Hi, I'm trying to connect from a Windows 7 client with PEAP and TLV checking enabled. This is the full log: FreeRADIUS Version 3.0.14 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/expr including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/moonshot-targeted-ids including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/cui including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radius" group = "radius" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" logdir = "/var/log/radius" run_dir = "/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/run/radiusd" libdir = "/usr/lib64" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.215.147.65 { ipv4addr = 10.215.147.65 require_message_authenticator = no secret = <<< secret >>> shortname = "D1300" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.215.145.219 { ipv4addr = 10.215.145.219 require_message_authenticator = no secret = <<< secret >>> shortname = "D1533" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.215.144.7 { ipv4addr = 10.215.144.7 require_message_authenticator = no secret = <<< secret >>> shortname = "bl07" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.215.144.92 { ipv4addr = 10.215.144.92 require_message_authenticator = no secret = <<< secret >>> shortname = "testsys" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.215.147.140 { ipaddr = 10.215.147.140 require_message_authenticator = no secret = <<< secret >>> shortname = "D894" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = mschap radiusd: #### Instantiating modules #### modules { # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_sql # Loading module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_unixodbc" server = "sqlserver" port = 0 login = "sqluser" password = <<< secret >>> radius_db = "HMANdb" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "" default_user_profile = "" client_query = "SELECT id,nasname,shortname,type,secret FROM nas" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = ".query" type { accounting-on { } accounting-off { } start { } interim-update { } stop { } } } post-auth { reference = ".query" } } rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=DOMAIN\\Domain\ Users --domain=%{%{Stripped-User-Domain}:-00}" ntlm_auth_timeout = 3 passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loading module "authorized_macs" from file /etc/raddb/mods-enabled/files files authorized_macs { usersfile = "/SAMBA/radius/authorized_macs" key = "%{Calling-Station-ID}" } # Loading module "authorized_hosts" from file /etc/raddb/mods-enabled/files files authorized_hosts { usersfile = "/SAMBA/radius/authorized_hosts" key = "%{1}" } # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } instantiate { # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql rlm_sql (sql): Attempting to connect to database "HMANdb" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used } # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): authenticating by calling 'ntlm_auth' # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "authorized_macs" from file /etc/raddb/mods-enabled/files reading pairlist file /SAMBA/radius/authorized_macs # Instantiating module "authorized_hosts" from file /etc/raddb/mods-enabled/files reading pairlist file /SAMBA/radius/authorized_hosts } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 42089 Listening on proxy address :: port 50831 Ready to process requests (0) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 98 (0) NAS-IP-Address = 10.215.147.140 (0) NAS-Port-Type = Ethernet (0) NAS-Port = 43 (0) User-Name = "DOMAIN\\" (0) Calling-Station-Id = "DC-4A-3E-06-11-46" (0) EAP-Message = 0x0201000c01444f4d41494e5c (0) Message-Authenticator = 0x1c097508abeab4ad4975707327c9a93a (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) policy custom_filter_default { (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> DC-4A-3E-06-11-46 (0) &Calling-Station-Id := DC-4A-3E-06-11-46 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (0) (0) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used (0) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (0) --> 1 (0) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (0) else { (0) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (0) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (0) else { (0) eap: Peer sent EAP Response (code 2) ID 1 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # else = ok (0) } # else = ok (0) } # policy custom_filter_default = updated (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (0) ntdomain: No such realm "DOMAIN" (0) [ntdomain] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) Found Auth-Type = eap (0) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0x34bf2a3234bd33c7 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (0) EAP-Message = 0x010200061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x34bf2a3234bd33c79ddc0c2553452e2c (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +13 (1) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 213 (1) NAS-IP-Address = 10.215.147.140 (1) NAS-Port-Type = Ethernet (1) NAS-Port = 43 (1) User-Name = "DOMAIN\\" (1) State = 0x34bf2a3234bd33c79ddc0c2553452e2c (1) Calling-Station-Id = "DC-4A-3E-06-11-46" (1) EAP-Message = 0x0202006d198000000063160301005e0100005a03015a3120ebb4e29460307281ca82738da1b85831224c576838030c39101a1f498f000018c014c0130035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100 (1) Message-Authenticator = 0xe999fa51f37ec5cde5aa3d0d4a62c197 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) policy custom_filter_default { (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> DC-4A-3E-06-11-46 (1) &Calling-Station-Id := DC-4A-3E-06-11-46 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (1) (1) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (1) (1) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (1) --> 1 (1) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (1) else { (1) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (1) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (1) else { (1) eap: Peer sent EAP Response (code 2) ID 2 length 109 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # else = ok (1) } # else = ok (1) } # policy custom_filter_default = updated (1) [chap] = noop (1) [mschap] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntdomain: Checking for prefix before "\" (1) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (1) ntdomain: No such realm "DOMAIN" (1) [ntdomain] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 109 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) Found Auth-Type = eap (1) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x34bf2a3234bd33c7 (1) eap: Finished EAP session with state 0x34bf2a3234bd33c7 (1) eap: Previous EAP request found for state 0x34bf2a3234bd33c7, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 99 bytes (1) eap_peap: Got complete TLS record (99 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005e], ClientHello (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0039], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 079e], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 3 length 1004 (1) eap: EAP session adding &reply:State = 0x34bf2a3235bc33c7 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (1) EAP-Message = 0x010303ec19c00000093a160301003902000035030152514568a87b7684337c532a0bd055133486c73f7eea56bb02dc3ad6acdd409700c01400000dff01000100000b000403000102160301079e0b00079a0007970003713082036d308202d6a003020102020101300d06092a864886f70d01010b050030 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x34bf2a3235bc33c79ddc0c2553452e2c (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 0 with timestamp +13 (2) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 110 (2) NAS-IP-Address = 10.215.147.140 (2) NAS-Port-Type = Ethernet (2) NAS-Port = 43 (2) User-Name = "DOMAIN\\" (2) State = 0x34bf2a3235bc33c79ddc0c2553452e2c (2) Calling-Station-Id = "DC-4A-3E-06-11-46" (2) EAP-Message = 0x020300061900 (2) Message-Authenticator = 0x5d8fa8b7bb7581cd3a019bd206184e37 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) policy custom_filter_default { (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> DC-4A-3E-06-11-46 (2) &Calling-Station-Id := DC-4A-3E-06-11-46 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (2) (2) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (2) (2) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (2) --> 1 (2) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (2) else { (2) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (2) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (2) else { (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # else = ok (2) } # else = ok (2) } # policy custom_filter_default = updated (2) [chap] = noop (2) [mschap] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) ntdomain: Checking for prefix before "\" (2) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (2) ntdomain: No such realm "DOMAIN" (2) [ntdomain] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) Found Auth-Type = eap (2) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x34bf2a3235bc33c7 (2) eap: Finished EAP session with state 0x34bf2a3235bc33c7 (2) eap: Previous EAP request found for state 0x34bf2a3235bc33c7, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1000 (2) eap: EAP session adding &reply:State = 0x34bf2a3236bb33c7 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (2) EAP-Message = 0x010403e819408c310b30090603550406130245533111300f0603550408130842616c6561726573310d300b060355040a1304484d414e3110300e060355040b1307484d414e2049543120301e06035504031317484d414e31205369676e696e6720417574686f726974793127302506092a864886f70d01 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x34bf2a3236bb33c79ddc0c2553452e2c (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 0 with timestamp +13 (3) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 110 (3) NAS-IP-Address = 10.215.147.140 (3) NAS-Port-Type = Ethernet (3) NAS-Port = 43 (3) User-Name = "DOMAIN\\" (3) State = 0x34bf2a3236bb33c79ddc0c2553452e2c (3) Calling-Station-Id = "DC-4A-3E-06-11-46" (3) EAP-Message = 0x020400061900 (3) Message-Authenticator = 0x8e1e3b6a27415590c3d97729037505c9 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) policy custom_filter_default { (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> DC-4A-3E-06-11-46 (3) &Calling-Station-Id := DC-4A-3E-06-11-46 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (3) (3) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (3) (3) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (3) --> 1 (3) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (3) else { (3) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (3) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (3) else { (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # else = ok (3) } # else = ok (3) } # policy custom_filter_default = updated (3) [chap] = noop (3) [mschap] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) ntdomain: Checking for prefix before "\" (3) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (3) ntdomain: No such realm "DOMAIN" (3) [ntdomain] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) Found Auth-Type = eap (3) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x34bf2a3236bb33c7 (3) eap: Finished EAP session with state 0x34bf2a3236bb33c7 (3) eap: Previous EAP request found for state 0x34bf2a3236bb33c7, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 380 (3) eap: EAP session adding &reply:State = 0x34bf2a3237ba33c7 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (3) EAP-Message = 0x0105017c19005a46745a093ed65b25a7e51c8c12948bafea8d2c15b96b9be8af989508160301014b0c00014703001741044f35c498d1bdc0cdf29952d0b00d2e37e16a8f328f21b62c4200265a268e085fd7b6fdc266d5c5c63a378380bc6a615ff7edc9eaf89732cd65a135a4e9862cb1010006b5c5e5 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x34bf2a3237ba33c79ddc0c2553452e2c (3) Finished request Waking up in 4.9 seconds. (3) Cleaning up request packet ID 0 with timestamp +13 (4) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 248 (4) NAS-IP-Address = 10.215.147.140 (4) NAS-Port-Type = Ethernet (4) NAS-Port = 43 (4) User-Name = "DOMAIN\\" (4) State = 0x34bf2a3237ba33c79ddc0c2553452e2c (4) Calling-Station-Id = "DC-4A-3E-06-11-46" (4) EAP-Message = 0x020500901980000000861603010046100000424104f4844e1053eac180c7e2e1a424835f71ffd98e4ccdec7ddabe0105ac0e95e6211391fb1a64f62624c15fcd8dec6c388b045a6ec587d3b0807b18deeec72ea9c614030100010116030100304908d3cd50706fa4ecbad90205fc75c564b4770c010934 (4) Message-Authenticator = 0xdcbb90b0c261561d3d361fc0263352e3 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) policy custom_filter_default { (4) policy rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> DC-4A-3E-06-11-46 (4) &Calling-Station-Id := DC-4A-3E-06-11-46 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_calling_station_id = updated (4) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (4) (4) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (4) (4) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (4) --> 1 (4) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (4) else { (4) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (4) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (4) else { (4) eap: Peer sent EAP Response (code 2) ID 5 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # else = ok (4) } # else = ok (4) } # policy custom_filter_default = updated (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) ntdomain: Checking for prefix before "\" (4) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (4) ntdomain: No such realm "DOMAIN" (4) [ntdomain] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) Found Auth-Type = eap (4) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x34bf2a3237ba33c7 (4) eap: Finished EAP session with state 0x34bf2a3237ba33c7 (4) eap: Previous EAP request found for state 0x34bf2a3237ba33c7, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 134 bytes (4) eap_peap: Got complete TLS record (134 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: TLS_accept: SSLv3 read certificate verify A (4) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 65 (4) eap: EAP session adding &reply:State = 0x34bf2a3230b933c7 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (4) EAP-Message = 0x010600411900140301000101160301003015920e5ed41d52ceecc678c202f7a105444c65db18faf1224df5c2e3d7904e5bd963239c7e156c6c7c533f71ed8d6288 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x34bf2a3230b933c79ddc0c2553452e2c (4) Finished request Waking up in 4.9 seconds. (4) Cleaning up request packet ID 0 with timestamp +13 (5) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 110 (5) NAS-IP-Address = 10.215.147.140 (5) NAS-Port-Type = Ethernet (5) NAS-Port = 43 (5) User-Name = "DOMAIN\\" (5) State = 0x34bf2a3230b933c79ddc0c2553452e2c (5) Calling-Station-Id = "DC-4A-3E-06-11-46" (5) EAP-Message = 0x020600061900 (5) Message-Authenticator = 0x161eb7412ee31398916dc226726ede3c (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) policy custom_filter_default { (5) policy rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> DC-4A-3E-06-11-46 (5) &Calling-Station-Id := DC-4A-3E-06-11-46 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_calling_station_id = updated (5) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (0) (5) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (0) (5) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (5) --> 1 (5) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (5) else { (5) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (5) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (5) else { (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # else = ok (5) } # else = ok (5) } # policy custom_filter_default = updated (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) ntdomain: Checking for prefix before "\" (5) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (5) ntdomain: No such realm "DOMAIN" (5) [ntdomain] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) Found Auth-Type = eap (5) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x34bf2a3230b933c7 (5) eap: Finished EAP session with state 0x34bf2a3230b933c7 (5) eap: Previous EAP request found for state 0x34bf2a3230b933c7, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 7 length 43 (5) eap: EAP session adding &reply:State = 0x34bf2a3231b833c7 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (5) EAP-Message = 0x0107002b1900170301002059a55c260d70bc1835c9081e680673c6ca1b5d2cda524657132a0f83eefb55bb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x34bf2a3231b833c79ddc0c2553452e2c (5) Finished request Waking up in 4.9 seconds. (5) Cleaning up request packet ID 0 with timestamp +13 (6) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 163 (6) NAS-IP-Address = 10.215.147.140 (6) NAS-Port-Type = Ethernet (6) NAS-Port = 43 (6) User-Name = "DOMAIN\\" (6) State = 0x34bf2a3231b833c79ddc0c2553452e2c (6) Calling-Station-Id = "DC-4A-3E-06-11-46" (6) EAP-Message = 0x0207003b1900170301003055eff99a3cafdbeb267ae2fc80335af5a2698d23abb147b1d45ebb764effe538e9ffa61d3fbf60942f7392067dff83ee (6) Message-Authenticator = 0xbdf2783b5eafd296981c47f86b4d9b88 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) policy custom_filter_default { (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> DC-4A-3E-06-11-46 (6) &Calling-Station-Id := DC-4A-3E-06-11-46 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (5) (6) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (5) (6) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (6) --> 1 (6) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (6) else { (6) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (6) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (6) else { (6) eap: Peer sent EAP Response (code 2) ID 7 length 59 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # else = ok (6) } # else = ok (6) } # policy custom_filter_default = updated (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (6) ntdomain: No such realm "DOMAIN" (6) [ntdomain] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 59 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) Found Auth-Type = eap (6) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x34bf2a3231b833c7 (6) eap: Finished EAP session with state 0x34bf2a3231b833c7 (6) eap: Previous EAP request found for state 0x34bf2a3231b833c7, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - DOMAIN\adminpc (6) eap_peap: Got inner identity 'DOMAIN\adminpc' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0207001301444f4d41494e5c61646d696e7063 (6) eap_peap: Setting User-Name to DOMAIN\adminpc (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0207001301444f4d41494e5c61646d696e7063 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "DOMAIN\\adminpc" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0207001301444f4d41494e5c61646d696e7063 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "DOMAIN\\adminpc" (6) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy custom_split_username_nai { (6) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) { (6) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) -> FALSE (6) else { (6) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (6) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) -> TRUE (6) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (6) update request { (6) EXPAND %{2} (6) --> adminpc (6) &Stripped-User-Name := adminpc (6) EXPAND %{1} (6) --> DOMAIN (6) &Stripped-User-Domain = DOMAIN (6) } # update request = noop (6) [updated] = updated (6) } # if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # else = updated (6) } # policy custom_split_username_nai = updated (6) policy custom_filter_inner_tunnel { (6) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (6) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (6) } # policy custom_filter_inner_tunnel = updated (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "adminpc", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 19 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 43 (6) eap: EAP session adding &reply:State = 0x241fa4362417be94 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0108002b1a0108002610ec6db14d824cbbcbc671d6ab625f9dc4667265657261646975732d332e302e3134 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x241fa4362417be94c32591fd0ea88635 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0108002b1a0108002610ec6db14d824cbbcbc671d6ab625f9dc4667265657261646975732d332e302e3134 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x241fa4362417be94c32591fd0ea88635 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0108002b1a0108002610ec6db14d824cbbcbc671d6ab625f9dc4667265657261646975732d332e302e3134 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x241fa4362417be94c32591fd0ea88635 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 75 (6) eap: EAP session adding &reply:State = 0x34bf2a3232b733c7 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (6) EAP-Message = 0x0108004b1900170301004085c5b15480186de43b25f0e778a9f1a201119b7566e3fadbf1af4aa8ef8b74293c1b5122e3d00fbbc1ad2003cc016eec085a58d1f68c84c1e61a8495e8efbd75 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x34bf2a3232b733c79ddc0c2553452e2c (6) Finished request Waking up in 4.9 seconds. (6) Cleaning up request packet ID 0 with timestamp +13 (7) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 211 (7) NAS-IP-Address = 10.215.147.140 (7) NAS-Port-Type = Ethernet (7) NAS-Port = 43 (7) User-Name = "DOMAIN\\" (7) State = 0x34bf2a3232b733c79ddc0c2553452e2c (7) Calling-Station-Id = "DC-4A-3E-06-11-46" (7) EAP-Message = 0x0208006b19001703010060bc0709e3fc83742dec9ac2f6edc98a4512d180119da6f27ea1f003659f19c8a51cea9c0a82ee4ba0cbab055d52d9219876bec23a63c13ba6cc135a48e080925bf8ad5722796cd8e4a711a2edc8a18f4fe5a8bcc2db7c0371418c08b511b6f3d5 (7) Message-Authenticator = 0x7d98dc75bb7a704974e3eb633ec05150 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) policy custom_filter_default { (7) policy rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> DC-4A-3E-06-11-46 (7) &Calling-Station-Id := DC-4A-3E-06-11-46 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_calling_station_id = updated (7) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (1) (7) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (1) (7) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (7) --> 1 (7) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (7) else { (7) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (7) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (7) else { (7) eap: Peer sent EAP Response (code 2) ID 8 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # else = ok (7) } # else = ok (7) } # policy custom_filter_default = updated (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) ntdomain: Checking for prefix before "\" (7) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (7) ntdomain: No such realm "DOMAIN" (7) [ntdomain] = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) Found Auth-Type = eap (7) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x241fa4362417be94 (7) eap: Finished EAP session with state 0x34bf2a3232b733c7 (7) eap: Previous EAP request found for state 0x34bf2a3232b733c7, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020800491a0208004431811f1a12259a2da16ac45c2c080c627c0000000000000000ddb521a032f883a215197e2689b89f92fe405a3a0392f92900444f4d41494e5c61646d696e7063 (7) eap_peap: Setting User-Name to DOMAIN\adminpc (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020800491a0208004431811f1a12259a2da16ac45c2c080c627c0000000000000000ddb521a032f883a215197e2689b89f92fe405a3a0392f92900444f4d41494e5c61646d696e7063 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "DOMAIN\\adminpc" (7) eap_peap: State = 0x241fa4362417be94c32591fd0ea88635 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020800491a0208004431811f1a12259a2da16ac45c2c080c627c0000000000000000ddb521a032f883a215197e2689b89f92fe405a3a0392f92900444f4d41494e5c61646d696e7063 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "DOMAIN\\adminpc" (7) State = 0x241fa4362417be94c32591fd0ea88635 (7) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy custom_split_username_nai { (7) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) { (7) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) -> FALSE (7) else { (7) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (7) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) -> TRUE (7) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (7) update request { (7) EXPAND %{2} (7) --> adminpc (7) &Stripped-User-Name := adminpc (7) EXPAND %{1} (7) --> DOMAIN (7) &Stripped-User-Domain = DOMAIN (7) } # update request = noop (7) [updated] = updated (7) } # if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # else = updated (7) } # policy custom_split_username_nai = updated (7) policy custom_filter_inner_tunnel { (7) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (7) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (7) } # policy custom_filter_inner_tunnel = updated (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "adminpc", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 73 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x241fa4362417be94 (7) eap: Finished EAP session with state 0x241fa4362417be94 (7) eap: Previous EAP request found for state 0x241fa4362417be94, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Creating challenge hash with username: adminpc (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=DOMAIN\\Domain\ Users --domain=%{%{Stripped-User-Domain}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=adminpc (7) mschap: Creating challenge hash with username: adminpc (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=cd3c779718087aaf (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=ddb521a032f883a215197e2689b89f92fe405a3a0392f929 (7) mschap: EXPAND --domain=%{%{Stripped-User-Domain}:-00} (7) mschap: --> --domain=DOMAIN (7) mschap: Program returned code (0) and output 'NT_KEY: 2714ABAFC5F47D614AFCA53A01966C1F' (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 9 length 51 (7) eap: EAP session adding &reply:State = 0x241fa4362516be94 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010900331a0308002e533d45353333314236373746323233324537363845313044413746453146374445354233304332344143 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x241fa4362516be94c32591fd0ea88635 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d45353333314236373746323233324537363845313044413746453146374445354233304332344143 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x241fa4362516be94c32591fd0ea88635 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d45353333314236373746323233324537363845313044413746453146374445354233304332344143 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x241fa4362516be94c32591fd0ea88635 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 9 length 91 (7) eap: EAP session adding &reply:State = 0x34bf2a3233b633c7 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (7) EAP-Message = 0x0109005b190017030100506bfde6428381b3ee1e2a3db2c7ed598b50c698dc78776bf784e399e957889cdfd9d436685ab18dd93466dba26393fba93395f96e5bb6786949ee2b892826f8ba67d1fbbb83b80ebf13134c4ef22a962b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x34bf2a3233b633c79ddc0c2553452e2c (7) Finished request Waking up in 4.9 seconds. (7) Cleaning up request packet ID 0 with timestamp +13 (8) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 147 (8) NAS-IP-Address = 10.215.147.140 (8) NAS-Port-Type = Ethernet (8) NAS-Port = 43 (8) User-Name = "DOMAIN\\" (8) State = 0x34bf2a3233b633c79ddc0c2553452e2c (8) Calling-Station-Id = "DC-4A-3E-06-11-46" (8) EAP-Message = 0x0209002b19001703010020d27748b18135e0f064e88cd497108df6b00ef5a6d5a546bd6afc3dc0a58a1503 (8) Message-Authenticator = 0xff9a4172f880589f940cf8455b4f5bb6 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) policy custom_filter_default { (8) policy rewrite_calling_station_id { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> DC-4A-3E-06-11-46 (8) &Calling-Station-Id := DC-4A-3E-06-11-46 (8) } # update request = noop (8) [updated] = updated (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_calling_station_id = updated (8) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (2) (8) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (2) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used (8) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (8) --> 1 (8) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (8) else { (8) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (8) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (8) else { (8) eap: Peer sent EAP Response (code 2) ID 9 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # else = ok (8) } # else = ok (8) } # policy custom_filter_default = updated (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (8) ntdomain: No such realm "DOMAIN" (8) [ntdomain] = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) Found Auth-Type = eap (8) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x241fa4362516be94 (8) eap: Finished EAP session with state 0x34bf2a3233b633c7 (8) eap: Previous EAP request found for state 0x34bf2a3233b633c7, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to DOMAIN\adminpc (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "DOMAIN\\adminpc" (8) eap_peap: State = 0x241fa4362516be94c32591fd0ea88635 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "DOMAIN\\adminpc" (8) State = 0x241fa4362516be94c32591fd0ea88635 (8) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) policy custom_split_username_nai { (8) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) { (8) if (&User-Name && (&User-Name =~ /^(\w+)@(.*)$/)) -> FALSE (8) else { (8) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (8) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) -> TRUE (8) if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) { (8) update request { (8) EXPAND %{2} (8) --> adminpc (8) &Stripped-User-Name := adminpc (8) EXPAND %{1} (8) --> DOMAIN (8) &Stripped-User-Domain = DOMAIN (8) } # update request = noop (8) [updated] = updated (8) } # if (&User-Name && (&User-Name =~ /^(.*)\\(\w+)$/)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # else = updated (8) } # policy custom_split_username_nai = updated (8) policy custom_filter_inner_tunnel { (8) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (8) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (8) } # policy custom_filter_inner_tunnel = updated (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "adminpc", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x241fa4362516be94 (8) eap: Finished EAP session with state 0x241fa4362516be94 (8) eap: Previous EAP request found for state 0x241fa4362516be94, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-MPPE-Encryption-Policy = Encryption-Required (8) MS-MPPE-Encryption-Types = 4 (8) MS-MPPE-Send-Key = 0x8227912082b737081d5f5086d5276917 (8) MS-MPPE-Recv-Key = 0xbd60f4424280d034ac88ecdd6ab436a2 (8) EAP-Message = 0x03090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) Stripped-User-Name := "adminpc" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required (8) eap_peap: MS-MPPE-Encryption-Types = 4 (8) eap_peap: MS-MPPE-Send-Key = 0x8227912082b737081d5f5086d5276917 (8) eap_peap: MS-MPPE-Recv-Key = 0xbd60f4424280d034ac88ecdd6ab436a2 (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Stripped-User-Name := "adminpc" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required (8) eap_peap: MS-MPPE-Encryption-Types = 4 (8) eap_peap: MS-MPPE-Send-Key = 0x8227912082b737081d5f5086d5276917 (8) eap_peap: MS-MPPE-Recv-Key = 0xbd60f4424280d034ac88ecdd6ab436a2 (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Stripped-User-Name := "adminpc" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 10 length 43 (8) eap: EAP session adding &reply:State = 0x34bf2a323cb533c7 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 0 (8) EAP-Message = 0x010a002b19001703010020a19ef0fe3f0c9b584992457fab0fda7b39dae61950ac4300f52f48604b1a17d9 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x34bf2a323cb533c79ddc0c2553452e2c (8) Finished request Waking up in 4.9 seconds. (8) Cleaning up request packet ID 0 with timestamp +13 (9) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 147 (9) NAS-IP-Address = 10.215.147.140 (9) NAS-Port-Type = Ethernet (9) NAS-Port = 43 (9) User-Name = "DOMAIN\\" (9) State = 0x34bf2a323cb533c79ddc0c2553452e2c (9) Calling-Station-Id = "DC-4A-3E-06-11-46" (9) EAP-Message = 0x020a002b190017030100205d49a7d9fa42ecc07762bda0ce1da33ec437ed7d057f69369055acbb566f2bcc (9) Message-Authenticator = 0x7dcba2a6df10bc84f68031932b88f1e2 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) policy custom_filter_default { (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> DC-4A-3E-06-11-46 (9) &Calling-Station-Id := DC-4A-3E-06-11-46 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) { rlm_sql (sql): Reserved connection (3) (9) Executing select query: SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = 'DC-4A-3E-06-11-46' OR inf_pcs.Mac = 'DC-4A-3E-06-11-46;' OR inf_pcs.Mac LIKE '%;DC-4A-3E-06-11-46%' ) ) rlm_sql (sql): Released connection (3) (9) EXPAND %{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )} (9) --> 1 (9) if ( ("%{sql:SELECT count(inf_pcs.Mac) FROM inf_pcs INNER JOIN inf_devices ON inf_pcs.DevName = inf_devices.E_Name WHERE ( inf_devices.Unused = 0 AND inf_devices.Removed = 0 AND ( inf_pcs.Mac = '%{Calling-Station-ID}' OR inf_pcs.Mac = '%{Calling-Station-ID};' OR inf_pcs.Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) && ("%{sql:SELECT count(Mac) FROM inf_devices WHERE ( Unused = 0 AND Removed = 0 AND ( Mac = '%{Calling-Station-ID}' OR Mac = '%{Calling-Station-ID};' OR Mac LIKE '%%;%{Calling-Station-ID}%%' ) )}" <= 0) ) || (!EAP-Message) -> FALSE (9) else { (9) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) { (9) if ( (User-Name) && (&User-Name =~ /^host\/(\w+)(\.\w+)*$/) ) -> FALSE (9) else { (9) eap: Peer sent EAP Response (code 2) ID 10 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # else = ok (9) } # else = ok (9) } # policy custom_filter_default = updated (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (9) ntdomain: No such realm "DOMAIN" (9) [ntdomain] = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) Found Auth-Type = eap (9) ERROR: Warning: Found 2 auth-types on request for user 'DOMAIN\' (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x34bf2a323cb533c7 (9) eap: Finished EAP session with state 0x34bf2a323cb533c7 (9) eap: Previous EAP request found for state 0x34bf2a323cb533c7, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Client rejected our response. The password is probably incorrect (9) eap_peap: ERROR: We sent a success, but the client did not agree (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 10 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> DOMAIN\\ (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 0 from 10.215.144.91:1812 to 10.215.147.140:49154 length 44 (9) EAP-Message = 0x040a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (9) Cleaning up request packet ID 0 with timestamp +14 Ready to process requests Any ideas why the client is rejecting? Thanks, Vieri
On Dec 13, 2017, at 8:04 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm trying to connect from a Windows 7 client with PEAP and TLV checking enabled. This is the full log:
And the relevant portion:
(9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Client rejected our response. The password is probably incorrect (9) eap_peap: ERROR: We sent a success, but the client did not agree ... Any ideas why the client is rejecting?
See the debug output. And as always, I don't understand why people look at the FreeRADIUS logs, and try to figure out what the client is doing. FreeRADIUS doesn't know. Only the client knows. Alan DeKok.
something not quite okay in your config (0) Found Auth-Type = eap (0) Found Auth-Type = eap 2 auth-types of eap? no thanks alan
________________________________ From: Alan Buxey <alan.buxey@gmail.com>
something not quite okay in your config
(0) Found Auth-Type = eap (0) Found Auth-Type = eap
2 auth-types of eap? no thanks
Thanks for pointing that out. I'll have to review the config. I'm also wondering why I'm getting this, and if it could be related to your finding: WARNING: Outer User-Name is not anonymized. User privacy is compromised. Thanks, Vieri
On Dec 13, 2017, at 11:41 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thanks for pointing that out. I'll have to review the config.
I'm also wondering why I'm getting this,
You changed the configuration. The default config only sets Auth-Type = EAP once: in the EAP module. You've added something that manually sets it. Don't do that.
and if it could be related to your finding:
WARNING: Outer User-Name is not anonymized. User privacy is compromised.
It's unrelated. Alan DeKok.
________________________________ From: Alan DeKok <aland@deployingradius.com>
See the debug output.
And as always, I don't understand why people look at the FreeRADIUS logs, and try to figure out what the client is doing.
FreeRADIUS doesn't know. Only the client knows.
So when you say "See the debug output" you mean "see the client's debug output"? If that's the case then I'll have to find out how to do that on a Windows machine with the native Radius implementation. Vieri
________________________________ From: Alan DeKok <aland@deployingradius.com>
See the debug output.
I checked the logs on the client (Microsoft-Windows-Wired-AutoConfig), and here's all I can get: Identity: DOMAIN\ User: adminpc Domain: DOMAIN ReasonCode: 0x50005 ReasonText: Explicit EAP error received. ErrorCode: 0x0 If I configure the client to only do TLV checking, but disable hiding the identity, etc. then the only item that changes in the log above is the identity: Identity: DOMAIN\adminpc The error is still the same. Doesn't ReasonText imply that the Radius server is actually sending back an EAP error? If I go back to the FreeRadius server log (after fixing the unrelated eap issue where 2 accepts were found) I cannot see FreeRadius rejecting anything. This part of the log was taken when the identity was anonymized: (9) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 147 (9) NAS-IP-Address = 10.215.147.140 (9) NAS-Port-Type = Ethernet (9) NAS-Port = 43 (9) User-Name = "DOMAIN\\" (9) State = 0xb9970e47b1841752fc0ab043de592bf3 (9) Calling-Station-Id = "DC-4A-3E-06-11-46" [...] (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\" (9) ntdomain: No such realm "DOMAIN" (9) [ntdomain] = noop (9) [expiration] = noop (9) [logintime] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xb9970e47b1841752 (9) eap: Finished EAP session with state 0xb9970e47b1841752 (9) eap: Previous EAP request found for state 0xb9970e47b1841752, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Client rejected our response. The password is probably incorrect (9) eap_peap: ERROR: We sent a success, but the client did not agree (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 19 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user This part of another log was taken when the identity was not anonymized: (9) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 154 (9) NAS-IP-Address = 10.215.147.140 (9) NAS-Port-Type = Ethernet (9) NAS-Port = 43 (9) User-Name = "DOMAIN\\adminpc" (9) State = 0x943e2c5d9c3435d7647a443b67c2cb70 (9) Calling-Station-Id = "DC-4A-3E-06-11-46" [...] (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "DOMAIN\adminpc", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\adminpc" (9) ntdomain: No such realm "DOMAIN" (9) [ntdomain] = noop (9) [expiration] = noop (9) [logintime] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x943e2c5d9c3435d7 (9) eap: Finished EAP session with state 0x943e2c5d9c3435d7 (9) eap: Previous EAP request found for state 0x943e2c5d9c3435d7, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Client rejected our response. The password is probably incorrect (9) eap_peap: ERROR: We sent a success, but the client did not agree (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 10 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user Correct me if I'm wrong, but it seems to me that both the client and the server are blaming each other. Vieri
On Dec 14, 2017, at 2:53 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I checked the logs on the client (Microsoft-Windows-Wired-AutoConfig), and here's all I can get:
That's Microsoft for you.
Doesn't ReasonText imply that the Radius server is actually sending back an EAP error?
Sure. It's lying. If FreeRADIUS sends an error, you would see the error in the debug output. FreeRADIUS doesn't lie to you.
Correct me if I'm wrong, but it seems to me that both the client and the server are blaming each other.
You have all of the source code to FreeRADIUS, and can double-check it's operation. All of the EAP standards are publicly available, and you can check out EAP works. As the main FreeRADIUS developer, I'm telling you what's going on. In contrast, Microsoft gives you no source, no debug, and no access to developers. Don't say that both client and server are blaming each other. That implies that *I'm* lying to you when I tell you what's going on. It implies that FreeRADIUS is lying to you, too. You're making these statements here because you can't make them to Microsoft. Well, that's not my problem. Go ask Microsoft how their crappy software works, and how to fix it. I'm trying to help you, and you don't believe me. You're free to go elsewhere. Alan DeKok.
Not had a problem myself with TLV set... So let's look at what that does and examine your data path. Is your NAS terminating the EAP and then proxying it to your FR? If there another system in the way? You have something quirky in your config, double auth-type being set, so send me your virtual server configs. There will be some obvious thing there. alan On 14 Dec 2017 1:39 pm, "Alan DeKok" <aland@deployingradius.com> wrote:
On Dec 14, 2017, at 2:53 AM, Vieri via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I checked the logs on the client (Microsoft-Windows-Wired-AutoConfig),
and here's all I can get:
That's Microsoft for you.
Doesn't ReasonText imply that the Radius server is actually sending back an EAP error?
Sure. It's lying.
If FreeRADIUS sends an error, you would see the error in the debug output. FreeRADIUS doesn't lie to you.
Correct me if I'm wrong, but it seems to me that both the client and the server are blaming each other.
You have all of the source code to FreeRADIUS, and can double-check it's operation. All of the EAP standards are publicly available, and you can check out EAP works. As the main FreeRADIUS developer, I'm telling you what's going on.
In contrast, Microsoft gives you no source, no debug, and no access to developers.
Don't say that both client and server are blaming each other. That implies that *I'm* lying to you when I tell you what's going on. It implies that FreeRADIUS is lying to you, too.
You're making these statements here because you can't make them to Microsoft. Well, that's not my problem. Go ask Microsoft how their crappy software works, and how to fix it.
I'm trying to help you, and you don't believe me. You're free to go elsewhere.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi, > Not had a problem myself with TLV set... So let's look at what that does > and examine your data path. Is your NAS terminating the EAP and then > proxying it to your FR? If there another system in the way? You have > something quirky in your config, double auth-type being set, so send me > your virtual server configs. There will be some obvious thing there. It's certainly worth looking at that bit. The TLV checks are AFAIR Microsoft's way of saying "enable channel binding" (if only they'd write that so bluntly). So, if EAP stops working when channel binding is enforced, then something would appear to be wrong with the outer EAP vs inner MSCHAPv2 binding. When I looked at your debug output before, I dismissed this possibility because FreeRADIUS clearly gets an entire PEAP session, outer TLS and inner MSCHAPv2. But there is of course the possibility that the NAS terminates EAP and then re-encapsulates it in a whole new PEAP session. Or a proxy doing the same. You would be able to verify this by inspecting the server certificate you get on the client: is this the exact same certificate, issued by the same CA, that your FreeRADIUS server serves? Greetings, Stefan Winter > > alan > > On 14 Dec 2017 1:39 pm, "Alan DeKok" <aland@deployingradius.com> wrote: > >> On Dec 14, 2017, at 2:53 AM, Vieri via Freeradius-Users < >> freeradius-users@lists.freeradius.org> wrote: >>> >>> I checked the logs on the client (Microsoft-Windows-Wired-AutoConfig), >> and here's all I can get: >> >> That's Microsoft for you. >> >>> Doesn't ReasonText imply that the Radius server is actually sending back >> an EAP error? >> >> Sure. It's lying. >> >> If FreeRADIUS sends an error, you would see the error in the debug >> output. FreeRADIUS doesn't lie to you. >> >>> Correct me if I'm wrong, but it seems to me that both the client and the >> server are blaming each other. >> >> You have all of the source code to FreeRADIUS, and can double-check it's >> operation. All of the EAP standards are publicly available, and you can >> check out EAP works. As the main FreeRADIUS developer, I'm telling you >> what's going on. >> >> In contrast, Microsoft gives you no source, no debug, and no access to >> developers. >> >> Don't say that both client and server are blaming each other. That >> implies that *I'm* lying to you when I tell you what's going on. It >> implies that FreeRADIUS is lying to you, too. >> >> You're making these statements here because you can't make them to >> Microsoft. Well, that's not my problem. Go ask Microsoft how their crappy >> software works, and how to fix it. >> >> I'm trying to help you, and you don't believe me. You're free to go >> elsewhere. >> >> Alan DeKok. >> >> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
________________________________ From: Stefan Winter <stefan.winter@restena.lu>
But there is of course the possibility that the NAS terminates EAP and then re-encapsulates it in a whole new PEAP session. Or a proxy doing the same.
You would be able to verify this by inspecting the server certificate you get on the client: is this the exact same certificate, issued by the same CA, that your FreeRADIUS server serves?
I don't know yet if my switch could be the issue. There is no proxy on this network. I'll have to find out how to inspect the server certificate I get on the Windows client. Thanks, Vieri
Hi Alan, ________________________________ From: Alan Buxey <alan.buxey@gmail.com>
Not had a problem myself with TLV set... So let's look at what that does and examine your data path. Is your NAS terminating the EAP and then proxying it to your FR?
I don't know how to answer that. See below.
If there another system in the way?
No. Client machine --- D-Link SWITCH with 802.1x enabled --- FR on a firewalled system with open ports tcp,udp 1812,1813,1814,433 Nothing else.
You have something quirky in your config, double auth-type being set,
That was before. I mistakenly called "eap" twice in a badly built if/else clause. I fixed that, but I'm still getting this issue.
so send me your virtual server
configs. There will be some obvious thing there.
I'll do that asap. Thanks! Vieri
________________________________ From: Alan Buxey <alan.buxey@gmail.com>
send me your virtual server configs. There will be some obvious thing there.
I'm supposing you mean my virtual_server defined in the eap module? It refers to inner-tunnel, and it's content follows: server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { filter_username custom_split_username_nai chap mschap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } files -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap } session { radutmp } post-auth { if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } policy.d/canonicalization contains: custom_nai_regexp1 = '^(\w+)@(.*)$' custom_nai_regexp = '^(.*)\\(\w+)$' custom_split_username_nai { if (&User-Name && (&User-Name =~ /${policy.custom_nai_regexp1}/)) { update request { &Stripped-User-Name := "%{1}" &Stripped-User-Domain = "%{2}" } updated } else { if (&User-Name && (&User-Name =~ /${policy.custom_nai_regexp}/)) { update request { &Stripped-User-Name := "%{2}" &Stripped-User-Domain = "%{1}" } updated } else { noop } } }
________________________________ From: Alan DeKok <aland@deployingradius.com>
In contrast, Microsoft gives you no source, no debug, and no access to developers.
Don't say that both client and server are blaming each other. That implies that *I'm* lying to you
when I tell you what's going on. It implies that FreeRADIUS is lying to you, too.>
You're making these statements here because you can't make them to Microsoft. Well, that's not my
problem. Go ask Microsoft how their crappy software works, and how to fix it.> I'm trying to help you, and you don't believe me. You're free to go elsewhere.
Alan, believe me if I tell you I greatly appreciate your work, as well as all the devs behind OSS. I've been an OSS user for decades now, and I already used FreeRadius several years ago in another project. Recently, I've taken up another project, and I didn't hesitate one single second when choosing FR for a Radius implementation. The fact that I'm tackling with Microsft Windows clients is neither my fault nor my requirement. I'm not responsible for choosing the clients. If I were, I'd go for totaly different systems. Just so you know, I've always confronted people who wanted to implement say, a Microsoft Radius server implementation, so that they would finally accept using FreeRadius. And that's just one example... Anyway, I'm used to your comments so I won't take it personally :-). This goes way back. I've always known you like this. A tad obnoxious, but a formidable developer, a great help on the ML, and absolutely never ever a liar. I hope you don't mind if I stick around for a few more decades (or as much as I can last). Vieri
What is obnoxious is giving yourself Godly rights of judging and condemning people. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Vieri via Freeradius-Users Sent: Friday, December 15, 2017 10:19 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: EAP-TLV ________________________________ From: Alan DeKok <aland@deployingradius.com>
In contrast, Microsoft gives you no source, no debug, and no access to developers.
Don't say that both client and server are blaming each other. That implies that *I'm* lying to you
when I tell you what's going on. It implies that FreeRADIUS is lying to you, too.>
You're making these statements here because you can't make them to Microsoft. Well, that's not my
problem. Go ask Microsoft how their crappy software works, and how to fix it.> I'm trying to help you, and you don't believe me. You're free to go elsewhere.
Alan, believe me if I tell you I greatly appreciate your work, as well as all the devs behind OSS. I've been an OSS user for decades now, and I already used FreeRadius several years ago in another project. Recently, I've taken up another project, and I didn't hesitate one single second when choosing FR for a Radius implementation. The fact that I'm tackling with Microsft Windows clients is neither my fault nor my requirement. I'm not responsible for choosing the clients. If I were, I'd go for totaly different systems. Just so you know, I've always confronted people who wanted to implement say, a Microsoft Radius server implementation, so that they would finally accept using FreeRadius. And that's just one example... Anyway, I'm used to your comments so I won't take it personally :-). This goes way back. I've always known you like this. A tad obnoxious, but a formidable developer, a great help on the ML, and absolutely never ever a liar. I hope you don't mind if I stick around for a few more decades (or as much as I can last). Vieri - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________ From: Vacheslav <m_zouhairy@skno.by>
What is obnoxious is giving yourself Godly rights of judging and condemning people.
All right now. I don't want to participate in this sterile conversation anymore. Alan, all I want to add to my previous e-mail is that: 1) I never accused you or anyone of lying to me. 2) I'm trying to be constructive like anyone else on this list. 3) I was just pointing out that "the client was saying something that was opposite to what the server was saying". In fact, you will notice that I also remarked that "I couldn't find anything in the Radius log that showed that it was rejecting the client's request". 4) I strive to be as impartial as possible. I'm just stating what I see. I would never imply anything, let alone that you are lying to me. One last thing. Just to make things clear and to clarify my previous e-mail, "a tad obnoxious" was on a friendly note... Please put it in the correct context which is not always easy when writing/reading. I won't be bringing this issue up anymore anyway. Hope all's well. Thanks, Vieri
On Dec 15, 2017, at 2:18 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
The fact that I'm tackling with Microsft Windows clients is neither my fault nor my requirement. I'm not responsible for choosing the clients. If I were, I'd go for totaly different systems. Just so you know, I've always confronted people who wanted to implement say, a Microsoft Radius server implementation, so that they would finally accept using FreeRadius. And that's just one example...
That's all good..
Anyway, I'm used to your comments so I won't take it personally :-). This goes way back. I've always known you like this. A tad obnoxious, but a formidable developer, a great help on the ML, and absolutely never ever a liar.
The problem is when you say things like "both MS and FR are blaming each other". That comes across like you don't know which one to believe, and you don't know what's actually going on. i.e. a one-line message from MS saying "EAP error" holds the same weight as thousands of lines of debug output from FR, and the personal input of the developer. That's... unfriendly. Yet people get upset when I point this out, and label me "obnoxious". TBH, you'd get the same response from a car mechanic. When you bring your car in with a problem, and he tells you what's wrong, would the response be "Well, it's not really clear what's going on, I think we're just going to have to put it down to unknown issues". ?? I don't think so. And if that was the response the car mechanic got, he would inform you that you're free to go elsewhere. Because disrespecting someone's experience is not polite.
I hope you don't mind if I stick around for a few more decades (or as much as I can last).
I'm always happy to have people stick around. Alan DeKok.
________________________________ From: Alan DeKok <aland@deployingradius.com>
The problem is when you say things like "both MS and FR are blaming each other".
That comes across like you don't know which one to believe, and you don't know what's actually going
on.
I don't see such a big issue here, but if you do then please accept my apologies. The only thing I was saying is that, as an inexperienced user, I found it hard to understand why a server and a client would yield apparently different results. I wasn't judging anyone (MS or FR), just trying to understand what was going on, and if anyone here with more experience in the Windows arena would actually say something like "hey, you can get more info in the Windows client by looking or doing something else on that machine". For instance, trying to see if the Windows client gets the exact same server certificate as the one I configured on the Radius server (in case there's some kind of mangling in the middle). I still don't know how to do that, but that's something I can work on.
i.e. a one-line message from MS saying "EAP error" holds the same weight as thousands of lines of
debug output from FR, and the personal input of the developer.
I never said that.
TBH, you'd get the same response from a car mechanic. When you bring your car in with a problem, and
he tells you what's wrong
You told me that I had to look at the client's log because the client was sending the reject message. I searched for it, and found that the client was saying that the server had rejected the transaction. I then wrote the unfortunate "blame" word that offended you. I'm sorry I ever did, but my only intention was to show what I found. It's as if the car mechanic tells me that the engine doesn't start because of a failing circuit in the main panel, but the electronic panel indicates that there's an issue with the engine. I'm not being disrespectful with the mechanic's profession or experience. I'm just pointing out something that is logically illogical. It might be a bad MS implementation as you state, but *maybe* it could very well be a bad FR configuration on *my behalf*... That's all I wanted to say by that.
I'm always happy to have people stick around.
Great. Will do. Vieri
On Dec 15, 2017, at 7:40 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I don't see such a big issue here, but if you do then please accept my apologies.
Don't apologize, I'm cranky lots of times...
The only thing I was saying is that, as an inexperienced user, I found it hard to understand why a server and a client would yield apparently different results. I wasn't judging anyone (MS or FR), just trying to understand what was going on, and if anyone here with more experience in the Windows arena would actually say something like "hey, you can get more info in the Windows client by looking or doing something else on that machine".
It's Windows. There are no good debug logs.
It's as if the car mechanic tells me that the engine doesn't start because of a failing circuit in the main panel, but the electronic panel indicates that there's an issue with the engine. I'm not being disrespectful with the mechanic's profession or experience. I'm just pointing out something that is logically illogical. It might be a bad MS implementation as you state, but *maybe* it could very well be a bad FR configuration on *my behalf*...
There's not much you can do to FreeRADIUS to make it *silently* do weird things. If FR does something, it says what it does, and why. The overall point is one of trust. I suggest people should trust FR, which is open and honest. And me, who's open and a little more cranky. I suggest people don't trust MS. It's an opaque product with opaque logs and opaque corporate tech support. Alan DeKok.
participants (5)
-
Alan Buxey -
Alan DeKok -
Stefan Winter -
Vacheslav -
Vieri