PEAP-MSCHAPv2: Cannot recover attributes from TLS Session Cache
I have been working on this for a couple of weeks, scouring the doc and mail list. I have experimented with so many different configurations I feel like I¹m now chasing my tail. I clearly lack the understanding of how these attributes are shuttled between the inner and outer tunnels as well as from TLS session cache to session-state cache. First thing to know, I have PEAP-MSCHAPv2 working just fine, for a couple of years now. I have upgraded to v3.0.11, rebuilt the configs and got everything working just great again. But now I am trying to add TLS Session Cache, which looks like an under-appreciated and very cool capability. In my inner-tunnel post-auth I successfully do this: # Submit attributes to TLS Session Cache from inner post-auth update reply { &User-Name := "%{reply:User-Name}" &Cached-Session-Policy += "%{reply:Service-Type}" &Cached-Session-Policy += "%{reply:Tunnel-Medium-Type}" &Cached-Session-Policy += "%{reply:Tunnel-Type}" &Cached-Session-Policy += "%{reply:My-Local-employeeStatus}" &Cached-Session-Policy += "%{reply:Tunnel-Private-Group-ID}" } In the following packet exchange I see this: (9) eap_peap: caching User-Name := "dw10j" (9) eap_peap: caching Stripped-User-Name = "dw10j" (9) eap_peap: caching Cached-Session-Policy += "Framed-User" (9) eap_peap: caching Cached-Session-Policy += "IEEE-802" (9) eap_peap: caching Cached-Session-Policy += "VLAN" (9) eap_peap: caching Cached-Session-Policy += "Active" (9) eap_peap: caching Cached-Session-Policy += "employee3a" and an Access-Accept is sent in reply (9). If I now roam to a nearby access point, the TLS Session is resumed and we see this: (12) eap_peap: Adding cached attributes from session d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143 (12) eap_peap: reply:User-Name := "dw10j" (12) eap_peap: reply:Stripped-User-Name = "dw10j" (12) eap_peap: reply:Cached-Session-Policy += "Framed-User" (12) eap_peap: reply:Cached-Session-Policy += "IEEE-802" (12) eap_peap: reply:Cached-Session-Policy += "VLAN" (12) eap_peap: reply:Cached-Session-Policy += "Active" (12) eap_peap: reply:Cached-Session-Policy += "employee3a" (12) eap_peap: [eaptls process] = success (12) eap_peap: Session established. Decoding tunneled attributes (12) eap_peap: PEAP state TUNNEL ESTABLISHED (12) eap_peap: Skipping Phase2 because of session resumption (12) eap_peap: SUCCESS But post-auth does not get called at this point so I am unclear on how to restore these to session-state (if that¹s what I¹m supposed to do). And in the following packet exchange, where I receive an Access-Accept but with empty attributes, we see this: (13) session-state: No cached attributes An abridged log follows and I would be happy to provide full debug log if that is desired. But hopefully I am overlooking one of those obvious things that will make me feel foolish. Alternatively, if you are using TLS Session Cache and have a full and detailed example, I would appreciate it if you could share that with me. Doug Wussler 850.645.4201 Application Developer/Designer Core Network Team Information Technology Services RK Shaw Building 644 W. Call Street Tallahassee, FL 32304 Server was built with: accounting : yes authentication : yes ascend-binary-attributes : yes coa : yes control-socket : yes detail : yes dhcp : yes dynamic-clients : yes osfc2 : no proxy : yes regex-pcre : yes regex-posix : no regex-posix-extended : no session-management : yes stats : yes tcp : yes threads : yes tls : yes unlang : yes vmps : yes developer : no Server core libs: freeradius-server : 3.0.11 talloc : 2.0.* ssl : 1.0.2h release pcre : 8.32 2012-11-30 Endianness: little Compilation flags: cppflags : -isystem /usr/local/include/openssl/ cflags : -I/downloads/freeradius-server-3.0.11 -I/downloads/freeradius-server-3.0.11/src -include /downloads/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /downloads/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /downloads/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /downloads/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -Werror -g -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1 ldflags : -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib64 libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lnsl -lresolv -ldl -lpthread -lreadline ..... Copyright (C) 1999-2016 The FreeRADIUS server project and contributors Debugger not attached # Creating Auth-Type = LDAP # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = FSU-PAP # Creating Auth-Type = EAP # Creating Autz-Type = Status-Server # Loaded module rlm_eap # Loading module "fsu-eap" from file /usr/local/etc/raddb/mods-enabled/fsu-eap eap fsu-eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } # Instantiating module "fsu-eap" from file /usr/local/etc/raddb/mods-enabled/fsu-eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" ca_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/usr/local/etc/raddb/certs/dh_2048.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "HIGH +SHA !aNULL !eNULL !LOW !3DES !SSLv2 !MD5 !EXP !DSS !PSK !SRP !CAMELLIA" ecdh_curve = "prime256v1" disable_tlsv1_2 = no cache { enable = yes lifetime = 4 max_entries = 8000 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "fsu-peap-inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no identity = "Auth0_eap_mschapv2" } ... radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server fsu-peap-1814 { # from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 # Loading authenticate {...} # Loading authorize {...} # Loading post-auth {...} } # server fsu-peap-1814 server fsu-peap-inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading post-auth {...} } # server fsu-peap-inner-tunnel listen { type = "auth" ipv4addr = * port = 1814 } listen { type = "acct" ipv4addr = * port = 1815 } Listening on auth address * port 1814 bound to server fsu-peap-1814 Listening on acct address * port 1815 bound to server fsu-peap-1814 ... Ready to process requests (0) Received Access-Request Id 34 from 128.186.255.238:42749 to 128.186.255.220:1814 length 217 (0) User-Name = "dw10j" (0) NAS-IP-Address = 128.186.255.200 (0) NAS-Port = 0 (0) NAS-Identifier = "128.186.255.238" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "B8E856A8659B" (0) Called-Station-Id = "001A1E0083D8" (0) Service-Type = Framed-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x0201000a01647731306a (0) Aruba-Essid-Name = "FSUCorex" (0) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu" (0) Aruba-AP-Group = "Shaw" (0) Aruba-Device-Type = "iPhone" (0) Message-Authenticator = 0x30af9933cb00e5d441604b11b36b0f0a (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (0) authorize { (0) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (0) EXPAND %{request:User-Name} (0) --> dw10j (0) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (0) EXPAND %{request:User-Name} (0) --> dw10j (0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (0) [ntdomain] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (0) suffix: Found realm "NULL" (0) suffix: Adding Stripped-User-Name = "dw10j" (0) suffix: Adding Realm = "NULL" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10 (0) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [fsu-eap] = ok (0) } # authorize = ok (0) Found Auth-Type = fsu-eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (0) Auth-Type fsu-eap { (0) fsu-eap: Peer sent packet with method EAP Identity (1) (0) fsu-eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) fsu-eap: Sending EAP Request (code 1) ID 2 length 6 (0) fsu-eap: EAP session adding &reply:State = 0x860fee2e860df726 (0) [fsu-eap] = handled (0) } # Auth-Type fsu-eap = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (0) Sent Access-Challenge Id 34 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (0) EAP-Message = 0x010200061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x860fee2e860df726c6e8c1b1cbfeb884 (0) Finished request Waking up in 1.9 seconds. ... Waking up in 1.8 seconds. (8) Received Access-Request Id 42 from 128.186.255.238:42749 to 128.186.255.220:1814 length 268 (8) Found Auth-Type = fsu-eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel (8) Auth-Type fsu-eap { (8) fsu-eap: Expiring EAP session with state 0x84bad54285b3cfdb (8) fsu-eap: Finished EAP session with state 0x84bad54285b3cfdb (8) fsu-eap: Previous EAP request found for state 0x84bad54285b3cfdb, released from the list (8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) fsu-eap: Calling submodule eap_mschapv2 to process data (8) fsu-eap: Sending EAP Success (code 3) ID 9 length 4 (8) fsu-eap: Freeing handler (8) [fsu-eap] = ok (8) } # Auth-Type fsu-eap = ok (8) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel (8) post-auth { (8) update { (8) &outer.session-state:User-Name += &reply:User-Name[*] -> 'dw10j' (8) &outer.session-state:Service-Type += &reply:Service-Type[*] -> Framed-User (8) &outer.session-state:Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802 (8) &outer.session-state:Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN (8) &outer.session-state:My-Local-employeeStatus += &reply:My-Local-employeeStatus[*] -> 'Active' (8) &outer.session-state:Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> 'employee3a' (8) &outer.session-state:My-Local-ntPassword += &reply:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062' (8) &outer.session-state:MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed (8) &outer.session-state:MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed (8) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xf2f40d2c99a86338ec77abd87f6bc004 (8) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0xd0c82e1f94537f44e3290ed225405e8c (8) &outer.session-state:EAP-Message += &reply:EAP-Message[*] -> 0x03090004 (8) &outer.session-state:Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000 (8) } # update = noop (8) update outer.session-state { (8) MS-MPPE-Encryption-Policy !* ANY (8) MS-MPPE-Encryption-Types !* ANY (8) MS-MPPE-Send-Key !* ANY (8) MS-MPPE-Recv-Key !* ANY (8) Message-Authenticator !* ANY (8) EAP-Message !* ANY (8) Proxy-State !* ANY (8) } # update outer.session-state = noop (8) update reply { (8) EXPAND %{reply:User-Name} (8) --> dw10j (8) &User-Name := dw10j (8) EXPAND %{reply:Service-Type} (8) --> Framed-User (8) &Cached-Session-Policy += Framed-User (8) EXPAND %{reply:Tunnel-Medium-Type} (8) --> IEEE-802 (8) &Cached-Session-Policy += IEEE-802 (8) EXPAND %{reply:Tunnel-Type} (8) --> VLAN (8) &Cached-Session-Policy += VLAN (8) EXPAND %{reply:My-Local-employeeStatus} (8) --> Active (8) &Cached-Session-Policy += Active (8) EXPAND %{reply:Tunnel-Private-Group-ID} (8) --> employee3a (8) &Cached-Session-Policy += employee3a (8) } # update reply = noop (8) if ( reply:My-Local-fsuEduWINStatus ) { (8) if ( reply:My-Local-fsuEduWINStatus ) -> FALSE (8) } # post-auth = noop (8) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus} (8) --> (8) Login OK: [dw10j] (from client CamL8 port 0 via TLS tunnel) (8) } # server fsu-peap-inner-tunnel (8) Virtual server sending reply (8) User-Name := "dw10j" (8) Service-Type = Framed-User (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Type = VLAN (8) My-Local-employeeStatus = "Active" (8) Tunnel-Private-Group-Id = "employee3a" (8) My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062" (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004 (8) MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c (8) EAP-Message = 0x03090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) Cached-Session-Policy += "Framed-User" (8) Cached-Session-Policy += "IEEE-802" (8) Cached-Session-Policy += "VLAN" (8) Cached-Session-Policy += "Active" (8) Cached-Session-Policy += "employee3a" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: User-Name := "dw10j" (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: My-Local-employeeStatus = "Active" (8) eap_peap: Tunnel-Private-Group-Id = "employee3a" (8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004 (8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Cached-Session-Policy += "Framed-User" (8) eap_peap: Cached-Session-Policy += "IEEE-802" (8) eap_peap: Cached-Session-Policy += "VLAN" (8) eap_peap: Cached-Session-Policy += "Active" (8) eap_peap: Cached-Session-Policy += "employee3a" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: User-Name := "dw10j" (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: My-Local-employeeStatus = "Active" (8) eap_peap: Tunnel-Private-Group-Id = "employee3a" (8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004 (8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c (8) eap_peap: EAP-Message = 0x03090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Cached-Session-Policy += "Framed-User" (8) eap_peap: Cached-Session-Policy += "IEEE-802" (8) eap_peap: Cached-Session-Policy += "VLAN" (8) eap_peap: Cached-Session-Policy += "Active" (8) eap_peap: Cached-Session-Policy += "employee3a" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap_peap: Saving tunneled attributes for later (8) fsu-eap: Sending EAP Request (code 1) ID 10 length 43 (8) fsu-eap: EAP session adding &reply:State = 0x860fee2e8e05f726 (8) [fsu-eap] = handled (8) } # Auth-Type fsu-eap = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (8) session-state: Saving cached attributes (8) User-Name += "dw10j" (8) Service-Type += Framed-User (8) Tunnel-Medium-Type += IEEE-802 (8) Tunnel-Type += VLAN (8) My-Local-employeeStatus += "Active" (8) Tunnel-Private-Group-Id += "employee3a" (8) My-Local-ntPassword += "ACC1E2ED4455527965628BF7A008B062" (8) Sent Access-Challenge Id 42 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (8) EAP-Message = 0x010a002b19001703010020fcb7e3cf0b673c79ef41a11a56c8da40ab1ca7cfc3a07914a18 31032d774a6dd (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884 (8) Finished request Waking up in 1.8 seconds. (9) Received Access-Request Id 43 from 128.186.255.238:42749 to 128.186.255.220:1814 length 268 (9) User-Name = "dw10j" (9) NAS-IP-Address = 128.186.255.200 (9) NAS-Port = 0 (9) NAS-Identifier = "128.186.255.238" (9) NAS-Port-Type = Wireless-802.11 (9) Calling-Station-Id = "B8E856A8659B" (9) Called-Station-Id = "001A1E0083D8" (9) Service-Type = Framed-User (9) Framed-MTU = 1100 (9) EAP-Message = 0x020a002b1900170301002086df2a56026c1d4d64621307316b04234d9a15d5fdab11424c3 edfb9f41f5e7c (9) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884 (9) Aruba-Essid-Name = "FSUCorex" (9) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu" (9) Aruba-AP-Group = "Shaw" (9) Aruba-Device-Type = "iPhone" (9) Message-Authenticator = 0x6329c315d037919dc588d0b2ead70f15 (9) Restoring &session-state (9) &session-state:User-Name += "dw10j" (9) &session-state:Service-Type += Framed-User (9) &session-state:Tunnel-Medium-Type += IEEE-802 (9) &session-state:Tunnel-Type += VLAN (9) &session-state:My-Local-employeeStatus += "Active" (9) &session-state:Tunnel-Private-Group-Id += "employee3a" (9) &session-state:My-Local-ntPassword += "ACC1E2ED4455527965628BF7A008B062" (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (9) authorize { (9) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (9) EXPAND %{request:User-Name} (9) --> dw10j (9) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (9) EXPAND %{request:User-Name} (9) --> dw10j (9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (9) ntdomain: Checking for prefix before "\" (9) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (9) [ntdomain] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (9) suffix: Found realm "NULL" (9) suffix: Adding Stripped-User-Name = "dw10j" (9) suffix: Adding Realm = "NULL" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 43 (9) fsu-eap: Continuing tunnel setup (9) [fsu-eap] = ok (9) } # authorize = ok (9) Found Auth-Type = fsu-eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (9) Auth-Type fsu-eap { (9) fsu-eap: Expiring EAP session with state 0x860fee2e8e05f726 (9) fsu-eap: Finished EAP session with state 0x860fee2e8e05f726 (9) fsu-eap: Previous EAP request found for state 0x860fee2e8e05f726, released from the list (9) fsu-eap: Peer sent packet with method EAP PEAP (25) (9) fsu-eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: Using saved attributes from the original Access-Accept (9) eap_peap: User-Name := "dw10j" (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Tunnel-Medium-Type = IEEE-802 (9) eap_peap: Tunnel-Type = VLAN (9) eap_peap: My-Local-employeeStatus = "Active" (9) eap_peap: Tunnel-Private-Group-Id = "employee3a" (9) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062" (9) eap_peap: Cached-Session-Policy += "Framed-User" (9) eap_peap: Cached-Session-Policy += "IEEE-802" (9) eap_peap: Cached-Session-Policy += "VLAN" (9) eap_peap: Cached-Session-Policy += "Active" (9) eap_peap: Cached-Session-Policy += "employee3a" (9) eap_peap: caching User-Name := "dw10j" (9) eap_peap: caching Stripped-User-Name = "dw10j" (9) eap_peap: caching Cached-Session-Policy += "Framed-User" (9) eap_peap: caching Cached-Session-Policy += "IEEE-802" (9) eap_peap: caching Cached-Session-Policy += "VLAN" (9) eap_peap: caching Cached-Session-Policy += "Active" (9) eap_peap: caching Cached-Session-Policy += "employee3a" (9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (9) fsu-eap: Sending EAP Success (code 3) ID 10 length 4 (9) fsu-eap: Freeing handler (9) [fsu-eap] = ok (9) } # Auth-Type fsu-eap = ok (9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (9) post-auth { (9) if ( session-state: ) { (9) if ( session-state: ) -> TRUE (9) if ( session-state: ) { (9) update { (9) &reply::User-Name += &session-state:User-Name[*] -> 'dw10j' (9) &reply::Service-Type += &session-state:Service-Type[*] -> Framed-User (9) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802 (9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN (9) &reply::My-Local-employeeStatus += &session-state:My-Local-employeeStatus[*] -> 'Active' (9) &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> 'employee3a' (9) &reply::My-Local-ntPassword += &session-state:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062' (9) } # update = noop (9) } # if ( session-state: ) = noop (9) ... skipping else for request 9: Preceding "if" was taken (9) } # post-auth = noop (9) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus} (9) --> FSUCorex wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone (9) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B) FSUCorex wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone (9) Sent Access-Accept Id 43 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (9) User-Name := "dw10j" (9) Service-Type = Framed-User (9) Tunnel-Medium-Type = IEEE-802 (9) Tunnel-Type = VLAN (9) Tunnel-Private-Group-Id = "employee3a" (9) MS-MPPE-Recv-Key = 0xa5f4fcb1629a45eac5bd6b0f3679985c288a81021062c7a903807ebfb65d2d9f (9) MS-MPPE-Send-Key = 0xee4e988ac836c3cd0df97edf5aa006c77b98328e12e93f325f36c1ef3957f500 (9) EAP-Message = 0x030a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name += "dw10j" (9) Service-Type += Framed-User (9) Tunnel-Medium-Type += IEEE-802 (9) Tunnel-Type += VLAN (9) Tunnel-Private-Group-Id += "employee3a" (9) Finished request Waking up in 1.8 seconds. (0) Cleaning up request packet ID 34 with timestamp +18 (1) Cleaning up request packet ID 35 with timestamp +18 (2) Cleaning up request packet ID 36 with timestamp +18 (3) Cleaning up request packet ID 37 with timestamp +19 (4) Cleaning up request packet ID 38 with timestamp +19 (5) Cleaning up request packet ID 39 with timestamp +19 (6) Cleaning up request packet ID 40 with timestamp +19 (7) Cleaning up request packet ID 41 with timestamp +19 (8) Cleaning up request packet ID 42 with timestamp +19 (9) Cleaning up request packet ID 43 with timestamp +19 Ready to process requests (10) Received Access-Request Id 44 from 128.186.255.238:42749 to 128.186.255.220:1814 length 218 (10) User-Name = "dw10j" (10) NAS-IP-Address = 128.186.255.200 (10) NAS-Port = 0 (10) NAS-Identifier = "128.186.255.238" (10) NAS-Port-Type = Wireless-802.11 (10) Calling-Station-Id = "B8E856A8659B" (10) Called-Station-Id = "001A1E0083D8" (10) Service-Type = Framed-User (10) Framed-MTU = 1100 (10) EAP-Message = 0x0201000a01647731306a (10) Aruba-Essid-Name = "FSUCorex" (10) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu" (10) Aruba-AP-Group = "Shaw" (10) Aruba-Device-Type = "iPhone" (10) Message-Authenticator = 0xf08aac88e0af79de1be8bebee816ab7f (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (10) authorize { (10) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (10) EXPAND %{request:User-Name} (10) --> dw10j (10) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (10) EXPAND %{request:User-Name} (10) --> dw10j (10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (10) [ntdomain] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (10) suffix: Found realm "NULL" (10) suffix: Adding Stripped-User-Name = "dw10j" (10) suffix: Adding Realm = "NULL" (10) suffix: Authentication realm is LOCAL (10) [suffix] = ok (10) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10 (10) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [fsu-eap] = ok (10) } # authorize = ok (10) Found Auth-Type = fsu-eap (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (10) Auth-Type fsu-eap { (10) fsu-eap: Peer sent packet with method EAP Identity (1) (10) fsu-eap: Calling submodule eap_peap to process data (10) eap_peap: Initiating new EAP-TLS session (10) eap_peap: [eaptls start] = request (10) fsu-eap: Sending EAP Request (code 1) ID 2 length 6 (10) fsu-eap: EAP session adding &reply:State = 0xc30d1631c30f0f80 (10) [fsu-eap] = handled (10) } # Auth-Type fsu-eap = handled (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (10) Sent Access-Challenge Id 44 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (10) EAP-Message = 0x010200061920 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xc30d1631c30f0f80b3424d0b1e3d666b (10) Finished request Waking up in 1.9 seconds. (11) Received Access-Request Id 45 from 128.186.255.238:42749 to 128.186.255.220:1814 length 389 (11) User-Name = "dw10j" (11) NAS-IP-Address = 128.186.255.200 (11) NAS-Port = 0 (11) NAS-Identifier = "128.186.255.238" (11) NAS-Port-Type = Wireless-802.11 (11) Calling-Station-Id = "B8E856A8659B" (11) Called-Station-Id = "001A1E0083D8" (11) Service-Type = Framed-User (11) Framed-MTU = 1100 (11) EAP-Message = 0x020200a3198000000099160301009401000090030157a39502c59a38ab42d28fa5c8b5861 fdcbe1af0ccc1e17f9675b4a1ef41e00020d312f4c83df5f5b153ebd94b01549795be582dcb fe421e961aa038b062699143002800ffc024c023c00ac009c008c028c027c014c013c012003 d003c0035002f00 (11) State = 0xc30d1631c30f0f80b3424d0b1e3d666b (11) Aruba-Essid-Name = "FSUCorex" (11) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu" (11) Aruba-AP-Group = "Shaw" (11) Aruba-Device-Type = "iPhone" (11) Message-Authenticator = 0x4d3755f8101bb6b8f55764f42c817b4f (11) session-state: No cached attributes (11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (11) authorize { (11) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (11) EXPAND %{request:User-Name} (11) --> dw10j (11) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (11) EXPAND %{request:User-Name} (11) --> dw10j (11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (11) ntdomain: Checking for prefix before "\" (11) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (11) [ntdomain] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (11) suffix: Found realm "NULL" (11) suffix: Adding Stripped-User-Name = "dw10j" (11) suffix: Adding Realm = "NULL" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 163 (11) fsu-eap: Continuing tunnel setup (11) [fsu-eap] = ok (11) } # authorize = ok (11) Found Auth-Type = fsu-eap (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (11) Auth-Type fsu-eap { (11) fsu-eap: Expiring EAP session with state 0xc30d1631c30f0f80 (11) fsu-eap: Finished EAP session with state 0xc30d1631c30f0f80 (11) fsu-eap: Previous EAP request found for state 0xc30d1631c30f0f80, released from the list (11) fsu-eap: Peer sent packet with method EAP PEAP (25) (11) fsu-eap: Calling submodule eap_peap to process data (11) eap_peap: Continuing EAP-TLS (11) eap_peap: Peer indicated complete TLS record size will be 153 bytes (11) eap_peap: Got complete TLS record (153 bytes) (11) eap_peap: [eaptls verify] = length included (11) eap_peap: (other): before/accept initialization (11) eap_peap: TLS_accept: before/accept initialization (11) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello (11) eap_peap: TLS_accept: SSLv3 read client hello A (11) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello (11) eap_peap: TLS_accept: SSLv3 write server hello A (11) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (11) eap_peap: TLS_accept: SSLv3 write change cipher spec A (11) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (11) eap_peap: TLS_accept: SSLv3 write finished A (11) eap_peap: TLS_accept: SSLv3 flush data (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A (11) eap_peap: In SSL Handshake Phase (11) eap_peap: In SSL Accept mode (11) eap_peap: [eaptls process] = handled (11) fsu-eap: Sending EAP Request (code 1) ID 3 length 159 (11) fsu-eap: EAP session adding &reply:State = 0xc30d1631c20e0f80 (11) [fsu-eap] = handled (11) } # Auth-Type fsu-eap = handled (11) Using Post-Auth-Type Challenge (11) Post-Auth-Type sub-section not found. Ignoring. (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (11) Sent Access-Challenge Id 45 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (11) EAP-Message = 0x0103009f1900160301005902000055030129bbd8008ef3e12c96959f1bcddc130398122f5 f2b02f6b72aaaff3583113a4820d312f4c83df5f5b153ebd94b01549795be582dcbfe421e96 1aa038b062699143c01400000dff01000100000b00040300010214030100010116030100307 238d01320b761c4 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xc30d1631c20e0f80b3424d0b1e3d666b (11) Finished request Waking up in 1.9 seconds. (12) Received Access-Request Id 46 from 128.186.255.238:42749 to 128.186.255.220:1814 length 295 (12) User-Name = "dw10j" (12) NAS-IP-Address = 128.186.255.200 (12) NAS-Port = 0 (12) NAS-Identifier = "128.186.255.238" (12) NAS-Port-Type = Wireless-802.11 (12) Calling-Station-Id = "B8E856A8659B" (12) Called-Station-Id = "001A1E0083D8" (12) Service-Type = Framed-User (12) Framed-MTU = 1100 (12) EAP-Message = 0x0203004519800000003b140301000101160301003078e68035b28baddc37a4ae1ad3fcbac 78d41648d3e1b500df0e77a08857d914def1313c303457658d9ddfbe32b37eca9 (12) State = 0xc30d1631c20e0f80b3424d0b1e3d666b (12) Aruba-Essid-Name = "FSUCorex" (12) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu" (12) Aruba-AP-Group = "Shaw" (12) Aruba-Device-Type = "iPhone" (12) Message-Authenticator = 0xd9f5fa6fcd2d1e9ca612adc0a40aafae (12) session-state: No cached attributes (12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (12) authorize { (12) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (12) EXPAND %{request:User-Name} (12) --> dw10j (12) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (12) EXPAND %{request:User-Name} (12) --> dw10j (12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (12) ntdomain: Checking for prefix before "\" (12) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (12) [ntdomain] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (12) suffix: Found realm "NULL" (12) suffix: Adding Stripped-User-Name = "dw10j" (12) suffix: Adding Realm = "NULL" (12) suffix: Authentication realm is LOCAL (12) [suffix] = ok (12) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 69 (12) fsu-eap: Continuing tunnel setup (12) [fsu-eap] = ok (12) } # authorize = ok (12) Found Auth-Type = fsu-eap (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (12) Auth-Type fsu-eap { (12) fsu-eap: Expiring EAP session with state 0xc30d1631c20e0f80 (12) fsu-eap: Finished EAP session with state 0xc30d1631c20e0f80 (12) fsu-eap: Previous EAP request found for state 0xc30d1631c20e0f80, released from the list (12) fsu-eap: Peer sent packet with method EAP PEAP (25) (12) fsu-eap: Calling submodule eap_peap to process data (12) eap_peap: Continuing EAP-TLS (12) eap_peap: Peer indicated complete TLS record size will be 59 bytes (12) eap_peap: Got complete TLS record (59 bytes) (12) eap_peap: [eaptls verify] = length included (12) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (12) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (12) eap_peap: TLS_accept: SSLv3 read finished A (12) eap_peap: (other): SSL negotiation finished successfully (12) eap_peap: SSL Connection Established (12) eap_peap: SSL Application Data (12) eap_peap: Adding cached attributes from session d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143 (12) eap_peap: reply:User-Name := "dw10j" (12) eap_peap: reply:Stripped-User-Name = "dw10j" (12) eap_peap: reply:Cached-Session-Policy += "Framed-User" (12) eap_peap: reply:Cached-Session-Policy += "IEEE-802" (12) eap_peap: reply:Cached-Session-Policy += "VLAN" (12) eap_peap: reply:Cached-Session-Policy += "Active" (12) eap_peap: reply:Cached-Session-Policy += "employee3a" (12) eap_peap: [eaptls process] = success (12) eap_peap: Session established. Decoding tunneled attributes (12) eap_peap: PEAP state TUNNEL ESTABLISHED (12) eap_peap: Skipping Phase2 because of session resumption (12) eap_peap: SUCCESS (12) fsu-eap: Sending EAP Request (code 1) ID 4 length 43 (12) fsu-eap: EAP session adding &reply:State = 0xc30d1631c1090f80 (12) [fsu-eap] = handled (12) } # Auth-Type fsu-eap = handled (12) Using Post-Auth-Type Challenge (12) Post-Auth-Type sub-section not found. Ignoring. (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (12) Sent Access-Challenge Id 46 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (12) User-Name := "dw10j" (12) EAP-Message = 0x0104002b19001703010020cbea953c76c41ac5cfe03c22a45b0f054910572036b7e27adae 89ef58f4ae2fc (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0xc30d1631c1090f80b3424d0b1e3d666b (12) Finished request Waking up in 1.9 seconds. (13) Received Access-Request Id 47 from 128.186.255.238:42749 to 128.186.255.220:1814 length 269 (13) User-Name = "dw10j" (13) NAS-IP-Address = 128.186.255.200 (13) NAS-Port = 0 (13) NAS-Identifier = "128.186.255.238" (13) NAS-Port-Type = Wireless-802.11 (13) Calling-Station-Id = "B8E856A8659B" (13) Called-Station-Id = "001A1E0083D8" (13) Service-Type = Framed-User (13) Framed-MTU = 1100 (13) EAP-Message = 0x0204002b19001703010020a351cf90095e7f532aa2a78ecca7a5846b67b9da57246ba6392 7838b473545ed (13) State = 0xc30d1631c1090f80b3424d0b1e3d666b (13) Aruba-Essid-Name = "FSUCorex" (13) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu" (13) Aruba-AP-Group = "Shaw" (13) Aruba-Device-Type = "iPhone" (13) Message-Authenticator = 0x26247fed677e752473789854799c9ac0 (13) session-state: No cached attributes (13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (13) authorize { (13) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) { (13) EXPAND %{request:User-Name} (13) --> dw10j (13) if (( "%{request:User-Name}" =~ /^host\//i ) && ( "%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE (13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) { (13) EXPAND %{request:User-Name} (13) --> dw10j (13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && ( "%{request:User-Name}" !~ /^med\\/i )) -> FALSE (13) ntdomain: Checking for prefix before "\" (13) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config. (13) [ntdomain] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "dw10j", looking up realm NULL (13) suffix: Found realm "NULL" (13) suffix: Adding Stripped-User-Name = "dw10j" (13) suffix: Adding Realm = "NULL" (13) suffix: Authentication realm is LOCAL (13) [suffix] = ok (13) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 43 (13) fsu-eap: Continuing tunnel setup (13) [fsu-eap] = ok (13) } # authorize = ok (13) Found Auth-Type = fsu-eap (13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (13) Auth-Type fsu-eap { (13) fsu-eap: Expiring EAP session with state 0xc30d1631c1090f80 (13) fsu-eap: Finished EAP session with state 0xc30d1631c1090f80 (13) fsu-eap: Previous EAP request found for state 0xc30d1631c1090f80, released from the list (13) fsu-eap: Peer sent packet with method EAP PEAP (25) (13) fsu-eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: [eaptls verify] = ok (13) eap_peap: Done initial handshake (13) eap_peap: [eaptls process] = ok (13) eap_peap: Session established. Decoding tunneled attributes (13) eap_peap: PEAP state send tlv success (13) eap_peap: Received EAP-TLV response (13) eap_peap: Success (13) eap_peap: No saved attributes in the original Access-Accept (13) fsu-eap: Sending EAP Success (code 3) ID 4 length 4 (13) fsu-eap: Freeing handler (13) [fsu-eap] = ok (13) } # Auth-Type fsu-eap = ok (13) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1814 (13) post-auth { (13) if ( session-state: ) { (13) if ( session-state: ) -> FALSE (13) else { (13) update reply { (13) EXPAND %{reply:User-Name} (13) --> (13) &User-Name := (13) &Reply-Message += "This is from outer-post-auth" (13) EXPAND %{reply:Cached-Session-Policy[0]} (13) --> (13) &Service-Type := 0 (13) EXPAND %{reply:Cached-Session-Policy[1]} (13) --> (13) &Tunnel-Medium-Type := 0 (13) EXPAND %{reply:Cached-Session-Policy[2]} (13) --> (13) &Tunnel-Type := 0 (13) EXPAND %{reply:Cached-Session-Policy[3]} (13) --> (13) &My-Local-employeeStatus := (13) EXPAND %{reply:Cached-Session-Policy[4]} (13) --> (13) &Tunnel-Private-Group-ID := (13) } # update reply = noop (13) } # else = noop (13) } # post-auth = noop (13) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus} (13) --> FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone (13) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B) FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone (13) Sent Access-Accept Id 47 from 128.186.255.220:1814 to 128.186.255.238:42749 length 0 (13) MS-MPPE-Recv-Key = 0xd4642af1af234bbe423648b840dd1159c886031d2b8a3815366c6f99cc8328ab (13) MS-MPPE-Send-Key = 0x92ae704edf421546f722959cde45b4adc7098784763b3c331a164a5170a823a5 (13) EAP-Message = 0x03040004 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) User-Name := "" (13) Reply-Message += "This is from outer-post-auth" (13) Service-Type := 0 (13) Tunnel-Medium-Type := 0 (13) Tunnel-Type := 0 (13) Tunnel-Private-Group-Id := "" (13) Finished request Waking up in 1.9 seconds. (10) Cleaning up request packet ID 44 with timestamp +45 (11) Cleaning up request packet ID 45 with timestamp +45 (12) Cleaning up request packet ID 46 with timestamp +45 (13) Cleaning up request packet ID 47 with timestamp +45
Wussler, Doug <doug.wussler@fsu.edu> wrote:
But now I am trying to add TLS Session Cache, which looks like an under-appreciated and very cool capability.
I jotted some notes on how we got it working here. Not quite sure if there have been tweaks since then, but give this a whir: http://lists.freeradius.org/pipermail/freeradius-users/2016-January/081595.h...
participants (2)
-
Brian Julin -
Wussler, Doug