Add TLS version to logs with linelog
Hi everyone This is my very first contact with the FreeRadius users mailing list, so please feel free to point me into the right direction about the interaction with this mailing list. Happy to learn how to use it correctly / efficiently. What I am trying to do and why I am trying to do it: I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions. I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick. *** What you expect the server to do: I would like to have a way to log the client TLS version used in /var/log/authz.log via the linelog module. At the moment, the linelog configuration (/etc/freeradius/3.0/mods-available/linelog) looks like this: linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}" sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" } } The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this: post-auth { update { &reply: += &session-state: } if (EAP-Message) { 802.1x_authz_log } Is there a way to print out the TLS version in the AuthZ part and if yes, how? freeradius -X: id-radiustest1:~# freeradius -X FreeRADIUS Version 3.0.26 Copyright (C) 1999-2021 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/control including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/control-socket main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } ... radiusd: #### Loading Clients #### ... Debugger not attached systemd watchdog is disabled # Creating Auth-Type = eap # Creating Auth-Type = mschap radiusd: #### Instantiating modules #### modules { # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_linelog # Loading module "802.1x_authz_log" from file /etc/freeradius/3.0/mods-enabled/linelog linelog 802.1x_authz_log { filename = "/var/log/freeradius/authz.log" escape_filenames = no syslog_severity = "info" permissions = 384 reference = "sp.%{%{reply:Packet-Type}:-format}" } # Loading module "acct_log" from file /etc/freeradius/3.0/mods-enabled/linelog linelog acct_log { filename = "/var/log/freeradius/acct.log" escape_filenames = no syslog_severity = "info" permissions = 384 format = "Something has gone wrong with the acct_log" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "PEAP" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 8192 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "802.1x_authz_log" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "acct_log" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "proxy-inner-tunnel" soh = no require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/server.key" certificate_file = "/etc/freeradius/3.0/certs/server.crt" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT@SECLEVEL=0" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.3" tls_min_version = "1.0" cache { enable = no lifetime = 12 name = "EAP module" max_entries = 0 persist_dir = "/var/log/freeradius/tlscache" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type eap for attr Auth-Type # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server default server proxy-inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel # Loading authenticate {...} Compiling Auth-Type mschap for attr Auth-Type # Loading authorize {...} } # server proxy-inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "control" listen { socket = "/var/run/freeradius/control/freeradius.sock" uid = "freerad" gid = "freerad" mode = "rw" peercred = no } Thanks a lot for any advice and best regards Dominic
On 17/04/2024 09:55, dominic.stalder@unibe.ch wrote:
I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions.
That seems like a good idea.
I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.
And slow down the server. Good choice not doing that.
linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}"
sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" } }
The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
post-auth { update { &reply: += &session-state: }
if (EAP-Message) { 802.1x_authz_log }
Is there a way to print out the TLS version in the AuthZ part and if yes, how?
You've got the right attribute, but the wrong list. (Add `debug_all` in the config to see what attributes are available in the debug output.) It's in the reply list (copied from the session-state list in the update section preceding your linelog call) so rather than `TLS=%{%{TLS-Client-Version}:-NULL}` you need `TLS=%{%{reply:TLS-Client-Version}:-NULL}`. -- Matthew
Hi Matthew Thanks a lot for your very quick reply, appreciate it. I found the following in the freeradius -X output: (10) update { (10) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 ... (10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' When I add those attributes to the linelog configuration, I get the correct values for the version and the ciphers: (10) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (10) 802.1x_authz_log: --> sp.Access-Accept (10) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (10) 802.1x_authz_log: --> Wed Apr 17 11:17:43 2024 : AuthZ: (39) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) BUT know the authentication fails, I was not yet able to understand why this happens now. Any idea; I will go on and compare the two debug outputs (BEFORE and AFTER I add the attributes to linelog)? Regards Dominic Am 17.04.24, 11:27 schrieb "Freeradius-Users im Auftrag von Matthew Newton via Freeradius-Users" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org>>: On 17/04/2024 09:55, dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch> wrote:
I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions.
That seems like a good idea.
I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.
And slow down the server. Good choice not doing that.
linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}"
sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" } }
The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
post-auth { update { &reply: += &session-state: }
if (EAP-Message) { 802.1x_authz_log }
Is there a way to print out the TLS version in the AuthZ part and if yes, how?
You've got the right attribute, but the wrong list. (Add `debug_all` in the config to see what attributes are available in the debug output.) It's in the reply list (copied from the session-state list in the update section preceding your linelog call) so rather than `TLS=%{%{TLS-Client-Version}:-NULL}` you need `TLS=%{%{reply:TLS-Client-Version}:-NULL}`. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On 17/04/2024 10:37, dominic.stalder@unibe.ch wrote:
When I add those attributes to the linelog configuration, I get the correct values for the version and the ciphers:
(10) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (10) 802.1x_authz_log: --> sp.Access-Accept (10) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (10) 802.1x_authz_log: --> Wed Apr 17 11:17:43 2024 : AuthZ: (39) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
BUT know the authentication fails, I was not yet able to understand why this happens now. Any idea; I will go on and compare the two debug outputs (BEFORE and AFTER I add the attributes to linelog)?
May be able to help if we could see the full debug output... otherwise we'll spend all week guessing. Altering linelog output shouldn't cause any issues unless something you've done in linelog causes that to fail (which will be in the debug output you've trimmed). -- Matthew
Hi Matthew Sorry about that. I did re-configure the linelog file (/etc/freeradius/3.0/mods-available/linelog) like this: linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}" sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" #Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] SID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})" } } And somehow (I really don't know why), it seems to work know: (11) Received Access-Request Id 55 from 130.92.42.20:56958 to 130.92.10.33:1812 length 443 (11) User-Name = "dominic.stalder@unibe.ch" (11) Service-Type = Framed-User (11) Cisco-AVPair = "service-type=Framed" (11) Framed-MTU = 1485 (11) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (11) Message-Authenticator = 0x694ebad2a4029567ecc08fd124414d26 (11) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (11) Cisco-AVPair = "method=dot1x" (11) Cisco-AVPair = "client-iif-id=2500003624" (11) Cisco-AVPair = "vlan-id=1876" (11) NAS-IP-Address = 130.92.42.20 (11) NAS-Port-Id = "capwap_9180059e" (11) NAS-Port-Type = Wireless-802.11 (11) NAS-Port = 4219 (11) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (11) Cisco-AVPair = "wlan-profile-name=eduroamV2" (11) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (11) Calling-Station-Id = "6a-05-bd-e0-f2-80" (11) Airespace-Wlan-Id = 98 (11) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11) authorize { (11) policy rewrite_called_station_id { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 3C-51-0E-72-2A-00 (11) &Called-Station-Id := 3C-51-0E-72-2A-00 (11) } # update request = noop (11) if ("%{8}") { (11) EXPAND %{8} (11) --> eduroam (11) if ("%{8}") -> TRUE (11) if ("%{8}") { (11) update request { (11) EXPAND %{8} (11) --> eduroam (11) &Called-Station-SSID := eduroam (11) } # update request = noop (11) } # if ("%{8}") = noop (11) [updated] = updated (11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_called_station_id = updated (11) policy rewrite_calling_station_id { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 6A-05-BD-E0-F2-80 (11) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (11) } # update request = noop (11) [updated] = updated (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_calling_station_id = updated (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = updated (11) } # policy filter_username = updated (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (11) suffix: Found realm "UNIBE.CH" (11) suffix: Adding Stripped-User-Name = "dominic.stalder" (11) suffix: Adding Realm = "UNIBE.CH" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) update request { (11) EXPAND %{toupper:%{Realm}} (11) --> UNIBE.CH (11) Realm := UNIBE.CH (11) } # update request = noop (11) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) policy deny_no_realm { (11) if (User-Name && (User-Name !~ /@/)) { (11) if (User-Name && (User-Name !~ /@/)) -> FALSE (11) } # policy deny_no_realm = updated (11) switch &control:Called-Station-SSID { (11) } # switch &control:Called-Station-SSID = updated (11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (11) eap: Peer sent EAP Response (code 2) ID 1 length 29 (11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) Auth-Type eap { (11) eap: Peer sent packet with method EAP Identity (1) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) Initiating new session (11) eap: Sending EAP Request (code 1) ID 2 length 6 (11) eap: EAP session adding &reply:State = 0x1de92fd31deb361c (11) [eap] = handled (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) EXPAND Response-Packet-Type (11) --> Access-Challenge (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) attr_filter.access_challenge: EXPAND %{User-Name} (11) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (11) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (11) [attr_filter.access_challenge.post-auth] = updated (11) [handled] = handled (11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (11) } # Auth-Type eap = handled (11) Using Post-Auth-Type Challenge (11) Post-Auth-Type sub-section not found. Ignoring. (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) session-state: Saving cached attributes (11) Framed-MTU = 1014 (11) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.20:56958 length 64 (11) EAP-Message = 0x010200061920 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x1de92fd31deb361c7d7fc55a3903ba57 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 63 from 130.92.42.20:56958 to 130.92.10.33:1812 length 593 (12) User-Name = "dominic.stalder@unibe.ch" (12) Service-Type = Framed-User (12) Cisco-AVPair = "service-type=Framed" (12) Framed-MTU = 1485 (12) EAP-Message = 0x020200a119800000009716030100920100008e0303661faab7c8f9e6c7d0b52b2ff41e68b74cec609bc8e752d9be7ef0bbfdb3d86600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (12) Message-Authenticator = 0xc7079924fb998ffe2063c4354d944773 (12) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (12) Cisco-AVPair = "method=dot1x" (12) Cisco-AVPair = "client-iif-id=2500003624" (12) Cisco-AVPair = "vlan-id=1876" (12) NAS-IP-Address = 130.92.42.20 (12) NAS-Port-Id = "capwap_9180059e" (12) NAS-Port-Type = Wireless-802.11 (12) NAS-Port = 4219 (12) State = 0x1de92fd31deb361c7d7fc55a3903ba57 (12) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (12) Cisco-AVPair = "wlan-profile-name=eduroamV2" (12) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (12) Calling-Station-Id = "6a-05-bd-e0-f2-80" (12) Airespace-Wlan-Id = 98 (12) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (12) Restoring &session-state (12) &session-state:Framed-MTU = 1014 (12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (12) authorize { (12) policy rewrite_called_station_id { (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12) update request { (12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (12) --> 3C-51-0E-72-2A-00 (12) &Called-Station-Id := 3C-51-0E-72-2A-00 (12) } # update request = noop (12) if ("%{8}") { (12) EXPAND %{8} (12) --> eduroam (12) if ("%{8}") -> TRUE (12) if ("%{8}") { (12) update request { (12) EXPAND %{8} (12) --> eduroam (12) &Called-Station-SSID := eduroam (12) } # update request = noop (12) } # if ("%{8}") = noop (12) [updated] = updated (12) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (12) ... skipping else: Preceding "if" was taken (12) } # policy rewrite_called_station_id = updated (12) policy rewrite_calling_station_id { (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12) update request { (12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (12) --> 6A-05-BD-E0-F2-80 (12) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (12) } # update request = noop (12) [updated] = updated (12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (12) ... skipping else: Preceding "if" was taken (12) } # policy rewrite_calling_station_id = updated (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = updated (12) } # policy filter_username = updated (12) suffix: Checking for suffix after "@" (12) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (12) suffix: Found realm "UNIBE.CH" (12) suffix: Adding Stripped-User-Name = "dominic.stalder" (12) suffix: Adding Realm = "UNIBE.CH" (12) suffix: Authentication realm is LOCAL (12) [suffix] = ok (12) update request { (12) EXPAND %{toupper:%{Realm}} (12) --> UNIBE.CH (12) Realm := UNIBE.CH (12) } # update request = noop (12) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (12) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (12) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (12) policy deny_no_realm { (12) if (User-Name && (User-Name !~ /@/)) { (12) if (User-Name && (User-Name !~ /@/)) -> FALSE (12) } # policy deny_no_realm = updated (12) switch &control:Called-Station-SSID { (12) } # switch &control:Called-Station-SSID = updated (12) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (12) eap: Peer sent EAP Response (code 2) ID 2 length 161 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) Auth-Type eap { (12) eap: Expiring EAP session with state 0x1de92fd31deb361c (12) eap: Finished EAP session with state 0x1de92fd31deb361c (12) eap: Previous EAP request found for state 0x1de92fd31deb361c, released from the list (12) eap: Peer sent packet with method EAP PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (12) eap_peap: (TLS) EAP Got all data (151 bytes) (12) eap_peap: (TLS) Handshake state - before SSL initialization (12) eap_peap: (TLS) Handshake state - Server before SSL initialization (12) eap_peap: (TLS) Handshake state - Server before SSL initialization (12) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello (12) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange (12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone (12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (12) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done (12) eap_peap: (TLS) In Handshake Phase (12) eap: Sending EAP Request (code 1) ID 3 length 1024 (12) eap: EAP session adding &reply:State = 0x1de92fd31cea361c (12) [eap] = handled (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) EXPAND Response-Packet-Type (12) --> Access-Challenge (12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (12) if (handled && (Response-Packet-Type == Access-Challenge)) { (12) attr_filter.access_challenge: EXPAND %{User-Name} (12) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (12) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (12) [attr_filter.access_challenge.post-auth] = updated (12) [handled] = handled (12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (12) } # Auth-Type eap = handled (12) Using Post-Auth-Type Challenge (12) Post-Auth-Type sub-section not found. Ignoring. (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) session-state: Saving cached attributes (12) Framed-MTU = 1014 (12) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (12) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1090 (12) EAP-Message = 0x0103040019c000000e28160303003d0200003903039593c2bffb75e41c6f75008fc939ee87ad9af380f3c4f4a2444f574e4752440100c030000011ff01000100000b000403000102001700001603030c860b000c82000c7f0006f0308206ec308205d4a003020102021003b3054211bcb9b12dfd56f8887e7bb5300d06092a864886f70d01010b0500305c310b300906035504061302555331163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f742043412032301e170d3233313130393030303030305a170d3234313130383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x1de92fd31cea361c7d7fc55a3903ba57 (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 71 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (13) User-Name = "dominic.stalder@unibe.ch" (13) Service-Type = Framed-User (13) Cisco-AVPair = "service-type=Framed" (13) Framed-MTU = 1485 (13) EAP-Message = 0x020300061900 (13) Message-Authenticator = 0x1ad7104e34710165cee7e703a1e285aa (13) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (13) Cisco-AVPair = "method=dot1x" (13) Cisco-AVPair = "client-iif-id=2500003624" (13) Cisco-AVPair = "vlan-id=1876" (13) NAS-IP-Address = 130.92.42.20 (13) NAS-Port-Id = "capwap_9180059e" (13) NAS-Port-Type = Wireless-802.11 (13) NAS-Port = 4219 (13) State = 0x1de92fd31cea361c7d7fc55a3903ba57 (13) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (13) Cisco-AVPair = "wlan-profile-name=eduroamV2" (13) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (13) Calling-Station-Id = "6a-05-bd-e0-f2-80" (13) Airespace-Wlan-Id = 98 (13) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (13) Restoring &session-state (13) &session-state:Framed-MTU = 1014 (13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) policy rewrite_called_station_id { (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (13) update request { (13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (13) --> 3C-51-0E-72-2A-00 (13) &Called-Station-Id := 3C-51-0E-72-2A-00 (13) } # update request = noop (13) if ("%{8}") { (13) EXPAND %{8} (13) --> eduroam (13) if ("%{8}") -> TRUE (13) if ("%{8}") { (13) update request { (13) EXPAND %{8} (13) --> eduroam (13) &Called-Station-SSID := eduroam (13) } # update request = noop (13) } # if ("%{8}") = noop (13) [updated] = updated (13) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (13) ... skipping else: Preceding "if" was taken (13) } # policy rewrite_called_station_id = updated (13) policy rewrite_calling_station_id { (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (13) update request { (13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (13) --> 6A-05-BD-E0-F2-80 (13) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (13) } # update request = noop (13) [updated] = updated (13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (13) ... skipping else: Preceding "if" was taken (13) } # policy rewrite_calling_station_id = updated (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = updated (13) } # policy filter_username = updated (13) suffix: Checking for suffix after "@" (13) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (13) suffix: Found realm "UNIBE.CH" (13) suffix: Adding Stripped-User-Name = "dominic.stalder" (13) suffix: Adding Realm = "UNIBE.CH" (13) suffix: Authentication realm is LOCAL (13) [suffix] = ok (13) update request { (13) EXPAND %{toupper:%{Realm}} (13) --> UNIBE.CH (13) Realm := UNIBE.CH (13) } # update request = noop (13) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (13) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (13) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (13) policy deny_no_realm { (13) if (User-Name && (User-Name !~ /@/)) { (13) if (User-Name && (User-Name !~ /@/)) -> FALSE (13) } # policy deny_no_realm = updated (13) switch &control:Called-Station-SSID { (13) } # switch &control:Called-Station-SSID = updated (13) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (13) eap: Peer sent EAP Response (code 2) ID 3 length 6 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) Auth-Type eap { (13) eap: Expiring EAP session with state 0x1de92fd31cea361c (13) eap: Finished EAP session with state 0x1de92fd31cea361c (13) eap: Previous EAP request found for state 0x1de92fd31cea361c, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: (TLS) Peer ACKed our handshake fragment (13) eap: Sending EAP Request (code 1) ID 4 length 1020 (13) eap: EAP session adding &reply:State = 0x1de92fd31fed361c (13) [eap] = handled (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) EXPAND Response-Packet-Type (13) --> Access-Challenge (13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (13) if (handled && (Response-Packet-Type == Access-Challenge)) { (13) attr_filter.access_challenge: EXPAND %{User-Name} (13) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (13) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (13) [attr_filter.access_challenge.post-auth] = updated (13) [handled] = handled (13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (13) } # Auth-Type eap = handled (13) Using Post-Auth-Type Challenge (13) Post-Auth-Type sub-section not found. Ignoring. (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) session-state: Saving cached attributes (13) Framed-MTU = 1014 (13) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (13) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086 (13) EAP-Message = 0x010403fc194061646973544c5349434151756f5661646973526f6f744341322e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727451756f5661646973544c5349434151756f5661646973526f6f744341322e637274300c0603551d130101ff040230003082017e060a2b06010401d6790204020482016e0482016a0168007700eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b0000018bb41da9d8000004030048304602210096f259c2ee2c8db6a8f0ffc4dd56ae730dad06cdd15a9bdad058f1eb74fcebed022100ec4750255a870fbb409ab15ff79aca8e3ca0bb1b214f94dab4ef9687a1e82fb900760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d884730000018bb41d (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x1de92fd31fed361c7d7fc55a3903ba57 (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 79 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (14) User-Name = "dominic.stalder@unibe.ch" (14) Service-Type = Framed-User (14) Cisco-AVPair = "service-type=Framed" (14) Framed-MTU = 1485 (14) EAP-Message = 0x020400061900 (14) Message-Authenticator = 0xf31f29575e431c5f2f8a42e9fd12c70a (14) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (14) Cisco-AVPair = "method=dot1x" (14) Cisco-AVPair = "client-iif-id=2500003624" (14) Cisco-AVPair = "vlan-id=1876" (14) NAS-IP-Address = 130.92.42.20 (14) NAS-Port-Id = "capwap_9180059e" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 4219 (14) State = 0x1de92fd31fed361c7d7fc55a3903ba57 (14) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (14) Cisco-AVPair = "wlan-profile-name=eduroamV2" (14) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (14) Calling-Station-Id = "6a-05-bd-e0-f2-80" (14) Airespace-Wlan-Id = 98 (14) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (14) Restoring &session-state (14) &session-state:Framed-MTU = 1014 (14) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy rewrite_called_station_id { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 3C-51-0E-72-2A-00 (14) &Called-Station-Id := 3C-51-0E-72-2A-00 (14) } # update request = noop (14) if ("%{8}") { (14) EXPAND %{8} (14) --> eduroam (14) if ("%{8}") -> TRUE (14) if ("%{8}") { (14) update request { (14) EXPAND %{8} (14) --> eduroam (14) &Called-Station-SSID := eduroam (14) } # update request = noop (14) } # if ("%{8}") = noop (14) [updated] = updated (14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_called_station_id = updated (14) policy rewrite_calling_station_id { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 6A-05-BD-E0-F2-80 (14) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (14) } # update request = noop (14) [updated] = updated (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_calling_station_id = updated (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = updated (14) } # policy filter_username = updated (14) suffix: Checking for suffix after "@" (14) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (14) suffix: Found realm "UNIBE.CH" (14) suffix: Adding Stripped-User-Name = "dominic.stalder" (14) suffix: Adding Realm = "UNIBE.CH" (14) suffix: Authentication realm is LOCAL (14) [suffix] = ok (14) update request { (14) EXPAND %{toupper:%{Realm}} (14) --> UNIBE.CH (14) Realm := UNIBE.CH (14) } # update request = noop (14) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) policy deny_no_realm { (14) if (User-Name && (User-Name !~ /@/)) { (14) if (User-Name && (User-Name !~ /@/)) -> FALSE (14) } # policy deny_no_realm = updated (14) switch &control:Called-Station-SSID { (14) } # switch &control:Called-Station-SSID = updated (14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (14) eap: Peer sent EAP Response (code 2) ID 4 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Auth-Type eap { (14) eap: Expiring EAP session with state 0x1de92fd31fed361c (14) eap: Finished EAP session with state 0x1de92fd31fed361c (14) eap: Previous EAP request found for state 0x1de92fd31fed361c, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: (TLS) Peer ACKed our handshake fragment (14) eap: Sending EAP Request (code 1) ID 5 length 1020 (14) eap: EAP session adding &reply:State = 0x1de92fd31eec361c (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) session-state: Saving cached attributes (14) Framed-MTU = 1014 (14) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (14) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086 (14) EAP-Message = 0x010503fc194031163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100c0276cfa8594d3ff27e084f9510e22adc882540fd8f499b54cbcc5b972f391772e189d184b507780746820ef2412d8cf26c4fd40b80087714fa2b7372e50b230e6fd4d52159fd7f6a740204fbc6b2b9ef3cfaaca04c0aacff4cc0782710db7d2c3bd4361c67e2bff6d60a99b67ed4d447a1371c375cb8feb080d0f6e136b285ff5eeecd4f4bb743a1c87c6bbb4e3449d3304a8cd0ac8d131252afbdb7942262839da4e8079d268c67c2ecbe68fd34f0bcb8c040f53f7b182deef3e7d4fd6a5c5caa877ee530d3fc5fee7cdd62d6030035d7f46f58d544349a7435d9a7c3352f33be3cec9d7a223c9bb023fbe528fb42146c1685cb8e89996197c9b39f013199902 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x1de92fd31eec361c7d7fc55a3903ba57 (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 87 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (15) User-Name = "dominic.stalder@unibe.ch" (15) Service-Type = Framed-User (15) Cisco-AVPair = "service-type=Framed" (15) Framed-MTU = 1485 (15) EAP-Message = 0x020500061900 (15) Message-Authenticator = 0xf18ed8d8c98adb93b8213140f59a8378 (15) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (15) Cisco-AVPair = "method=dot1x" (15) Cisco-AVPair = "client-iif-id=2500003624" (15) Cisco-AVPair = "vlan-id=1876" (15) NAS-IP-Address = 130.92.42.20 (15) NAS-Port-Id = "capwap_9180059e" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 4219 (15) State = 0x1de92fd31eec361c7d7fc55a3903ba57 (15) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (15) Cisco-AVPair = "wlan-profile-name=eduroamV2" (15) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (15) Calling-Station-Id = "6a-05-bd-e0-f2-80" (15) Airespace-Wlan-Id = 98 (15) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (15) Restoring &session-state (15) &session-state:Framed-MTU = 1014 (15) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15) authorize { (15) policy rewrite_called_station_id { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 3C-51-0E-72-2A-00 (15) &Called-Station-Id := 3C-51-0E-72-2A-00 (15) } # update request = noop (15) if ("%{8}") { (15) EXPAND %{8} (15) --> eduroam (15) if ("%{8}") -> TRUE (15) if ("%{8}") { (15) update request { (15) EXPAND %{8} (15) --> eduroam (15) &Called-Station-SSID := eduroam (15) } # update request = noop (15) } # if ("%{8}") = noop (15) [updated] = updated (15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_called_station_id = updated (15) policy rewrite_calling_station_id { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 6A-05-BD-E0-F2-80 (15) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (15) } # update request = noop (15) [updated] = updated (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_calling_station_id = updated (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = updated (15) } # policy filter_username = updated (15) suffix: Checking for suffix after "@" (15) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (15) suffix: Found realm "UNIBE.CH" (15) suffix: Adding Stripped-User-Name = "dominic.stalder" (15) suffix: Adding Realm = "UNIBE.CH" (15) suffix: Authentication realm is LOCAL (15) [suffix] = ok (15) update request { (15) EXPAND %{toupper:%{Realm}} (15) --> UNIBE.CH (15) Realm := UNIBE.CH (15) } # update request = noop (15) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) policy deny_no_realm { (15) if (User-Name && (User-Name !~ /@/)) { (15) if (User-Name && (User-Name !~ /@/)) -> FALSE (15) } # policy deny_no_realm = updated (15) switch &control:Called-Station-SSID { (15) } # switch &control:Called-Station-SSID = updated (15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (15) eap: Peer sent EAP Response (code 2) ID 5 length 6 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Auth-Type eap { (15) eap: Expiring EAP session with state 0x1de92fd31eec361c (15) eap: Finished EAP session with state 0x1de92fd31eec361c (15) eap: Previous EAP request found for state 0x1de92fd31eec361c, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: (TLS) Peer ACKed our handshake fragment (15) eap: Sending EAP Request (code 1) ID 6 length 588 (15) eap: EAP session adding &reply:State = 0x1de92fd319ef361c (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) session-state: Saving cached attributes (15) Framed-MTU = 1014 (15) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (15) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.20:56958 length 650 (15) EAP-Message = 0x0106024c190092dd4a3f6f4a476dce8054dcc67a57c7efffd02a530da7129206cf2d59743367135e3238837f3915851242955fc5b8517786f16d34b6872189b4e3e01005c5f9436cb4341721ddd33be24eaa920f8bd7f3f06b48f9c1de57460ad46f66e46a65c749cf786d0afadbc0812eae6da881a6a3e7dbc8aac3d8f3443ae4f1614e4c9f4f80f9c26e35d5d67994f3f07db48ec18f369b282e7b0d9178f3ca6dc74bd4f9d0b11385dbe0add5465a8a07ebdd590a7145f7d9deb1436636202d59496850bfdf3427f97f2b0989a6eec0f8d7444ce5e69cd0b5460ae57efc0e259c16227376bc8774a255010d721f9ec9160303014d0c0001490300174104e24dea9bac02fa89350a2a9907808663b23db0dcffb0c3942c4e3e768589e14a53ad8a938b48a08546b6adcc29bfa64a726170e0b8b2c2b499690ec9d5d59b300401010049a41dd7d2618931e2d16fa22e869397478ff177fc2301eef652e6042defcf82f60897df4af82c6bb00a12f52a239964f55de72b (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x1de92fd319ef361c7d7fc55a3903ba57 (15) Finished request Waking up in 4.9 seconds. (16) Received Access-Request Id 95 from 130.92.42.20:56958 to 130.92.10.33:1812 length 568 (16) User-Name = "dominic.stalder@unibe.ch" (16) Service-Type = Framed-User (16) Cisco-AVPair = "service-type=Framed" (16) Framed-MTU = 1485 (16) EAP-Message = 0x0206008819800000007e16030300461000004241044b18bc5103fb19b4b172d827bebc8fb6e5a89caa86ecd2d2af20d96592e46b5ede6df542983d8a4b7d178b59644148f098333e0333f58ba0bac27972d54d107014030300010116030300280eb44ab0540a84b463a92404ef78c91d26aa51ff96e86301c8d7ddbf9e12724aa933f1a64c868dea (16) Message-Authenticator = 0xdbfc267b0e764874e63c61f643fb722e (16) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (16) Cisco-AVPair = "method=dot1x" (16) Cisco-AVPair = "client-iif-id=2500003624" (16) Cisco-AVPair = "vlan-id=1876" (16) NAS-IP-Address = 130.92.42.20 (16) NAS-Port-Id = "capwap_9180059e" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 4219 (16) State = 0x1de92fd319ef361c7d7fc55a3903ba57 (16) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (16) Cisco-AVPair = "wlan-profile-name=eduroamV2" (16) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (16) Calling-Station-Id = "6a-05-bd-e0-f2-80" (16) Airespace-Wlan-Id = 98 (16) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (16) Restoring &session-state (16) &session-state:Framed-MTU = 1014 (16) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy rewrite_called_station_id { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 3C-51-0E-72-2A-00 (16) &Called-Station-Id := 3C-51-0E-72-2A-00 (16) } # update request = noop (16) if ("%{8}") { (16) EXPAND %{8} (16) --> eduroam (16) if ("%{8}") -> TRUE (16) if ("%{8}") { (16) update request { (16) EXPAND %{8} (16) --> eduroam (16) &Called-Station-SSID := eduroam (16) } # update request = noop (16) } # if ("%{8}") = noop (16) [updated] = updated (16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_called_station_id = updated (16) policy rewrite_calling_station_id { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 6A-05-BD-E0-F2-80 (16) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (16) } # update request = noop (16) [updated] = updated (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_calling_station_id = updated (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = updated (16) } # policy filter_username = updated (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (16) suffix: Found realm "UNIBE.CH" (16) suffix: Adding Stripped-User-Name = "dominic.stalder" (16) suffix: Adding Realm = "UNIBE.CH" (16) suffix: Authentication realm is LOCAL (16) [suffix] = ok (16) update request { (16) EXPAND %{toupper:%{Realm}} (16) --> UNIBE.CH (16) Realm := UNIBE.CH (16) } # update request = noop (16) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) policy deny_no_realm { (16) if (User-Name && (User-Name !~ /@/)) { (16) if (User-Name && (User-Name !~ /@/)) -> FALSE (16) } # policy deny_no_realm = updated (16) switch &control:Called-Station-SSID { (16) } # switch &control:Called-Station-SSID = updated (16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (16) eap: Peer sent EAP Response (code 2) ID 6 length 136 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Auth-Type eap { (16) eap: Expiring EAP session with state 0x1de92fd319ef361c (16) eap: Finished EAP session with state 0x1de92fd319ef361c (16) eap: Previous EAP request found for state 0x1de92fd319ef361c, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (16) eap_peap: (TLS) EAP Got all data (126 bytes) (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (16) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (16) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished (16) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (16) eap_peap: (TLS) send TLS 1.2 Handshake, Finished (16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (16) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (16) eap_peap: (TLS) Connection Established (16) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (16) eap_peap: TLS-Session-Version = "TLS 1.2" (16) eap: Sending EAP Request (code 1) ID 7 length 57 (16) eap: EAP session adding &reply:State = 0x1de92fd318ee361c (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) session-state: Saving cached attributes (16) Framed-MTU = 1014 (16) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (16) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (16) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (16) TLS-Session-Version = "TLS 1.2" (16) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.20:56958 length 115 (16) EAP-Message = 0x0107003919001403030001011603030028ee81289b38b966971e6a8bb4192ebcb8c0668f81a560a0e83c8f2f358c5048da4e4502dad8f52a42 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x1de92fd318ee361c7d7fc55a3903ba57 (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 103 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438 (17) User-Name = "dominic.stalder@unibe.ch" (17) Service-Type = Framed-User (17) Cisco-AVPair = "service-type=Framed" (17) Framed-MTU = 1485 (17) EAP-Message = 0x020700061900 (17) Message-Authenticator = 0x93382dc058a6fc411428994f06077c45 (17) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (17) Cisco-AVPair = "method=dot1x" (17) Cisco-AVPair = "client-iif-id=2500003624" (17) Cisco-AVPair = "vlan-id=1876" (17) NAS-IP-Address = 130.92.42.20 (17) NAS-Port-Id = "capwap_9180059e" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 4219 (17) State = 0x1de92fd318ee361c7d7fc55a3903ba57 (17) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (17) Cisco-AVPair = "wlan-profile-name=eduroamV2" (17) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (17) Calling-Station-Id = "6a-05-bd-e0-f2-80" (17) Airespace-Wlan-Id = 98 (17) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (17) Restoring &session-state (17) &session-state:Framed-MTU = 1014 (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (17) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) &session-state:TLS-Session-Version = "TLS 1.2" (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy rewrite_called_station_id { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 3C-51-0E-72-2A-00 (17) &Called-Station-Id := 3C-51-0E-72-2A-00 (17) } # update request = noop (17) if ("%{8}") { (17) EXPAND %{8} (17) --> eduroam (17) if ("%{8}") -> TRUE (17) if ("%{8}") { (17) update request { (17) EXPAND %{8} (17) --> eduroam (17) &Called-Station-SSID := eduroam (17) } # update request = noop (17) } # if ("%{8}") = noop (17) [updated] = updated (17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_called_station_id = updated (17) policy rewrite_calling_station_id { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 6A-05-BD-E0-F2-80 (17) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (17) } # update request = noop (17) [updated] = updated (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_calling_station_id = updated (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = updated (17) } # policy filter_username = updated (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (17) suffix: Found realm "UNIBE.CH" (17) suffix: Adding Stripped-User-Name = "dominic.stalder" (17) suffix: Adding Realm = "UNIBE.CH" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) update request { (17) EXPAND %{toupper:%{Realm}} (17) --> UNIBE.CH (17) Realm := UNIBE.CH (17) } # update request = noop (17) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) policy deny_no_realm { (17) if (User-Name && (User-Name !~ /@/)) { (17) if (User-Name && (User-Name !~ /@/)) -> FALSE (17) } # policy deny_no_realm = updated (17) switch &control:Called-Station-SSID { (17) } # switch &control:Called-Station-SSID = updated (17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (17) eap: Peer sent EAP Response (code 2) ID 7 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Auth-Type eap { (17) eap: Expiring EAP session with state 0x1de92fd318ee361c (17) eap: Finished EAP session with state 0x1de92fd318ee361c (17) eap: Previous EAP request found for state 0x1de92fd318ee361c, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state TUNNEL ESTABLISHED (17) eap: Sending EAP Request (code 1) ID 8 length 40 (17) eap: EAP session adding &reply:State = 0x1de92fd31be1361c (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> dominic.stalder@unibe.ch (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) session-state: Saving cached attributes (17) Framed-MTU = 1014 (17) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (17) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) TLS-Session-Version = "TLS 1.2" (17) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.20:56958 length 98 (17) EAP-Message = 0x010800281900170303001dee81289b38b966986346a9c5260f98ec8918724d9885a5054c41aac2f6 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x1de92fd31be1361c7d7fc55a3903ba57 (17) Finished request Waking up in 4.8 seconds. (18) Received Access-Request Id 111 from 130.92.42.20:56958 to 130.92.10.33:1812 length 492 (18) User-Name = "dominic.stalder@unibe.ch" (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Framed-MTU = 1485 (18) EAP-Message = 0x0208003c190017030300310eb44ab0540a84b5ba10d71cb3cafd821018d4f9504190b41636a547d19a561c7362bf3cc1b8af6ff924ab0511352a4b3b (18) Message-Authenticator = 0x852d8279186eef24f4927cf9cbb3522b (18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2500003624" (18) Cisco-AVPair = "vlan-id=1876" (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Id = "capwap_9180059e" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4219 (18) State = 0x1de92fd31be1361c7d7fc55a3903ba57 (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (18) Calling-Station-Id = "6a-05-bd-e0-f2-80" (18) Airespace-Wlan-Id = 98 (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Restoring &session-state (18) &session-state:Framed-MTU = 1014 (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) &session-state:TLS-Session-Version = "TLS 1.2" (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy rewrite_called_station_id { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 3C-51-0E-72-2A-00 (18) &Called-Station-Id := 3C-51-0E-72-2A-00 (18) } # update request = noop (18) if ("%{8}") { (18) EXPAND %{8} (18) --> eduroam (18) if ("%{8}") -> TRUE (18) if ("%{8}") { (18) update request { (18) EXPAND %{8} (18) --> eduroam (18) &Called-Station-SSID := eduroam (18) } # update request = noop (18) } # if ("%{8}") = noop (18) [updated] = updated (18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_called_station_id = updated (18) policy rewrite_calling_station_id { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 6A-05-BD-E0-F2-80 (18) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (18) } # update request = noop (18) [updated] = updated (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_calling_station_id = updated (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = updated (18) } # policy filter_username = updated (18) suffix: Checking for suffix after "@" (18) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (18) suffix: Found realm "UNIBE.CH" (18) suffix: Adding Stripped-User-Name = "dominic.stalder" (18) suffix: Adding Realm = "UNIBE.CH" (18) suffix: Authentication realm is LOCAL (18) [suffix] = ok (18) update request { (18) EXPAND %{toupper:%{Realm}} (18) --> UNIBE.CH (18) Realm := UNIBE.CH (18) } # update request = noop (18) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) policy deny_no_realm { (18) if (User-Name && (User-Name !~ /@/)) { (18) if (User-Name && (User-Name !~ /@/)) -> FALSE (18) } # policy deny_no_realm = updated (18) switch &control:Called-Station-SSID { (18) } # switch &control:Called-Station-SSID = updated (18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (18) eap: Peer sent EAP Response (code 2) ID 8 length 60 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Auth-Type eap { (18) eap: Expiring EAP session with state 0x1de92fd31be1361c (18) eap: Finished EAP session with state 0x1de92fd31be1361c (18) eap: Previous EAP request found for state 0x1de92fd31be1361c, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: (TLS) EAP Done initial handshake (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state WAITING FOR INNER IDENTITY (18) eap_peap: Identity - dominic.stalder@unibe.ch (18) eap_peap: Got inner identity 'dominic.stalder@unibe.ch' (18) eap_peap: Setting default EAP type for tunneled EAP session (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (18) eap_peap: Sending tunneled request to proxy-inner-tunnel (18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "dominic.stalder@unibe.ch" (18) eap_peap: Service-Type = Framed-User (18) eap_peap: Cisco-AVPair = "service-type=Framed" (18) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) eap_peap: Cisco-AVPair = "method=dot1x" (18) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (18) eap_peap: Cisco-AVPair = "vlan-id=1876" (18) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) eap_peap: Framed-MTU = 1485 (18) eap_peap: NAS-IP-Address = 130.92.42.20 (18) eap_peap: NAS-Port-Id = "capwap_9180059e" (18) eap_peap: NAS-Port-Type = Wireless-802.11 (18) eap_peap: NAS-Port = 4219 (18) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (18) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) eap_peap: Airespace-Wlan-Id = 98 (18) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Virtual server proxy-inner-tunnel received request (18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "dominic.stalder@unibe.ch" (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2500003624" (18) Cisco-AVPair = "vlan-id=1876" (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroamV2" (18) Framed-MTU = 1485 (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Id = "capwap_9180059e" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4219 (18) Called-Station-Id := "3C-51-0E-72-2A-00" (18) Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) Airespace-Wlan-Id = 98 (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server proxy-inner-tunnel { (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (18) authorize { (18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (18) if (!NAS-Port-Type){ (18) if (!NAS-Port-Type) -> FALSE (18) update control { (18) &Proxy-To-Realm := NPS-DEV (18) } # update control = noop (18) } # authorize = noop (18) } # server proxy-inner-tunnel (18) Virtual server sending reply (18) eap_peap: Got tunneled reply code 0 (18) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (18) eap: WARNING: Tunneled session will be proxied. Not doing EAP (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (18) } # Auth-Type eap = handled (18) Starting proxy to home server 130.92.14.27 port 1812 (18) server default { (18) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (18) pre-proxy { (18) attr_filter.pre-proxy: EXPAND %{Realm} (18) attr_filter.pre-proxy: --> UNIBE.CH (18) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (18) [attr_filter.pre-proxy] = updated (18) } # pre-proxy = updated (18) } (18) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (18) Sent Access-Request Id 3 from 0.0.0.0:41351 to 130.92.14.27:1812 length 188 (18) Operator-Name := "1unibe.ch" (18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368 (18) User-Name = "dominic.stalder@unibe.ch" (18) NAS-IP-Address = 130.92.42.20 (18) NAS-Port-Type = Wireless-802.11 (18) Called-Station-Id := "3C-51-0E-72-2A-00" (18) Calling-Station-Id := "6A-05-BD-E0-F2-80" (18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (18) Message-Authenticator = 0x (18) Proxy-State = 0x313131 Waking up in 0.3 seconds. (18) Clearing existing &reply: attributes (18) Received Access-Challenge Id 3 from 130.92.14.27:1812 to 130.92.10.33:41351 length 128 (18) Proxy-State = 0x313131 (18) Session-Timeout = 60 (18) EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632 (18) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (18) Message-Authenticator = 0x6010087d40d157005d3540778ed46280 (18) server default { (18) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (18) post-proxy { (18) attr_filter.post-proxy: EXPAND %{Realm} (18) attr_filter.post-proxy: --> UNIBE.CH (18) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (18) [attr_filter.post-proxy] = updated (18) eap: Doing post-proxy callback (18) eap: Passing reply from proxy back into the tunnel (18) eap: Got tunneled reply RADIUS code 11 (18) eap: Tunnel-Type := VLAN (18) eap: Tunnel-Medium-Type := IEEE-802 (18) eap: Proxy-State = 0x313131 (18) eap: EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632 (18) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (18) eap: Message-Authenticator = 0x6010087d40d157005d3540778ed46280 (18) eap: Got tunneled Access-Challenge (18) eap: Reply was handled (18) eap: Sending EAP Request (code 1) ID 9 length 70 (18) eap: EAP session adding &reply:State = 0x1de92fd31ae0361c (18) [eap] = ok (18) } # post-proxy = updated (18) } (18) session-state: Saving cached attributes (18) Framed-MTU = 1014 (18) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (18) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (18) TLS-Session-Version = "TLS 1.2" (18) Using Post-Auth-Type Challenge (18) Post-Auth-Type sub-section not found. Ignoring. (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Sent Access-Challenge Id 111 from 130.92.10.33:1812 to 130.92.42.20:56958 length 128 (18) EAP-Message = 0x010900461900170303003bee81289b38b96699838bacf9ab8471d9a0c0522c8f7b32d458a0fded96c04c4a3ee53c690abbbdd4ab41013b7988b57e521af8dc7bcd467b297af9 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x1de92fd31ae0361c7d7fc55a3903ba57 (18) Finished request Waking up in 4.8 seconds. (19) Received Access-Request Id 119 from 130.92.42.20:56958 to 130.92.10.33:1812 length 546 (19) User-Name = "dominic.stalder@unibe.ch" (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Framed-MTU = 1485 (19) EAP-Message = 0x02090072190017030300670eb44ab0540a84b6c847c1e4cd47b9f36e37fc528705aed180287420c6730fc360d9458c0c4df8b8eccc6529f567f80b13cffefbfcaa6155a88b3ceb96c7958abf1e8b86ec337c25d154d8ab4915b9daebdcf7b1ac0fa7c2ffbfee5c6b880cbc458625358dfc7c (19) Message-Authenticator = 0xb41636b5706cfcd2a98e05828ea1a1e0 (19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2500003624" (19) Cisco-AVPair = "vlan-id=1876" (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Id = "capwap_9180059e" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4219 (19) State = 0x1de92fd31ae0361c7d7fc55a3903ba57 (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (19) Calling-Station-Id = "6a-05-bd-e0-f2-80" (19) Airespace-Wlan-Id = 98 (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Restoring &session-state (19) &session-state:Framed-MTU = 1014 (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) &session-state:TLS-Session-Version = "TLS 1.2" (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy rewrite_called_station_id { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 3C-51-0E-72-2A-00 (19) &Called-Station-Id := 3C-51-0E-72-2A-00 (19) } # update request = noop (19) if ("%{8}") { (19) EXPAND %{8} (19) --> eduroam (19) if ("%{8}") -> TRUE (19) if ("%{8}") { (19) update request { (19) EXPAND %{8} (19) --> eduroam (19) &Called-Station-SSID := eduroam (19) } # update request = noop (19) } # if ("%{8}") = noop (19) [updated] = updated (19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_called_station_id = updated (19) policy rewrite_calling_station_id { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 6A-05-BD-E0-F2-80 (19) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (19) } # update request = noop (19) [updated] = updated (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_calling_station_id = updated (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = updated (19) } # policy filter_username = updated (19) suffix: Checking for suffix after "@" (19) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (19) suffix: Found realm "UNIBE.CH" (19) suffix: Adding Stripped-User-Name = "dominic.stalder" (19) suffix: Adding Realm = "UNIBE.CH" (19) suffix: Authentication realm is LOCAL (19) [suffix] = ok (19) update request { (19) EXPAND %{toupper:%{Realm}} (19) --> UNIBE.CH (19) Realm := UNIBE.CH (19) } # update request = noop (19) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) policy deny_no_realm { (19) if (User-Name && (User-Name !~ /@/)) { (19) if (User-Name && (User-Name !~ /@/)) -> FALSE (19) } # policy deny_no_realm = updated (19) switch &control:Called-Station-SSID { (19) } # switch &control:Called-Station-SSID = updated (19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (19) eap: Peer sent EAP Response (code 2) ID 9 length 114 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Auth-Type eap { (19) eap: Expiring EAP session with state 0x1de92fd31ae0361c (19) eap: Finished EAP session with state 0x1de92fd31ae0361c (19) eap: Previous EAP request found for state 0x1de92fd31ae0361c, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: (TLS) EAP Done initial handshake (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state phase2 (19) eap_peap: EAP method MSCHAPv2 (26) (19) eap_peap: Got tunneled request (19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (19) eap_peap: Sending tunneled request to proxy-inner-tunnel (19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (19) eap_peap: User-Name = "dominic.stalder@unibe.ch" (19) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) eap_peap: Service-Type = Framed-User (19) eap_peap: Cisco-AVPair = "service-type=Framed" (19) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) eap_peap: Cisco-AVPair = "method=dot1x" (19) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (19) eap_peap: Cisco-AVPair = "vlan-id=1876" (19) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) eap_peap: Framed-MTU = 1485 (19) eap_peap: NAS-IP-Address = 130.92.42.20 (19) eap_peap: NAS-Port-Id = "capwap_9180059e" (19) eap_peap: NAS-Port-Type = Wireless-802.11 (19) eap_peap: NAS-Port = 4219 (19) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (19) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) eap_peap: Airespace-Wlan-Id = 98 (19) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Virtual server proxy-inner-tunnel received request (19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) FreeRADIUS-Proxied-To = 127.0.0.1 (19) User-Name = "dominic.stalder@unibe.ch" (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2500003624" (19) Cisco-AVPair = "vlan-id=1876" (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroamV2" (19) Framed-MTU = 1485 (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Id = "capwap_9180059e" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4219 (19) Called-Station-Id := "3C-51-0E-72-2A-00" (19) Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) Airespace-Wlan-Id = 98 (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) WARNING: Outer and inner identities are the same. User privacy is compromised. (19) server proxy-inner-tunnel { (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (19) authorize { (19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (19) if (!NAS-Port-Type){ (19) if (!NAS-Port-Type) -> FALSE (19) update control { (19) &Proxy-To-Realm := NPS-DEV (19) } # update control = noop (19) } # authorize = noop (19) } # server proxy-inner-tunnel (19) Virtual server sending reply (19) eap_peap: Got tunneled reply code 0 (19) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (19) eap: WARNING: Tunneled session will be proxied. Not doing EAP (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (19) } # Auth-Type eap = handled (19) Starting proxy to home server 130.92.14.27 port 1812 (19) server default { (19) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (19) pre-proxy { (19) attr_filter.pre-proxy: EXPAND %{Realm} (19) attr_filter.pre-proxy: --> UNIBE.CH (19) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (19) [attr_filter.pre-proxy] = updated (19) } # pre-proxy = updated (19) } (19) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (19) Sent Access-Request Id 80 from 0.0.0.0:41351 to 130.92.14.27:1812 length 280 (19) Operator-Name := "1unibe.ch" (19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368 (19) User-Name = "dominic.stalder@unibe.ch" (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) NAS-IP-Address = 130.92.42.20 (19) NAS-Port-Type = Wireless-802.11 (19) Called-Station-Id := "3C-51-0E-72-2A-00" (19) Calling-Station-Id := "6A-05-BD-E0-F2-80" (19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (19) Message-Authenticator = 0x (19) Proxy-State = 0x313139 Waking up in 0.3 seconds. (19) Clearing existing &reply: attributes (19) Received Access-Challenge Id 80 from 130.92.14.27:1812 to 130.92.10.33:41351 length 140 (19) Proxy-State = 0x313139 (19) Session-Timeout = 60 (19) EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063 (19) server default { (19) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (19) post-proxy { (19) attr_filter.post-proxy: EXPAND %{Realm} (19) attr_filter.post-proxy: --> UNIBE.CH (19) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (19) [attr_filter.post-proxy] = updated (19) eap: Doing post-proxy callback (19) eap: Passing reply from proxy back into the tunnel (19) eap: Got tunneled reply RADIUS code 11 (19) eap: Tunnel-Type := VLAN (19) eap: Tunnel-Medium-Type := IEEE-802 (19) eap: Proxy-State = 0x313139 (19) eap: EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (19) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (19) eap: Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063 (19) eap: Got tunneled Access-Challenge (19) eap: Reply was handled (19) eap: Sending EAP Request (code 1) ID 10 length 82 (19) eap: EAP session adding &reply:State = 0x1de92fd315e3361c (19) [eap] = ok (19) } # post-proxy = updated (19) } (19) session-state: Saving cached attributes (19) Framed-MTU = 1014 (19) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (19) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (19) TLS-Session-Version = "TLS 1.2" (19) Using Post-Auth-Type Challenge (19) Post-Auth-Type sub-section not found. Ignoring. (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Sent Access-Challenge Id 119 from 130.92.10.33:1812 to 130.92.42.20:56958 length 140 (19) EAP-Message = 0x010a005219001703030047ee81289b38b9669adba1fab65405736dbbfcb27f2717a52264a47659030722d29939aea776b86fec481bda6d4c07a1e792afe6d888bca68031b6b939f2c2be7faeef6adc05a6e3 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x1de92fd315e3361c7d7fc55a3903ba57 (19) Finished request Waking up in 4.8 seconds. (20) Received Access-Request Id 127 from 130.92.42.20:56958 to 130.92.10.33:1812 length 469 (20) User-Name = "dominic.stalder@unibe.ch" (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Framed-MTU = 1485 (20) EAP-Message = 0x020a00251900170303001a0eb44ab0540a84b7c31a7ba33522878ffe2eeebc82ccb08cf952 (20) Message-Authenticator = 0xbad5ba1b57de86e7ebe12ecfcafd37ea (20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2500003624" (20) Cisco-AVPair = "vlan-id=1876" (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Id = "capwap_9180059e" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4219 (20) State = 0x1de92fd315e3361c7d7fc55a3903ba57 (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (20) Calling-Station-Id = "6a-05-bd-e0-f2-80" (20) Airespace-Wlan-Id = 98 (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Restoring &session-state (20) &session-state:Framed-MTU = 1014 (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) &session-state:TLS-Session-Version = "TLS 1.2" (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy rewrite_called_station_id { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 3C-51-0E-72-2A-00 (20) &Called-Station-Id := 3C-51-0E-72-2A-00 (20) } # update request = noop (20) if ("%{8}") { (20) EXPAND %{8} (20) --> eduroam (20) if ("%{8}") -> TRUE (20) if ("%{8}") { (20) update request { (20) EXPAND %{8} (20) --> eduroam (20) &Called-Station-SSID := eduroam (20) } # update request = noop (20) } # if ("%{8}") = noop (20) [updated] = updated (20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_called_station_id = updated (20) policy rewrite_calling_station_id { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 6A-05-BD-E0-F2-80 (20) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (20) } # update request = noop (20) [updated] = updated (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_calling_station_id = updated (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = updated (20) } # policy filter_username = updated (20) suffix: Checking for suffix after "@" (20) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (20) suffix: Found realm "UNIBE.CH" (20) suffix: Adding Stripped-User-Name = "dominic.stalder" (20) suffix: Adding Realm = "UNIBE.CH" (20) suffix: Authentication realm is LOCAL (20) [suffix] = ok (20) update request { (20) EXPAND %{toupper:%{Realm}} (20) --> UNIBE.CH (20) Realm := UNIBE.CH (20) } # update request = noop (20) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) policy deny_no_realm { (20) if (User-Name && (User-Name !~ /@/)) { (20) if (User-Name && (User-Name !~ /@/)) -> FALSE (20) } # policy deny_no_realm = updated (20) switch &control:Called-Station-SSID { (20) } # switch &control:Called-Station-SSID = updated (20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (20) eap: Peer sent EAP Response (code 2) ID 10 length 37 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Auth-Type eap { (20) eap: Expiring EAP session with state 0x1de92fd315e3361c (20) eap: Finished EAP session with state 0x1de92fd315e3361c (20) eap: Previous EAP request found for state 0x1de92fd315e3361c, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: (TLS) EAP Done initial handshake (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state phase2 (20) eap_peap: EAP method MSCHAPv2 (26) (20) eap_peap: Got tunneled request (20) eap_peap: EAP-Message = 0x020a00061a03 (20) eap_peap: Setting User-Name to dominic.stalder@unibe.ch (20) eap_peap: Sending tunneled request to proxy-inner-tunnel (20) eap_peap: EAP-Message = 0x020a00061a03 (20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (20) eap_peap: User-Name = "dominic.stalder@unibe.ch" (20) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) eap_peap: Service-Type = Framed-User (20) eap_peap: Cisco-AVPair = "service-type=Framed" (20) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) eap_peap: Cisco-AVPair = "method=dot1x" (20) eap_peap: Cisco-AVPair = "client-iif-id=2500003624" (20) eap_peap: Cisco-AVPair = "vlan-id=1876" (20) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) eap_peap: Framed-MTU = 1485 (20) eap_peap: NAS-IP-Address = 130.92.42.20 (20) eap_peap: NAS-Port-Id = "capwap_9180059e" (20) eap_peap: NAS-Port-Type = Wireless-802.11 (20) eap_peap: NAS-Port = 4219 (20) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00" (20) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) eap_peap: Airespace-Wlan-Id = 98 (20) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Virtual server proxy-inner-tunnel received request (20) EAP-Message = 0x020a00061a03 (20) FreeRADIUS-Proxied-To = 127.0.0.1 (20) User-Name = "dominic.stalder@unibe.ch" (20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2500003624" (20) Cisco-AVPair = "vlan-id=1876" (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroamV2" (20) Framed-MTU = 1485 (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Id = "capwap_9180059e" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4219 (20) Called-Station-Id := "3C-51-0E-72-2A-00" (20) Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) Airespace-Wlan-Id = 98 (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) WARNING: Outer and inner identities are the same. User privacy is compromised. (20) server proxy-inner-tunnel { (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel (20) authorize { (20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){ (20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){ (20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE (20) if (!NAS-Port-Type){ (20) if (!NAS-Port-Type) -> FALSE (20) update control { (20) &Proxy-To-Realm := NPS-DEV (20) } # update control = noop (20) } # authorize = noop (20) } # server proxy-inner-tunnel (20) Virtual server sending reply (20) eap_peap: Got tunneled reply code 0 (20) eap_peap: Tunnelled authentication will be proxied to NPS-DEV (20) eap: WARNING: Tunneled session will be proxied. Not doing EAP (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (20) } # Auth-Type eap = handled (20) Starting proxy to home server 130.92.14.27 port 1812 (20) server default { (20) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default (20) pre-proxy { (20) attr_filter.pre-proxy: EXPAND %{Realm} (20) attr_filter.pre-proxy: --> UNIBE.CH (20) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (20) [attr_filter.pre-proxy] = updated (20) } # pre-proxy = updated (20) } (20) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (20) Sent Access-Request Id 107 from 0.0.0.0:41351 to 130.92.14.27:1812 length 203 (20) Operator-Name := "1unibe.ch" (20) EAP-Message = 0x020a00061a03 (20) User-Name = "dominic.stalder@unibe.ch" (20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139 (20) NAS-IP-Address = 130.92.42.20 (20) NAS-Port-Type = Wireless-802.11 (20) Called-Station-Id := "3C-51-0E-72-2A-00" (20) Calling-Station-Id := "6A-05-BD-E0-F2-80" (20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (20) Message-Authenticator = 0x (20) Proxy-State = 0x313237 Waking up in 0.3 seconds. (20) Clearing existing &reply: attributes (20) Received Access-Accept Id 107 from 130.92.14.27:1812 to 130.92.10.33:41351 length 289 (20) Proxy-State = 0x313237 (20) Class = "staff" (20) Filter-Id = "staff" (20) Framed-Protocol = PPP (20) Service-Type = Framed-User (20) Tunnel-Medium-Type:0 = IEEE-802 (20) Tunnel-Private-Group-Id:0 = "1874" (20) Tunnel-Type:0 = VLAN (20) EAP-Message = 0x030a0004 (20) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (20) MS-CHAP-Domain = "\001CAMPUS" (20) MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0 (20) MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae (20) MS-CHAP2-Success = 0x01533d31304136344538394431443745423543444337394130373934343732333343414144393842353734 (20) Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af (20) server default { (20) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (20) post-proxy { (20) attr_filter.post-proxy: EXPAND %{Realm} (20) attr_filter.post-proxy: --> UNIBE.CH (20) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121 (20) [attr_filter.post-proxy] = updated (20) eap: Doing post-proxy callback (20) eap: Passing reply from proxy back into the tunnel (20) eap: Got tunneled reply RADIUS code 2 (20) eap: Tunnel-Type := VLAN (20) eap: Tunnel-Medium-Type := IEEE-802 (20) eap: Proxy-State = 0x313237 (20) eap: Class = "staff" (20) eap: Filter-Id = "staff" (20) eap: Tunnel-Private-Group-Id:0 = "1874" (20) eap: EAP-Message = 0x030a0004 (20) eap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (20) eap: MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0 (20) eap: MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae (20) eap: Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af (20) eap: Tunneled authentication was successful (20) eap: SUCCESS (20) eap: Saving tunneled attributes for later (20) eap: Reply was handled (20) eap: Sending EAP Request (code 1) ID 11 length 46 (20) eap: EAP session adding &reply:State = 0x1de92fd314e2361c (20) [eap] = ok (20) } # post-proxy = updated (20) } (20) session-state: Saving cached attributes (20) Framed-MTU = 1014 (20) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (20) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Using Post-Auth-Type Challenge (20) Post-Auth-Type sub-section not found. Ignoring. (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Sent Access-Challenge Id 127 from 130.92.10.33:1812 to 130.92.42.20:56958 length 104 (20) EAP-Message = 0x010b002e19001703030023ee81289b38b9669bfa1166346ea479e73ee4d39cc73b0e97a63d2f4face2bc55c99f2f (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x1de92fd314e2361c7d7fc55a3903ba57 (20) Finished request Waking up in 4.8 seconds. (21) Received Access-Request Id 135 from 130.92.42.20:56958 to 130.92.10.33:1812 length 478 (21) User-Name = "dominic.stalder@unibe.ch" (21) Service-Type = Framed-User (21) Cisco-AVPair = "service-type=Framed" (21) Framed-MTU = 1485 (21) EAP-Message = 0x020b002e190017030300230eb44ab0540a84b8149c5ba395783899c1e875d9932d9debabc348893b31b12bd0f358 (21) Message-Authenticator = 0x3f983eae845159512b2c2a6dcc8a6e62 (21) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0" (21) Cisco-AVPair = "method=dot1x" (21) Cisco-AVPair = "client-iif-id=2500003624" (21) Cisco-AVPair = "vlan-id=1876" (21) NAS-IP-Address = 130.92.42.20 (21) NAS-Port-Id = "capwap_9180059e" (21) NAS-Port-Type = Wireless-802.11 (21) NAS-Port = 4219 (21) State = 0x1de92fd314e2361c7d7fc55a3903ba57 (21) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (21) Cisco-AVPair = "wlan-profile-name=eduroamV2" (21) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam" (21) Calling-Station-Id = "6a-05-bd-e0-f2-80" (21) Airespace-Wlan-Id = 98 (21) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam" (21) Restoring &session-state (21) &session-state:Framed-MTU = 1014 (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy rewrite_called_station_id { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 3C-51-0E-72-2A-00 (21) &Called-Station-Id := 3C-51-0E-72-2A-00 (21) } # update request = noop (21) if ("%{8}") { (21) EXPAND %{8} (21) --> eduroam (21) if ("%{8}") -> TRUE (21) if ("%{8}") { (21) update request { (21) EXPAND %{8} (21) --> eduroam (21) &Called-Station-SSID := eduroam (21) } # update request = noop (21) } # if ("%{8}") = noop (21) [updated] = updated (21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_called_station_id = updated (21) policy rewrite_calling_station_id { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 6A-05-BD-E0-F2-80 (21) &Calling-Station-Id := 6A-05-BD-E0-F2-80 (21) } # update request = noop (21) [updated] = updated (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_calling_station_id = updated (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = updated (21) } # policy filter_username = updated (21) suffix: Checking for suffix after "@" (21) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder@unibe.ch" (21) suffix: Found realm "UNIBE.CH" (21) suffix: Adding Stripped-User-Name = "dominic.stalder" (21) suffix: Adding Realm = "UNIBE.CH" (21) suffix: Authentication realm is LOCAL (21) [suffix] = ok (21) update request { (21) EXPAND %{toupper:%{Realm}} (21) --> UNIBE.CH (21) Realm := UNIBE.CH (21) } # update request = noop (21) if (NAS-Port-Type =~ /Wireless-802\.11/i){ (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) policy deny_no_realm { (21) if (User-Name && (User-Name !~ /@/)) { (21) if (User-Name && (User-Name !~ /@/)) -> FALSE (21) } # policy deny_no_realm = updated (21) switch &control:Called-Station-SSID { (21) } # switch &control:Called-Station-SSID = updated (21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated (21) eap: Peer sent EAP Response (code 2) ID 11 length 46 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Auth-Type eap { (21) eap: Expiring EAP session with state 0x1de92fd314e2361c (21) eap: Finished EAP session with state 0x1de92fd314e2361c (21) eap: Previous EAP request found for state 0x1de92fd314e2361c, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: (TLS) EAP Done initial handshake (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state send tlv success (21) eap_peap: Received EAP-TLV response (21) eap_peap: Success (21) eap_peap: Using saved attributes from the original Access-Accept (21) eap_peap: Tunnel-Type := VLAN (21) eap_peap: Tunnel-Medium-Type := IEEE-802 (21) eap_peap: Class = "staff" (21) eap_peap: Filter-Id = "staff" (21) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (21) eap_peap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (21) eap: Sending EAP Success (code 3) ID 11 length 4 (21) eap: Freeing handler (21) [eap] = ok (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (21) } # Auth-Type eap = ok (21) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (21) post-auth { (21) update { (21) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (21) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (21) } # update = noop (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (21) 802.1x_authz_log: --> sp.Access-Accept (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (21) 802.1x_authz_log: --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log (21) 802.1x_authz_log: --> /var/log/freeradius/authz.log (21) [802.1x_authz_log] = ok (21) } # if (EAP-Message) = ok (21) policy remove_reply_message_if_eap { (21) if (&reply:EAP-Message && &reply:Reply-Message) { (21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (21) else { (21) [noop] = noop (21) } # else = noop (21) } # policy remove_reply_message_if_eap = noop (21) } # post-auth = ok (21) Login OK: [dominic.stalder@unibe.ch] (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) Sent Access-Accept Id 135 from 130.92.10.33:1812 to 130.92.42.20:56958 length 270 (21) Tunnel-Type := VLAN (21) Tunnel-Medium-Type := IEEE-802 (21) Class = "staff" (21) Filter-Id = "staff" (21) Tunnel-Private-Group-Id:0 = "1874" (21) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374" (21) MS-MPPE-Recv-Key = 0x683a26deb424ef81dda94ff52b54b2a7025ac4e6e5b331f264948cdcd9c529a3 (21) MS-MPPE-Send-Key = 0x5e2a7f4ec95429b176dd4235ea7c5ab7beecd50d27ed463169c0cd1fc751e3f6 (21) EAP-Message = 0x030b0004 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) User-Name = "dominic.stalder@unibe.ch" (21) Framed-MTU += 1014 (21) Finished request Waking up in 4.8 seconds. (11) Cleaning up request packet ID 55 with timestamp +32 due to cleanup_delay was reached (12) Cleaning up request packet ID 63 with timestamp +32 due to cleanup_delay was reached (13) Cleaning up request packet ID 71 with timestamp +32 due to cleanup_delay was reached (14) Cleaning up request packet ID 79 with timestamp +32 due to cleanup_delay was reached (15) Cleaning up request packet ID 87 with timestamp +32 due to cleanup_delay was reached (16) Cleaning up request packet ID 95 with timestamp +32 due to cleanup_delay was reached (17) Cleaning up request packet ID 103 with timestamp +32 due to cleanup_delay was reached (18) Cleaning up request packet ID 111 with timestamp +32 due to cleanup_delay was reached (19) Cleaning up request packet ID 119 with timestamp +32 due to cleanup_delay was reached (20) Cleaning up request packet ID 127 with timestamp +32 due to cleanup_delay was reached (21) Cleaning up request packet ID 135 with timestamp +32 due to cleanup_delay was reached Ready to process requests Output in /var/log/freeradius/authz.log: Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change any thing than before lunch time... But do we somehow need to close this "discussion" an mark it as resovled or how does this work? __ Anyhow, thank you so much for helping out! Best reards Dominic
On 17/04/2024 12:06, dominic.stalder@unibe.ch wrote:
sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
Looks OK at a quite glance.
And somehow (I really don't know why), it seems to work know:
OK
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (21) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (21) } # update = noop (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (21) 802.1x_authz_log: --> sp.Access-Accept (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (21) 802.1x_authz_log: --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log (21) 802.1x_authz_log: --> /var/log/freeradius/authz.log (21) [802.1x_authz_log] = ok (21) } # if (EAP-Message) = ok
...
Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
Looks good.
As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change any thing than before lunch time...
Won't really know without seeing the failure. Could be anything from client state issues to wifi timers to an attribute missing that's there this time.
But do we somehow need to close this "discussion" an mark it as resovled or how does this work? __
This is a mailing list... it's working so all's good! -- Matthew
participants (2)
-
dominic.stalder@unibe.ch -
Matthew Newton