1c9 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (1) authorize { (1) policy packetfence-nas-ip-address { (1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (1) } # policy packetfence-nas-ip-address = notfound (1) update { (1) EXPAND %{Packet-Src-IP-Address} (1) --> 172.16.20.210 (1) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (1) EXPAND %{Packet-Dst-IP-Address} (1) --> 172.16.11.10 (1) &request:PacketFence-Radius-Ip := 172.16.11.10 (1) &control:PacketFence-RPC-Server = 127.0.0.1 (1) &control:PacketFence-RPC-Port = 7070 (1) &control:PacketFence-RPC-User = (1) &control:PacketFence-RPC-Pass = '' (1) &control:PacketFence-RPC-Proto = http (1) EXPAND %l (1) --> 1647449682 (1) &control:Tmp-Integer-0 := 1647449682 (1) &control:PacketFence-Request-Time := 0 (1) } # update = noop (1) policy packetfence-set-realm-if-machine { (1) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (1) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (1) } # policy packetfence-set-realm-if-machine = noop (1) policy packetfence-balanced-key-policy { (1) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (1) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (1) else { (1) update { (1) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (1) --> 676ae0f0be13d41f008250df0c25be53 (1) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (1) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (1) --> 676ae0f0be13d41f008250df0c25be53 (1) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (1) } # update = noop (1) } # else = noop (1) } # policy packetfence-balanced-key-policy = noop (1) policy packetfence-set-tenant-id { (1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (1) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (1) --> 0 (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (1) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (1) EXPAND %{request:Called-Station-Id} (1) --> b83a5ac71008 (1) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (1) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (1) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (1) EXPAND %{User-Name} (1) --> @tanuvas.edu.in (1) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (1) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (1) (1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (1) --> 0 (1) &PacketFence-Tenant-Id = 0 (1) } # update control = noop (1) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (1) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (1) --> 0 (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (1) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (1) EXPAND %{User-Name} (1) --> @tanuvas.edu.in (1) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (1) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (2) (1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (1) --> 1 (1) &PacketFence-Tenant-Id = 1 (1) } # update control = noop (1) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (1) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (1) if ( &control:PacketFence-Tenant-Id == 0 ) { (1) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (1) if ( &control:PacketFence-Tenant-Id == 0 ) { (1) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (1) EXPAND %{User-Name} (1) --> @tanuvas.edu.in (1) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (1) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (2) (1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (1) --> 1 (1) &PacketFence-Tenant-Id := 1 (1) } # update control = noop (1) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (1) } # policy packetfence-set-tenant-id = noop (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 70:66:55:fc:a6:f1 (1) &Calling-Station-Id := 70:66:55:fc:a6:f1 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) policy rewrite_called_station_id { (1) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (1) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (1) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (1) update request { (1) &Called-Station-Id !* ANY (1) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> b8:3a:5a:c7:10:08 (1) &Called-Station-Id := b8:3a:5a:c7:10:08 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> (1) if ("%{8}") -> FALSE (1) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (1) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (1) elsif (Aruba-Essid-Name) { (1) elsif (Aruba-Essid-Name) -> TRUE (1) elsif (Aruba-Essid-Name) { (1) update request { (1) EXPAND %{Aruba-Essid-Name} (1) --> TANUVAS (1) &Called-Station-SSID := TANUVAS (1) } # update request = noop (1) } # elsif (Aruba-Essid-Name) = noop (1) ... skipping elsif: Preceding "if" was taken (1) [updated] = updated (1) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (1) EXPAND %{client:shortname} (1) --> 172.16.20.210/32 (1) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = updated (1) } # policy filter_username = updated (1) policy filter_password { (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (1) } # policy filter_password = updated (1) [preprocess] = ok (1) [mschap] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (1) suffix: Found realm "tanuvas.edu.in" (1) suffix: Adding Stripped-User-Name = "" (1) suffix: Adding Realm = "tanuvas.edu.in" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) ntdomain: Request already has destination realm set. Ignoring (1) [ntdomain] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") { (1) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") -> FALSE (1) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") { (1) EXPAND %{%{Control:Auth-type}:-No-MS_CHAP} (1) --> eap (1) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") -> FALSE (1) policy packetfence-eap-mac-policy { (1) if ( &EAP-Type ) { (1) if ( &EAP-Type ) -> TRUE (1) if ( &EAP-Type ) { (1) if (&User-Name && (&User-Name =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&User-Name && (&User-Name =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE (1) } # if ( &EAP-Type ) = updated (1) [noop] = noop (1) } # policy packetfence-eap-mac-policy = updated (1) * pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(1) pap: WARNING: !!! Ignoring control:User-Password. Update your !!!(1) pap: WARNING: !!! configuration so that the "known good" clear text !!!(1) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!!(1) pap: WARNING: !!! User-Password. !!!(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!* Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (1) authenticate { (1) eap: Expiring EAP session with state 0xc7239dc8c720845a (1) eap: Finished EAP session with state 0xc7239dc8c720845a (1) eap: Previous EAP request found for state 0xc7239dc8c720845a, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 4 length 6 (1) eap: EAP session adding &reply:State = 0xc7239dc8c627885a (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 62 from 172.16.11.10:1812 to 172.16.20.210:57049 length 64 (1) EAP-Message = 0x010400061520 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xc7239dc8c627885ac7ab04a38861e476 (1) Finished request Thread 2 waiting to be assigned a request Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 2, (1 handled so far) (2) Received Access-Request Id 63 from 172.16.20.210:57049 to 172.16.11.10:1812 length 387 (2) User-Name = "@tanuvas.edu.in" (2) NAS-IP-Address = 172.16.20.210 (2) NAS-Port = 0 (2) NAS-Identifier = "172.16.20.101" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "706655fca6f1" (2) Called-Station-Id = "b83a5ac71008" (2) Service-Type = Framed-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x020400ac1580000000a2160303009d0100009903036231ca9a72f5c07f0ade35438b2f397936b99ab972e37955c1a24cfce5ae3ef900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (2) State = 0xc7239dc8c627885ac7ab04a38861e476 (2) Aruba-Essid-Name = "TANUVAS" (2) Aruba-Location-Id = "CECONDS" (2) Aruba-AP-Group = "MVC_AcademicAP_VC" (2) Aruba-Device-Type = "NOFP" (2) Message-Authenticator = 0x145b706d2f82d33aabdf94b983a619bf (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (2) authorize { (2) policy packetfence-nas-ip-address { (2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (2) } # policy packetfence-nas-ip-address = notfound (2) update { (2) EXPAND %{Packet-Src-IP-Address} (2) --> 172.16.20.210 (2) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (2) EXPAND %{Packet-Dst-IP-Address} (2) --> 172.16.11.10 (2) &request:PacketFence-Radius-Ip := 172.16.11.10 (2) &control:PacketFence-RPC-Server = 127.0.0.1 (2) &control:PacketFence-RPC-Port = 7070 (2) &control:PacketFence-RPC-User = (2) &control:PacketFence-RPC-Pass = '' (2) &control:PacketFence-RPC-Proto = http (2) EXPAND %l (2) --> 1647449682 (2) &control:Tmp-Integer-0 := 1647449682 (2) &control:PacketFence-Request-Time := 0 (2) } # update = noop (2) policy packetfence-set-realm-if-machine { (2) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (2) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (2) } # policy packetfence-set-realm-if-machine = noop (2) policy packetfence-balanced-key-policy { (2) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (2) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (2) else { (2) update { (2) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (2) --> 676ae0f0be13d41f008250df0c25be53 (2) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (2) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (2) --> 676ae0f0be13d41f008250df0c25be53 (2) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (2) } # update = noop (2) } # else = noop (2) } # policy packetfence-balanced-key-policy = noop (2) policy packetfence-set-tenant-id { (2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (2) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (2) --> 0 (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (2) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (2) EXPAND %{request:Called-Station-Id} (2) --> b83a5ac71008 (2) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (2) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (2) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) (2) EXPAND %{User-Name} (2) --> @tanuvas.edu.in (2) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (0) (2) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (0) (2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (2) --> 0 (2) &PacketFence-Tenant-Id = 0 (2) } # update control = noop (2) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (2) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (2) --> 0 (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (2) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (2) EXPAND %{User-Name} (2) --> @tanuvas.edu.in (2) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (2) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (1) (2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (2) --> 1 (2) &PacketFence-Tenant-Id = 1 (2) } # update control = noop (2) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (2) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (2) if ( &control:PacketFence-Tenant-Id == 0 ) { (2) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (2) if ( &control:PacketFence-Tenant-Id == 0 ) { (2) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (2) EXPAND %{User-Name} (2) --> @tanuvas.edu.in (2) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (2) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (1) (2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (2) --> 1 (2) &PacketFence-Tenant-Id := 1 (2) } # update control = noop (2) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (2) } # policy packetfence-set-tenant-id = noop (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 70:66:55:fc:a6:f1 (2) &Calling-Station-Id := 70:66:55:fc:a6:f1 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) policy rewrite_called_station_id { (2) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (2) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (2) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (2) update request { (2) &Called-Station-Id !* ANY (2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> b8:3a:5a:c7:10:08 (2) &Called-Station-Id := b8:3a:5a:c7:10:08 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> (2) if ("%{8}") -> FALSE (2) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (2) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (2) elsif (Aruba-Essid-Name) { (2) elsif (Aruba-Essid-Name) -> TRUE (2) elsif (Aruba-Essid-Name) { (2) update request { (2) EXPAND %{Aruba-Essid-Name} (2) --> TANUVAS (2) &Called-Station-SSID := TANUVAS (2) } # update request = noop (2) } # elsif (Aruba-Essid-Name) = noop (2) ... skipping elsif: Preceding "if" was taken (2) [updated] = updated (2) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (2) EXPAND %{client:shortname} (2) --> 172.16.20.210/32 (2) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = updated (2) } # policy filter_username = updated (2) policy filter_password { (2) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (2) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (2) } # policy filter_password = updated (2) [preprocess] = ok (2) [mschap] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (2) suffix: Found realm "tanuvas.edu.in" (2) suffix: Adding Stripped-User-Name = "" (2) suffix: Adding Realm = "tanuvas.edu.in" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) ntdomain: Request already has destination realm set. Ignoring (2) [ntdomain] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 172 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (2) authenticate { (2) eap: Expiring EAP session with state 0xc7239dc8c627885a (2) eap: Finished EAP session with state 0xc7239dc8c627885a (2) eap: Previous EAP request found for state 0xc7239dc8c627885a, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: (TLS) EAP Peer says that the final record size will be 162 bytes (2) eap_ttls: (TLS) EAP Got all data (162 bytes) (2) eap_ttls: (TLS) Handshake state - before SSL initialization (2) eap_ttls: (TLS) Handshake state - Server before SSL initialization (2) eap_ttls: (TLS) Handshake state - Server before SSL initialization (2) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (2) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (2) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (2) eap_ttls: (TLS) In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 5 length 1004 (2) eap: EAP session adding &reply:State = 0xc7239dc8c526885a (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 63 from 172.16.11.10:1812 to 172.16.20.210:57049 length 1068 (2) EAP-Message = 0x010503ec15c000000a8b160303003d0200003903032841295d51eab237d088feb0035e05f9749f13ac3d96eec57b778e02ccbb95d100c030000011ff01000100000b0004030001020017000016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303232333135343635315a170d3237303232323135343635315a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc7239dc8c526885ac7ab04a38861e476 (2) Finished request Thread 3 waiting to be assigned a request Waking up in 0.2 seconds. Thread 1 got semaphore Thread 1 handling request 3, (2 handled so far) (3) Received Access-Request Id 64 from 172.16.20.210:57049 to 172.16.11.10:1812 length 221 (3) User-Name = "@tanuvas.edu.in" (3) NAS-IP-Address = 172.16.20.210 (3) NAS-Port = 0 (3) NAS-Identifier = "172.16.20.101" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "706655fca6f1" (3) Called-Station-Id = "b83a5ac71008" (3) Service-Type = Framed-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x020500061500 (3) State = 0xc7239dc8c526885ac7ab04a38861e476 (3) Aruba-Essid-Name = "TANUVAS" (3) Aruba-Location-Id = "CECONDS" (3) Aruba-AP-Group = "MVC_AcademicAP_VC" (3) Aruba-Device-Type = "NOFP" (3) Message-Authenticator = 0x43eb1f46e1ff7c7eae412bd848fe45e6 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (3) authorize { (3) policy packetfence-nas-ip-address { (3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (3) } # policy packetfence-nas-ip-address = notfound (3) update { (3) EXPAND %{Packet-Src-IP-Address} (3) --> 172.16.20.210 (3) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (3) EXPAND %{Packet-Dst-IP-Address} (3) --> 172.16.11.10 (3) &request:PacketFence-Radius-Ip := 172.16.11.10 (3) &control:PacketFence-RPC-Server = 127.0.0.1 (3) &control:PacketFence-RPC-Port = 7070 (3) &control:PacketFence-RPC-User = (3) &control:PacketFence-RPC-Pass = '' (3) &control:PacketFence-RPC-Proto = http (3) EXPAND %l (3) --> 1647449682 (3) &control:Tmp-Integer-0 := 1647449682 (3) &control:PacketFence-Request-Time := 0 (3) } # update = noop (3) policy packetfence-set-realm-if-machine { (3) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (3) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (3) } # policy packetfence-set-realm-if-machine = noop (3) policy packetfence-balanced-key-policy { (3) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (3) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (3) else { (3) update { (3) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (3) --> 676ae0f0be13d41f008250df0c25be53 (3) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (3) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (3) --> 676ae0f0be13d41f008250df0c25be53 (3) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (3) } # update = noop (3) } # else = noop (3) } # policy packetfence-balanced-key-policy = noop (3) policy packetfence-set-tenant-id { (3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (3) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (3) --> 0 (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (3) EXPAND %{request:Called-Station-Id} (3) --> b83a5ac71008 (3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (3) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (3) EXPAND %{User-Name} (3) --> @tanuvas.edu.in (3) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (3) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (2) (3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (3) --> 0 (3) &PacketFence-Tenant-Id = 0 (3) } # update control = noop (3) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (3) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (3) --> 0 (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (3) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) (3) EXPAND %{User-Name} (3) --> @tanuvas.edu.in (3) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (0) (3) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (0) (3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (3) --> 1 (3) &PacketFence-Tenant-Id = 1 (3) } # update control = noop (3) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (3) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (3) if ( &control:PacketFence-Tenant-Id == 0 ) { (3) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (3) if ( &control:PacketFence-Tenant-Id == 0 ) { (3) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) (3) EXPAND %{User-Name} (3) --> @tanuvas.edu.in (3) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (0) (3) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (0) (3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (3) --> 1 (3) &PacketFence-Tenant-Id := 1 (3) } # update control = noop (3) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (3) } # policy packetfence-set-tenant-id = noop (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> 70:66:55:fc:a6:f1 (3) &Calling-Station-Id := 70:66:55:fc:a6:f1 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) policy rewrite_called_station_id { (3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (3) update request { (3) &Called-Station-Id !* ANY (3) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> b8:3a:5a:c7:10:08 (3) &Called-Station-Id := b8:3a:5a:c7:10:08 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> (3) if ("%{8}") -> FALSE (3) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (3) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (3) elsif (Aruba-Essid-Name) { (3) elsif (Aruba-Essid-Name) -> TRUE (3) elsif (Aruba-Essid-Name) { (3) update request { (3) EXPAND %{Aruba-Essid-Name} (3) --> TANUVAS (3) &Called-Station-SSID := TANUVAS (3) } # update request = noop (3) } # elsif (Aruba-Essid-Name) = noop (3) ... skipping elsif: Preceding "if" was taken (3) [updated] = updated (3) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (3) EXPAND %{client:shortname} (3) --> 172.16.20.210/32 (3) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = updated (3) } # policy filter_username = updated (3) policy filter_password { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (3) } # policy filter_password = updated (3) [preprocess] = ok (3) [mschap] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (3) suffix: Found realm "tanuvas.edu.in" (3) suffix: Adding Stripped-User-Name = "" (3) suffix: Adding Realm = "tanuvas.edu.in" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) ntdomain: Request already has destination realm set. Ignoring (3) [ntdomain] = noop (3) eap: Peer sent EAP Response (code 2) ID 5 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (3) authenticate { (3) eap: Expiring EAP session with state 0xc7239dc8c526885a (3) eap: Finished EAP session with state 0xc7239dc8c526885a (3) eap: Previous EAP request found for state 0xc7239dc8c526885a, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 6 length 1004 (3) eap: EAP session adding &reply:State = 0xc7239dc8c425885a (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 64 from 172.16.11.10:1812 to 172.16.20.210:57049 length 1068 (3) EAP-Message = 0x010603ec15c000000a8bc6c0465e8b9b1914ddac5ac4ae059c4943885a50b9993dd88a9b4f3086b66218cf8cf569d65fa4c6450c031c9cbc745dcdf3d766f8dc6d0e6b64439afa773b334255c4009f6591d212b3e222e50004fe308204fa308203e2a00302010202140141a16ddfd9fce3a7d1f13ab4552f2136efcca6300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303232333135343635315a170d3237303232323135343635315a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d657768657265 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xc7239dc8c425885ac7ab04a38861e476 (3) Finished request Thread 1 waiting to be assigned a request Waking up in 0.1 seconds. Thread 2 got semaphore Thread 2 handling request 4, (2 handled so far) (4) Received Access-Request Id 65 from 172.16.20.210:57049 to 172.16.11.10:1812 length 221 (4) User-Name = "@tanuvas.edu.in" (4) NAS-IP-Address = 172.16.20.210 (4) NAS-Port = 0 (4) NAS-Identifier = "172.16.20.101" (4) NAS-Port-Type = Wireless-802.11 (4) Calling-Station-Id = "706655fca6f1" (4) Called-Station-Id = "b83a5ac71008" (4) Service-Type = Framed-User (4) Framed-MTU = 1100 (4) EAP-Message = 0x020600061500 (4) State = 0xc7239dc8c425885ac7ab04a38861e476 (4) Aruba-Essid-Name = "TANUVAS" (4) Aruba-Location-Id = "CECONDS" (4) Aruba-AP-Group = "MVC_AcademicAP_VC" (4) Aruba-Device-Type = "NOFP" (4) Message-Authenticator = 0xead7c4879b2f4265eda427f33bc83889 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (4) authorize { (4) policy packetfence-nas-ip-address { (4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (4) } # policy packetfence-nas-ip-address = notfound (4) update { (4) EXPAND %{Packet-Src-IP-Address} (4) --> 172.16.20.210 (4) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (4) EXPAND %{Packet-Dst-IP-Address} (4) --> 172.16.11.10 (4) &request:PacketFence-Radius-Ip := 172.16.11.10 (4) &control:PacketFence-RPC-Server = 127.0.0.1 (4) &control:PacketFence-RPC-Port = 7070 (4) &control:PacketFence-RPC-User = (4) &control:PacketFence-RPC-Pass = '' (4) &control:PacketFence-RPC-Proto = http (4) EXPAND %l (4) --> 1647449682 (4) &control:Tmp-Integer-0 := 1647449682 (4) &control:PacketFence-Request-Time := 0 (4) } # update = noop (4) policy packetfence-set-realm-if-machine { (4) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (4) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (4) } # policy packetfence-set-realm-if-machine = noop (4) policy packetfence-balanced-key-policy { (4) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (4) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (4) else { (4) update { (4) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (4) --> 676ae0f0be13d41f008250df0c25be53 (4) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (4) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (4) --> 676ae0f0be13d41f008250df0c25be53 (4) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (4) } # update = noop (4) } # else = noop (4) } # policy packetfence-balanced-key-policy = noop (4) policy packetfence-set-tenant-id { (4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (4) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (4) --> 0 (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (4) EXPAND %{request:Called-Station-Id} (4) --> b83a5ac71008 (4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (4) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (4) EXPAND %{User-Name} (4) --> @tanuvas.edu.in (4) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (4) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (1) (4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (4) --> 0 (4) &PacketFence-Tenant-Id = 0 (4) } # update control = noop (4) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (4) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (4) --> 0 (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (4) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (4) EXPAND %{User-Name} (4) --> @tanuvas.edu.in (4) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (4) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (2) (4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (4) --> 1 (4) &PacketFence-Tenant-Id = 1 (4) } # update control = noop (4) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (4) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (4) if ( &control:PacketFence-Tenant-Id == 0 ) { (4) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (4) if ( &control:PacketFence-Tenant-Id == 0 ) { (4) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (4) EXPAND %{User-Name} (4) --> @tanuvas.edu.in (4) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (4) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (2) (4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (4) --> 1 (4) &PacketFence-Tenant-Id := 1 (4) } # update control = noop (4) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (4) } # policy packetfence-set-tenant-id = noop (4) policy rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> 70:66:55:fc:a6:f1 (4) &Calling-Station-Id := 70:66:55:fc:a6:f1 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_calling_station_id = updated (4) policy rewrite_called_station_id { (4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (4) update request { (4) &Called-Station-Id !* ANY (4) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> b8:3a:5a:c7:10:08 (4) &Called-Station-Id := b8:3a:5a:c7:10:08 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> (4) if ("%{8}") -> FALSE (4) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (4) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (4) elsif (Aruba-Essid-Name) { (4) elsif (Aruba-Essid-Name) -> TRUE (4) elsif (Aruba-Essid-Name) { (4) update request { (4) EXPAND %{Aruba-Essid-Name} (4) --> TANUVAS (4) &Called-Station-SSID := TANUVAS (4) } # update request = noop (4) } # elsif (Aruba-Essid-Name) = noop (4) ... skipping elsif: Preceding "if" was taken (4) [updated] = updated (4) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (4) EXPAND %{client:shortname} (4) --> 172.16.20.210/32 (4) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = updated (4) } # policy filter_username = updated (4) policy filter_password { (4) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (4) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (4) } # policy filter_password = updated (4) [preprocess] = ok (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (4) suffix: Found realm "tanuvas.edu.in" (4) suffix: Adding Stripped-User-Name = "" (4) suffix: Adding Realm = "tanuvas.edu.in" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) ntdomain: Request already has destination realm set. Ignoring (4) [ntdomain] = noop (4) eap: Peer sent EAP Response (code 2) ID 6 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (4) authenticate { (4) eap: Expiring EAP session with state 0xc7239dc8c425885a (4) eap: Finished EAP session with state 0xc7239dc8c425885a (4) eap: Previous EAP request found for state 0xc7239dc8c425885a, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 7 length 721 (4) eap: EAP session adding &reply:State = 0xc7239dc8c324885a (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 65 from 172.16.11.10:1812 to 172.16.20.210:57049 length 783 (4) EAP-Message = 0x010702d1158000000a8bd9fce3a7d1f13ab4552f2136efcca6300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007d3559bea4e88af5447e8015ba0c5dd35f625272cbcf8fe8ceb746a6a64f4d54c4314cefa8222f53e87356da0cf679f75a8ce780c6d6b77fbc9b8cbfb6634f29020ae42a235f229e90d9fdaae0a84effd08a6be10b5c1b48460c855dae766dfb6ca602c579acd5e2c335b18117745367df7ce9be5297e53881ae94f3bb926dca3c3b041264187636d2097562a5b60adc05e759bbe0caad844f3aeb2e2ee543273b2d4e9b3e27625441d77d8f77ac8d787551311a1e692c63ceee11a0087d4c416ef248147201980b214b85ec85bc74c5b000a748231281f8c06806b42a2d46b13e7a8265fa75f36eb36e18353ca442a0e0f8d2500e327aa2490114142f1f310716 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xc7239dc8c324885ac7ab04a38861e476 (4) Finished request Thread 2 waiting to be assigned a request Waking up in 0.1 seconds. Thread 3 got semaphore Thread 3 handling request 5, (2 handled so far) (5) Received Access-Request Id 66 from 172.16.20.210:57049 to 172.16.11.10:1812 length 351 (5) User-Name = "@tanuvas.edu.in" (5) NAS-IP-Address = 172.16.20.210 (5) NAS-Port = 0 (5) NAS-Identifier = "172.16.20.101" (5) NAS-Port-Type = Wireless-802.11 (5) Calling-Station-Id = "706655fca6f1" (5) Called-Station-Id = "b83a5ac71008" (5) Service-Type = Framed-User (5) Framed-MTU = 1100 (5) EAP-Message = 0x0207008815800000007e1603030046100000424104c4dd5151d2477fc7b889af09a48bc315a77aee2bc39f8058883c0d7dad0f9935eb1bc5ca46dd3b93f80ad04cae257662de9c199d16ce622e7880007f6dc6d138140303000101160303002800000000000000001e22c3cf379434e69dd52d8f6a8ea0c084f0b6f35efcb916f01b52d96bf8246c (5) State = 0xc7239dc8c324885ac7ab04a38861e476 (5) Aruba-Essid-Name = "TANUVAS" (5) Aruba-Location-Id = "CECONDS" (5) Aruba-AP-Group = "MVC_AcademicAP_VC" (5) Aruba-Device-Type = "NOFP" (5) Message-Authenticator = 0xb275fc254168c0bf148aaafcb1979511 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (5) authorize { (5) policy packetfence-nas-ip-address { (5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (5) } # policy packetfence-nas-ip-address = notfound (5) update { (5) EXPAND %{Packet-Src-IP-Address} (5) --> 172.16.20.210 (5) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (5) EXPAND %{Packet-Dst-IP-Address} (5) --> 172.16.11.10 (5) &request:PacketFence-Radius-Ip := 172.16.11.10 (5) &control:PacketFence-RPC-Server = 127.0.0.1 (5) &control:PacketFence-RPC-Port = 7070 (5) &control:PacketFence-RPC-User = (5) &control:PacketFence-RPC-Pass = '' (5) &control:PacketFence-RPC-Proto = http (5) EXPAND %l (5) --> 1647449682 (5) &control:Tmp-Integer-0 := 1647449682 (5) &control:PacketFence-Request-Time := 0 (5) } # update = noop (5) policy packetfence-set-realm-if-machine { (5) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (5) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (5) } # policy packetfence-set-realm-if-machine = noop (5) policy packetfence-balanced-key-policy { (5) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (5) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (5) else { (5) update { (5) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (5) --> 676ae0f0be13d41f008250df0c25be53 (5) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (5) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (5) --> 676ae0f0be13d41f008250df0c25be53 (5) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (5) } # update = noop (5) } # else = noop (5) } # policy packetfence-balanced-key-policy = noop (5) policy packetfence-set-tenant-id { (5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (5) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (5) --> 0 (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (5) EXPAND %{request:Called-Station-Id} (5) --> b83a5ac71008 (5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (5) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) (5) EXPAND %{User-Name} (5) --> @tanuvas.edu.in (5) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (0) (5) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (0) (5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (5) --> 0 (5) &PacketFence-Tenant-Id = 0 (5) } # update control = noop (5) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (5) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (5) --> 0 (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (5) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (5) EXPAND %{User-Name} (5) --> @tanuvas.edu.in (5) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (5) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (1) (5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (5) --> 1 (5) &PacketFence-Tenant-Id = 1 (5) } # update control = noop (5) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (5) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (5) if ( &control:PacketFence-Tenant-Id == 0 ) { (5) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (5) if ( &control:PacketFence-Tenant-Id == 0 ) { (5) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (5) EXPAND %{User-Name} (5) --> @tanuvas.edu.in (5) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (5) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (1) (5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (5) --> 1 (5) &PacketFence-Tenant-Id := 1 (5) } # update control = noop (5) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (5) } # policy packetfence-set-tenant-id = noop (5) policy rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> 70:66:55:fc:a6:f1 (5) &Calling-Station-Id := 70:66:55:fc:a6:f1 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_calling_station_id = updated (5) policy rewrite_called_station_id { (5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (5) update request { (5) &Called-Station-Id !* ANY (5) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> b8:3a:5a:c7:10:08 (5) &Called-Station-Id := b8:3a:5a:c7:10:08 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> (5) if ("%{8}") -> FALSE (5) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (5) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (5) elsif (Aruba-Essid-Name) { (5) elsif (Aruba-Essid-Name) -> TRUE (5) elsif (Aruba-Essid-Name) { (5) update request { (5) EXPAND %{Aruba-Essid-Name} (5) --> TANUVAS (5) &Called-Station-SSID := TANUVAS (5) } # update request = noop (5) } # elsif (Aruba-Essid-Name) = noop (5) ... skipping elsif: Preceding "if" was taken (5) [updated] = updated (5) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (5) EXPAND %{client:shortname} (5) --> 172.16.20.210/32 (5) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = updated (5) } # policy filter_username = updated (5) policy filter_password { (5) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (5) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (5) } # policy filter_password = updated (5) [preprocess] = ok (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (5) suffix: Found realm "tanuvas.edu.in" (5) suffix: Adding Stripped-User-Name = "" (5) suffix: Adding Realm = "tanuvas.edu.in" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) ntdomain: Request already has destination realm set. Ignoring (5) [ntdomain] = noop (5) eap: Peer sent EAP Response (code 2) ID 7 length 136 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (5) authenticate { (5) eap: Expiring EAP session with state 0xc7239dc8c324885a (5) eap: Finished EAP session with state 0xc7239dc8c324885a (5) eap: Previous EAP request found for state 0xc7239dc8c324885a, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes (5) eap_ttls: (TLS) EAP Got all data (126 bytes) (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (5) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (5) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (5) eap_ttls: (TLS) Connection Established (5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_ttls: TLS-Session-Version = "TLS 1.2" (5) eap: Sending EAP Request (code 1) ID 8 length 61 (5) eap: EAP session adding &reply:State = 0xc7239dc8c22b885a (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 66 from 172.16.11.10:1812 to 172.16.20.210:57049 length 119 (5) EAP-Message = 0x0108003d15800000003314030300010116030300283855ef975928a19d03d3a260ac0e925065588253e7a88e732f42724b673faa0f609197353425f0e6 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xc7239dc8c22b885ac7ab04a38861e476 (5) Finished request Thread 3 waiting to be assigned a request Waking up in 4.4 seconds. Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 6, (3 handled so far) (6) Received Access-Request Id 67 from 172.16.20.210:57049 to 172.16.11.10:1812 length 306 (6) User-Name = "@tanuvas.edu.in" (6) NAS-IP-Address = 172.16.20.210 (6) NAS-Port = 0 (6) NAS-Identifier = "172.16.20.101" (6) NAS-Port-Type = Wireless-802.11 (6) Calling-Station-Id = "706655fca6f1" (6) Called-Station-Id = "b83a5ac71008" (6) Service-Type = Framed-User (6) Framed-MTU = 1100 (6) EAP-Message = 0x0208005b158000000051170303004c000000000000000140aaec26e769e54b6155a3c1048c4ff2b9398f03fb1076c83982c34bbfeca12cb54843909f0c70fb51b301cd4542c5b6911ffb2e17d33c910e9e4fe6caf1b8fe03d93321 (6) State = 0xc7239dc8c22b885ac7ab04a38861e476 (6) Aruba-Essid-Name = "TANUVAS" (6) Aruba-Location-Id = "CECONDS" (6) Aruba-AP-Group = "MVC_AcademicAP_VC" (6) Aruba-Device-Type = "NOFP" (6) Message-Authenticator = 0x169466c3949f358044792e7fbf909c5c (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (6) authorize { (6) policy packetfence-nas-ip-address { (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (6) } # policy packetfence-nas-ip-address = notfound (6) update { (6) EXPAND %{Packet-Src-IP-Address} (6) --> 172.16.20.210 (6) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210 (6) EXPAND %{Packet-Dst-IP-Address} (6) --> 172.16.11.10 (6) &request:PacketFence-Radius-Ip := 172.16.11.10 (6) &control:PacketFence-RPC-Server = 127.0.0.1 (6) &control:PacketFence-RPC-Port = 7070 (6) &control:PacketFence-RPC-User = (6) &control:PacketFence-RPC-Pass = '' (6) &control:PacketFence-RPC-Proto = http (6) EXPAND %l (6) --> 1647449684 (6) &control:Tmp-Integer-0 := 1647449684 (6) &control:PacketFence-Request-Time := 0 (6) } # update = noop (6) policy packetfence-set-realm-if-machine { (6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (6) } # policy packetfence-set-realm-if-machine = noop (6) policy packetfence-balanced-key-policy { (6) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) { (6) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE (6) else { (6) update { (6) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (6) --> 676ae0f0be13d41f008250df0c25be53 (6) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53 (6) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}} (6) --> 676ae0f0be13d41f008250df0c25be53 (6) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53 (6) } # update = noop (6) } # else = noop (6) } # policy packetfence-balanced-key-policy = noop (6) policy packetfence-set-tenant-id { (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 0 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (6) EXPAND %{request:Called-Station-Id} (6) --> b83a5ac71008 (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (6) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (3), 1 of 61 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 10.5.15-MariaDB-1:10.5.15+maria~bullseye, protocol version 10 (6) EXPAND %{User-Name} (6) --> @tanuvas.edu.in (6) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (2) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (6) --> 0 (6) &PacketFence-Tenant-Id = 0 (6) } # update control = noop (6) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 0 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) update control { rlm_sql (sql): Reserved connection (1) rlm_sql (sql): Released connection (1) (6) EXPAND %{User-Name} (6) --> @tanuvas.edu.in (6) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (0) (6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (0) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (6) --> 1 (6) &PacketFence-Tenant-Id = 1 (6) } # update control = noop (6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) update control { rlm_sql (sql): Reserved connection (3) rlm_sql (sql): Released connection (3) rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (6) EXPAND %{User-Name} (6) --> @tanuvas.edu.in (6) SQL-User-Name set to '@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (6) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (1) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (6) --> 1 (6) &PacketFence-Tenant-Id := 1 (6) } # update control = noop (6) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (6) } # policy packetfence-set-tenant-id = noop (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> 70:66:55:fc:a6:f1 (6) &Calling-Station-Id := 70:66:55:fc:a6:f1 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) policy rewrite_called_station_id { (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (6) update request { (6) &Called-Station-Id !* ANY (6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> b8:3a:5a:c7:10:08 (6) &Called-Station-Id := b8:3a:5a:c7:10:08 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> (6) if ("%{8}") -> FALSE (6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (6) elsif (Aruba-Essid-Name) { (6) elsif (Aruba-Essid-Name) -> TRUE (6) elsif (Aruba-Essid-Name) { (6) update request { (6) EXPAND %{Aruba-Essid-Name} (6) --> TANUVAS (6) &Called-Station-SSID := TANUVAS (6) } # update request = noop (6) } # elsif (Aruba-Essid-Name) = noop (6) ... skipping elsif: Preceding "if" was taken (6) [updated] = updated (6) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) { (6) EXPAND %{client:shortname} (6) --> 172.16.20.210/32 (6) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = updated (6) } # policy filter_username = updated (6) policy filter_password { (6) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (6) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (6) } # policy filter_password = updated (6) [preprocess] = ok (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@ tanuvas.edu.in" (6) suffix: Found realm "tanuvas.edu.in" (6) suffix: Adding Stripped-User-Name = "" (6) suffix: Adding Realm = "tanuvas.edu.in" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) ntdomain: Request already has destination realm set. Ignoring (6) [ntdomain] = noop (6) eap: Peer sent EAP Response (code 2) ID 8 length 91 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (6) authenticate { (6) eap: Expiring EAP session with state 0xc7239dc8c22b885a (6) eap: Finished EAP session with state 0xc7239dc8c22b885a (6) eap: Previous EAP request found for state 0xc7239dc8c22b885a, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 81 bytes (6) eap_ttls: (TLS) EAP Got all data (81 bytes) (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "MTP19003@tanuvas.edu.in" (6) eap_ttls: User-Password = "Tanuvas@2020" (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Sending tunneled request (6) Virtual server packetfence-tunnel received request (6) User-Name = "MTP19003@tanuvas.edu.in" (6) User-Password = "Tanuvas@2020" (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) NAS-IP-Address = 172.16.20.210 (6) NAS-Port = 0 (6) NAS-Identifier = "172.16.20.101" (6) NAS-Port-Type = Wireless-802.11 (6) Calling-Station-Id := "70:66:55:fc:a6:f1" (6) Service-Type = Framed-User (6) Framed-MTU = 1100 (6) Aruba-Essid-Name = "TANUVAS" (6) Aruba-Location-Id = "CECONDS" (6) Aruba-AP-Group = "MVC_AcademicAP_VC" (6) Aruba-Device-Type = "NOFP" (6) PacketFence-Radius-Ip := "172.16.11.10" (6) PacketFence-KeyBalanced := "676ae0f0be13d41f008250df0c25be53" (6) Called-Station-Id := "b8:3a:5a:c7:10:08" (6) Event-Timestamp = "Mar 16 2022 22:24:44 IST" (6) server packetfence-tunnel { (6) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel (6) authorize { (6) if ( outer.EAP-Type == TTLS) { (6) if ( outer.EAP-Type == TTLS) -> TRUE (6) if ( outer.EAP-Type == TTLS) { (6) update request { (6) &EAP-Type := TTLS (6) } # update request = noop (6) } # if ( outer.EAP-Type == TTLS) = noop (6) policy packetfence-set-realm-if-machine { (6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) { (6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE (6) } # policy packetfence-set-realm-if-machine = noop (6) policy packetfence-set-tenant-id { (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 0 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (6) EXPAND %{request:Called-Station-Id} (6) --> b8:3a:5a:c7:10:08 (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE (6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) { (6) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) (6) EXPAND %{User-Name} (6) --> MTP19003@tanuvas.edu.in (6) SQL-User-Name set to 'MTP19003@tanuvas.edu.in' rlm_sql (sql): Reserved connection (3) (6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0) rlm_sql (sql): Released connection (3) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)} (6) --> 0 (6) &PacketFence-Tenant-Id = 0 (6) } # update control = noop (6) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 0 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) update control { rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (6) EXPAND %{User-Name} (6) --> MTP19003@tanuvas.edu.in (6) SQL-User-Name set to 'MTP19003@tanuvas.edu.in' rlm_sql (sql): Reserved connection (1) (6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0) rlm_sql (sql): Released connection (1) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)} (6) --> 1 (6) &PacketFence-Tenant-Id = 1 (6) } # update control = noop (6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) update control { rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Released connection (0) rlm_sql (sql): Reserved connection (3) rlm_sql (sql): Released connection (3) (6) EXPAND %{User-Name} (6) --> MTP19003@tanuvas.edu.in (6) SQL-User-Name set to 'MTP19003@tanuvas.edu.in' rlm_sql (sql): Reserved connection (2) (6) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1) rlm_sql (sql): Released connection (2) (6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)} (6) --> 1 (6) &PacketFence-Tenant-Id := 1 (6) } # update control = noop (6) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop (6) } # policy packetfence-set-tenant-id = noop (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) update { (6) EXPAND %{outer.request:User-Name} (6) --> @tanuvas.edu.in (6) &request:PacketFence-Outer-User := @tanuvas.edu.in (6) } # update = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "tanuvas.edu.in" for User-Name = " MTP19003@tanuvas.edu.in" (6) suffix: Found realm "tanuvas.edu.in" (6) suffix: Adding Stripped-User-Name = "MTP19003" (6) suffix: Adding Realm = "tanuvas.edu.in" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) ntdomain: Request already has destination realm set. Ignoring (6) [ntdomain] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) [eap] = noop (6) if (Realm =~ /^tanuvas.org.in$/) { (6) if (Realm =~ /^tanuvas.org.in$/) -> FALSE (6) if (Realm =~ /^tanuvas.edu.in$/) { (6) if (Realm =~ /^tanuvas.edu.in$/) -> TRUE (6) if (Realm =~ /^tanuvas.edu.in$/) { (6) policy oauth2.authorize { (6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") { (6) EXPAND realm[tanuvas.edu.in].oauth2.discovery (6) --> realm[tanuvas.edu.in].oauth2.discovery (6) EXPAND %{config:realm[%{Realm}].oauth2.discovery} (6) --> https://login.microsoftonline.com/%{Realm}/v2.0 (6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> TRUE (6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") { (6) oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> ' MTP19003@tanuvas.edu.in' (6) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'Tanuvas@2020' (6) oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '172.16.20.210' (6) oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0' (6) oauth2_perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User' (6) oauth2_perl: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1100' (6) oauth2_perl: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'b8:3a:5a:c7:10:08' (6) oauth2_perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '70:66:55:fc:a6:f1' (6) oauth2_perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '172.16.20.101' (6) oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11' (6) oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Mar 16 2022 22:24:44 IST' (6) oauth2_perl: $RAD_REQUEST{'Aruba-Essid-Name'} = &request:Aruba-Essid-Name -> 'TANUVAS' (6) oauth2_perl: $RAD_REQUEST{'Aruba-Location-Id'} = &request:Aruba-Location-Id -> 'CECONDS' (6) oauth2_perl: $RAD_REQUEST{'Aruba-AP-Group'} = &request:Aruba-AP-Group -> 'MVC_AcademicAP_VC' (6) oauth2_perl: $RAD_REQUEST{'Aruba-Device-Type'} = &request:Aruba-Device-Type -> 'NOFP' (6) oauth2_perl: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1' (6) oauth2_perl: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'TTLS' (6) oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> 'MTP19003' (6) oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> 'tanuvas.edu.in ' (6) oauth2_perl: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'MTP19003@tanuvas.edu.in' (6) oauth2_perl: $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced -> '676ae0f0be13d41f008250df0c25be53' (6) oauth2_perl: $RAD_REQUEST{'PacketFence-Radius-Ip'} = &request:PacketFence-Radius-Ip -> '172.16.11.10' (6) oauth2_perl: $RAD_REQUEST{'PacketFence-Outer-User'} = &request:PacketFence-Outer-User -> '@tanuvas.edu.in' (6) oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL' (6) oauth2_perl: $RAD_CHECK{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1' (6) oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL' (6) oauth2_perl: $RAD_CONFIG{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1' rlm_perl: oauth2 authorize (6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.discovery (6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.discovery (6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.discovery} (6) oauth2_perl: --> https://login.microsoftonline.com/%{Realm}/v2.0 (6) oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0 (6) oauth2_perl: --> https://login.microsoftonline.com/tanuvas.edu.in/v2.0 (6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.client_id (6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.client_id (6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.client_id} (6) oauth2_perl: --> 06f29276-f381-4e8b-8618-e62e701ec2a7 (6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.client_secret (6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.client_secret (6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.client_secret} (6) oauth2_perl: --> b43401d0-0a12-42fd-a27d-32437248d01b rlm_perl: oauth2 worker (tanuvas.edu.in): supervisor started (tid=1) rlm_perl: oauth2 worker (tanuvas.edu.in): fetching discovery document Waking up in 0.4 seconds. rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=2) rlm_perl: oauth2 worker (tanuvas.edu.in): sync rlm_perl: oauth2 worker (tanuvas.edu.in): sync users rlm_perl: oauth2 worker (tanuvas.edu.in): users page rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized Waking up in 0.7 seconds. Use of uninitialized value $v in concatenation (.) or string at /usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167. rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request rlm_perl: oauth2 worker (tanuvas.edu.in): sync groups rlm_perl: oauth2 worker (tanuvas.edu.in): groups page rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 500 Can't connect to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error) Thread 2 terminated abnormally: token (tanuvas.edu.in): 500 Can't connect to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error) at /usr/local/pf/raddb/mods-config/perl/oauth2.pm line 191. rlm_perl: oauth2 worker (tanuvas.edu.in): died, sleeping for 0 seconds rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=3) rlm_perl: oauth2 worker (tanuvas.edu.in): sync rlm_perl: oauth2 worker (tanuvas.edu.in): sync users rlm_perl: oauth2 worker (tanuvas.edu.in): users page rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token Waking up in 1.1 seconds. rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized Use of uninitialized value $v in concatenation (.) or string at /usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167. rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request rlm_perl: oauth2 worker (tanuvas.edu.in): sync groups rlm_perl: oauth2 worker (tanuvas.edu.in): groups page rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized Use of uninitialized value $v in concatenation (.) or string at /usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167. rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 400 Bad Request rlm_perl: oauth2 worker (tanuvas.edu.in): apply (6) oauth2_perl: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> 'MTP19003' (6) oauth2_perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '70:66:55:fc:a6:f1' (6) oauth2_perl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1100' (6) oauth2_perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> '172.16.20.101' (6) oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> ' MTP19003@tanuvas.edu.in' (6) oauth2_perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User' (6) oauth2_perl: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'TTLS' (6) oauth2_perl: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> 'b8:3a:5a:c7:10:08' (6) oauth2_perl: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} -> ' MTP19003@tanuvas.edu.in' (6) oauth2_perl: &request:PacketFence-Outer-User = $RAD_REQUEST{'PacketFence-Outer-User'} -> '@tanuvas.edu.in' (6) oauth2_perl: &request:Aruba-Device-Type = $RAD_REQUEST{'Aruba-Device-Type'} -> 'NOFP' (6) oauth2_perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11' (6) oauth2_perl: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1' (6) oauth2_perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 16 2022 22:24:44 IST' (6) oauth2_perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0' (6) oauth2_perl: &request:PacketFence-Radius-Ip = $RAD_REQUEST{'PacketFence-Radius-Ip'} -> '172.16.11.10' (6) oauth2_perl: &request:PacketFence-KeyBalanced = $RAD_REQUEST{'PacketFence-KeyBalanced'} -> '676ae0f0be13d41f008250df0c25be53' (6) oauth2_perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '172.16.20.210' (6) oauth2_perl: &request:Aruba-Location-Id = $RAD_REQUEST{'Aruba-Location-Id'} -> 'CECONDS' (6) oauth2_perl: &request:Aruba-AP-Group = $RAD_REQUEST{'Aruba-AP-Group'} -> 'MVC_AcademicAP_VC' (6) oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'Tanuvas@2020' (6) oauth2_perl: &request:Realm = $RAD_REQUEST{'Realm'} -> 'tanuvas.edu.in' (6) oauth2_perl: &request:Aruba-Essid-Name = $RAD_REQUEST{'Aruba-Essid-Name'} -> 'TANUVAS' (6) oauth2_perl: &control:PacketFence-Tenant-Id = $RAD_CHECK{'PacketFence-Tenant-Id'} -> '1' (6) oauth2_perl: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL' (6) [oauth2_perl] = notfound (6) if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) { (6) if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) -> FALSE (6) } # if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") = notfound (6) ... skipping else: Preceding "if" was taken (6) } # policy oauth2.authorize = notfound (6) } # if (Realm =~ /^tanuvas.edu.in$/) = notfound (6) policy rewrite_called_station_id { (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE (6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (6) update request { (6) &Called-Station-Id !* ANY (6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> b8:3a:5a:c7:10:08 (6) &Called-Station-Id := b8:3a:5a:c7:10:08 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> (6) if ("%{8}") -> FALSE (6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) { (6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE (6) elsif (Aruba-Essid-Name) { (6) elsif (Aruba-Essid-Name) -> TRUE (6) elsif (Aruba-Essid-Name) { (6) update request { (6) EXPAND %{Aruba-Essid-Name} (6) --> TANUVAS (6) &Called-Station-SSID := TANUVAS (6) } # update request = noop (6) } # elsif (Aruba-Essid-Name) = noop (6) ... skipping elsif: Preceding "if" was taken (6) [updated] = updated (6) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) [pap] = noop (6) } # authorize = updated (6) WARNING: You set Proxy-To-Realm = local, but it is a LOCAL realm! Cancelling proxy request. (6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel (6) Post-Auth-Type REJECT { (6) policy packetfence-set-tenant-id { (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 1 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE (6) } # policy packetfence-set-tenant-id = noop (6) update { (6) &request:User-Password := "******" (6) } # update = noop (6) policy packetfence-audit-log-reject { (6) if (&User-Name && (&User-Name == "dummy")) { (6) if (&User-Name && (&User-Name == "dummy")) -> FALSE (6) else { (6) policy request-timing { (6) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) { (6) EXPAND %{%{control:PacketFence-Request-Time}:-0} (6) --> 0 (6) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) -> FALSE (6) } # policy request-timing = noop (6) sql_reject: EXPAND type.reject.query (6) sql_reject: --> type.reject.query (6) sql_reject: Using query template 'query' rlm_sql (sql): Reserved connection (1) (6) sql_reject: EXPAND %{User-Name} (6) sql_reject: --> MTP19003@tanuvas.edu.in (6) sql_reject: SQL-User-Name set to 'MTP19003@tanuvas.edu.in' (6) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id, radius_ip) VALUES ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}', '%{%{control:PacketFence-Switch-Mac}:-N/A}', '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}', '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}', '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject', '%{request:Module-Failure-Message}', '%{control:Auth-Type}', '%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}', '%{%{control:PacketFence-Status}:-N/A}', '%{%{control:PacketFence-Profile}:-N/A}', '%{%{control:PacketFence-Source}:-N/A}', '%{%{control:PacketFence-AutoReg}:-0}', '%{%{control:PacketFence-IsPhone}:-0}', '%{request:PacketFence-Domain}', '', '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', '%{%{control:PacketFence-Request-Time}:-0}', '%{control:PacketFence-Tenant-Id}', '%{request:PacketFence-Radius-Ip}') rlm_perl: oauth2 worker (tanuvas.edu.in): syncing in 27 seconds (6) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id, radius_ip) VALUES ( '70:66:55:fc:a6:f1', '', 'N/A', 'MTP19003@tanuvas.edu.in', 'MTP19003', 'tanuvas.edu.in', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '172.16.20.210', 'b8:3a:5a:c7:10:08', '70:66:55:fc:a6:f1', 'Wireless-802.11', 'TANUVAS', '', 'N/A', '0', 'N/A', '172.16.20.210', '172.16.20.101', 'Reject', 'No Auth-Type found: rejecting the user via Post-Auth-Type =3D Reject', '', 'TTLS', 'N/A', 'N/A', 'N/A', 'N/A', '0', '0', '', '', 'Stripped-User-Name =3D =22MTP19003=22, Calling-Station-Id =3D =2270:66:55:fc:a6:f1=22, Framed-MTU =3D 1100, NAS-Identifier =3D =22172.16.20.101=22, User-Name =3D =22MTP19003@tanuvas.edu.in=22, Service-Type =3D Framed-User, EAP-Type =3D TTLS, PacketFence-Outer-User =3D =22@tanuvas.edu.in=22, Aruba-Device-Type =3D =22NOFP=22, NAS-Port-Type =3D Wireless-802.11, FreeRADIUS-Proxied-To =3D 127.0.0.1, Event-Timestamp =3D =22Mar 16 2022 22:24:44 IST=22, NAS-Port =3D 0, PacketFence-Radius-Ip =3D =22172.16.11.10=22, PacketFence-KeyBalanced =3D =22676ae0f0be13d41f008250df0c25be53=22, NAS-IP-Address =3D 172.16.20.210, Aruba-Location-Id =3D =22CECONDS=22, Aruba-AP-Group =3D =22MVC_AcademicAP_VC=22, User-Password =3D =22=2A=2A=2A=2A=2A=2A=22, Realm =3D =22tanuvas.edu.in=22, Aruba-Essid-Name =3D =22TANUVAS=22, Called-Station-Id =3D =22b8:3a:5a:c7:10:08=22, Called-Station-SSID =3D =22TANUVAS=22, Module-Failure-Message =3D =22No Auth-Type found: rejecting the user via Post-Auth-Type =3D Reject=22, SQL-User-Name =3D = 22MTP19003@tanuvas.edu.in=22','', '0', '1', '172.16.11.10') (6) sql_reject: Executing query: INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id, radius_ip) VALUES ( '70:66:55:fc:a6:f1', '', 'N/A', 'MTP19003@tanuvas.edu.in', 'MTP19003', 'tanuvas.edu.in', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '172.16.20.210', 'b8:3a:5a:c7:10:08', '70:66:55:fc:a6:f1', 'Wireless-802.11', 'TANUVAS', '', 'N/A', '0', 'N/A', '172.16.20.210', '172.16.20.101', 'Reject', 'No Auth-Type found: rejecting the user via Post-Auth-Type =3D Reject', '', 'TTLS', 'N/A', 'N/A', 'N/A', 'N/A', '0', '0', '', '', 'Stripped-User-Name =3D =22MTP19003=22, Calling-Station-Id =3D =2270:66:55:fc:a6:f1=22, Framed-MTU =3D 1100, NAS-Identifier =3D =22172.16.20.101=22, User-Name =3D = 22MTP19003@tanuvas.edu.in=22, Service-Type =3D Framed-User, EAP-Type =3D TTLS, PacketFence-Outer-User =3D =22@tanuvas.edu.in=22, Aruba-Device-Type =3D =22NOFP=22, NAS-Port-Type =3D Wireless-802.11, FreeRADIUS-Proxied-To =3D 127.0.0.1, Event-Timestamp =3D =22Mar 16 2022 22:24:44 IST=22, NAS-Port =3D 0, PacketFence-Radius-Ip =3D =22172.16.11.10=22, PacketFence-KeyBalanced =3D =22676ae0f0be13d41f008250df0c25be53=22, NAS-IP-Address =3D 172.16.20.210, Aruba-Location-Id =3D =22CECONDS=22, Aruba-AP-Group =3D =22MVC_AcademicAP_VC=22, User-Password =3D =22=2A=2A=2A=2A=2A=2A=22, Realm =3D =22tanuvas.edu.in=22, Aruba-Essid-Name =3D =22TANUVAS=22, Called-Station-Id =3D =22b8:3a:5a:c7:10:08=22, Called-Station-SSID =3D =22TANUVAS=22, Module-Failure-Message =3D =22No Auth-Type found: rejecting the user via Post-Auth-Type =3D Reject=22, SQL-User-Name =3D =22MTP19003@tanuvas.edu.in=22','', '0', '1', '172.16.11.10') (6) sql_reject: SQL query returned: success (6) sql_reject: 1 record(s) updated rlm_sql (sql): Released connection (1) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (4), 1 of 60 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 10.5.15-MariaDB-1:10.5.15+maria~bullseye, protocol version 10 (6) [sql_reject] = ok (6) } # else = ok (6) } # policy packetfence-audit-log-reject = ok (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> MTP19003@tanuvas.edu.in (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) *&Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'* (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) *Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [MTP19003@tanuvas.edu.in <MTP19003@tanuvas.edu.in>] (from client 172.16.20.210/32 <http://172.16.20.210/32> port 0 cli 70:66:55:fc:a6:f1 via TLS tunnel)* (6) } # server packetfence-tunnel (6) Virtual server sending reply (6) eap_ttls: Got tunneled Access-Reject (6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 8 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (6) Post-Auth-Type REJECT { (6) policy packetfence-set-tenant-id { (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){ (6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") { (6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0} (6) --> 1 (6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE (6) if ( &control:PacketFence-Tenant-Id == 0 ) { (6) if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE (6) } # policy packetfence-set-tenant-id = noop (6) update { (6) &request:User-Password := "******" (6) } # update = noop (6) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) { (6) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE (6) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") { (6) EXPAND %{%{control:PacketFence-Proxied-From}:-False} (6) --> False (6) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> @tanuvas.edu.in (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) attr_filter.packetfence_post_auth: EXPAND %{User-Name} (6) attr_filter.packetfence_post_auth: --> @tanuvas.edu.in (6) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10 (6) [attr_filter.packetfence_post_auth] = updated (6) [eap] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (6) linelog: --> messages.Access-Reject (6) linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name} (6) linelog: --> [mac:70:66:55:fc:a6:f1] Rejected user: @tanuvas.edu.in (6) [linelog] = ok (6) } # Post-Auth-Type REJECT = updated (6) *Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [@tanuvas.edu.in <http://tanuvas.edu.in>] (from client 172.16.20.210/32 <http://172.16.20.210/32> port 0 cli 70:66:55:fc:a6:f1)* (6) Delaying response for 1.000000 seconds Thread 1 waiting to be assigned a request (0) Cleaning up request packet ID 61 with timestamp +42 (1) Cleaning up request packet ID 62 with timestamp +42 (2) Cleaning up request packet ID 63 with timestamp +42 (3) Cleaning up request packet ID 64 with timestamp +42 (4) Cleaning up request packet ID 65 with timestamp +42 (5) Cleaning up request packet ID 66 with timestamp +42 Waking up in 0.5 seconds. (6) Sending delayed response (6) Sent Access-Reject Id 67 from 172.16.11.10:1812 to 172.16.20.210:57049 length 44 (6) EAP-Message = 0x04080004 (6) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (6) Cleaning up request packet ID 67 with timestamp +44 Ready to process requests The user could not connect with his Azure AD credentials Can anyone help me to resovle the issue? Regards, Thirunavukkarasu
participants (1)
-
P.Thirunavukkarasu