Re: Queue Statistics always showing 0
Hi Alan, Is that mean Freeradius will show 0 in the Queue Statistics in both cases: Full / Empty? this is what we are getting now. Is there another way to check if the Queue full rather than checking the logs? Thanks On Mon, Jan 23, 2023 at 6:39 PM < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Queue Statistics always showing 0 (Alan DeKok) 2. FR 3.0.26 and TLS 1.3 (Chris Howley) 3. Freeradius-server-3.0.25 docking mariadb error (=?gb18030?B?zfjC58qxtPo=?=) 4. Freeradius Google Secure LDAP EAP-GTC issues (Henning Kessler)
----------------------------------------------------------------------
Message: 1 Date: Mon, 23 Jan 2023 08:46:56 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Queue Statistics always showing 0 Message-ID: <4F2136FC-DB9C-418B-995D-2C499FF7BD82@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Jan 23, 2023, at 3:24 AM, Ashraf Al-Basti <albasti@gmail.com> wrote:
I'm trying to get Freeradius statistics but I can see that the Queue statistics are always 0.
That's a side effect of moving to the faster atomic queues. It''s more difficult to get accurate stats for the queue length.
Plus, the queue starts are generally meaningless. Either everything is OK, and the queue length is zero, or things are going wrong, and the queue is full.
There is very very few situations where the queue are partially full.
Alan DeKok.
------------------------------
Message: 2 Date: Mon, 23 Jan 2023 14:18:56 +0000 From: Chris Howley <C.P.Howley@leeds.ac.uk> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: FR 3.0.26 and TLS 1.3 Message-ID: < AS4PR03MB823284ABA3422F7FBDAB898E8EC89@AS4PR03MB8232.eurprd03.prod.outlook.com
Content-Type: text/plain; charset="iso-8859-1"
Hello Support team,
I recently download the FR packages from your CentOS 7 repository, and I noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below). Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please excuse my ignorance if I've asked a stupid question.
Thanks,
Chris Howley
Mon Jan 23 13:50:17 2023 : Debug: Server was built with: Mon Jan 23 13:50:17 2023 : Debug: accounting : yes Mon Jan 23 13:50:17 2023 : Debug: authentication : yes Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes Mon Jan 23 13:50:17 2023 : Debug: coa : yes Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes Mon Jan 23 13:50:17 2023 : Debug: detail : yes Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no Mon Jan 23 13:50:17 2023 : Debug: proxy : yes Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no Mon Jan 23 13:50:17 2023 : Debug: session-management : yes Mon Jan 23 13:50:17 2023 : Debug: stats : yes Mon Jan 23 13:50:17 2023 : Debug: systemd : yes Mon Jan 23 13:50:17 2023 : Debug: tcp : yes Mon Jan 23 13:50:17 2023 : Debug: threads : yes Mon Jan 23 13:50:17 2023 : Debug: tls : yes Mon Jan 23 13:50:17 2023 : Debug: unlang : yes Mon Jan 23 13:50:17 2023 : Debug: vmps : yes Mon Jan 23 13:50:17 2023 : Debug: developer : no Mon Jan 23 13:50:17 2023 : Debug: Server core libs: Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26 Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.* Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k release Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32 2012-11-30 Mon Jan 23 13:50:17 2023 : Debug: Endianness: Mon Jan 23 13:50:17 2023 : Debug: little Mon Jan 23 13:50:17 2023 : Debug: Compilation flags: Mon Jan 23 13:50:17 2023 : Debug: cppflags : Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h -include src/freeradius-devel/featur es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=s sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1 Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc -lpcre -lnsl -lresolv -ldl -lpthread -lreadline Mon Jan 23 13:50:17 2023 : Debug: Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
------------------------------
Message: 3 Date: Mon, 23 Jan 2023 22:29:20 +0800 From: "=?gb18030?B?zfjC58qxtPo=?=" <1511815642@qq.com> To: "=?gb18030?B?ZnJlZXJhZGl1cy11c2Vycw==?=" <freeradius-users@lists.freeradius.org> Subject: Freeradius-server-3.0.25 docking mariadb error Message-ID: <tencent_7F1BF56F0ABA0721320788A7754655CCA108@qq.com> Content-Type: text/plain; charset="gb18030"
Hello, ezhangiso@ezhangiso-virtual-machine:/$ docker exec -it radius-test /bin/bash root@4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql root@4ff809b932fe:/# chown -R freerad:freerad /etc/freeradius/mods-enabled/sql root@4ff809b932fe:/# vi etc/freeradius/mods-available/sql root@4ff809b932fe:/# vi /etc/freeradius/sites-available/default root@4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel root@4ff809b932fe:/# vi radiusd.conf root@4ff809b932fe:/# vi /etc/freeradius/radiusd.conf root@4ff809b932fe:/# cat etc/freeradius/mods-available/sql
dialect = "mysql" driver = "rlm_sql_mysql" sqlite { filename = "/tmp/freeradius.db" busy_timeout = 200 bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql" }
mysql {
tls_required = no tls_check_cert = no tls_check_cert_cn = no } warnings = auto }
postgresql {
send_application_name = yes }
# mongo { appname = "freeradius"
tls { certificate_file = /path/to/file certificate_password = "password" ca_file = /path/to/file ca_dir = /path/to/directory crl_file = /path/to/file weak_cert_validation = false allow_invalid_hostname = false
server = "10.0.8.31" port = 3306 login = "radius" password = "radius"
radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" groupcheck_table = "radgroupcheck" authreply_table = "radreply" groupreply_table = "radgroupreply" usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 client_table = "nas" group_attribute = "SQL-Group" $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } root@4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true max_request_time = 30 cleanup_delay = 5 hostname_lookups = no log { destination = files colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad ENV { }
security { user = freerad group = freerad allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes }
proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 modules { $INCLUDE mods-enabled/sql
$INCLUDE mods-enabled/ }
policy { $INCLUDE policy.d/ }
$INCLUDE sites-enabled/
root@4ff809b932fe:/# apt install mariadb-client
root@4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius Enter password: Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 3 Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [radius]> show tables; +------------------+ | Tables_in_radius | +------------------+ | nas | | radacct | | radcheck | | radgroupcheck | | radgroupreply | | radpostauth | | radreply | | radusergroup | +------------------+ 8 rows in set (0.00 sec)
MariaDB [radius]> exit Bye root@4ff809b932fe:/# exit exit ezhangiso@ezhangiso-virtual-machine:/$ docker commit radius-test radius-mariadb sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b ezhangiso@ezhangiso-virtual-machine:/$ docker stop radius-test radius-test ezhangiso@ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t -p1812-1813:1812-1813/udp radius-mariadb -X FreeRADIUS Version 3.0.25 Copyright (C) 1999-2021 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/mods-enabled/sql /etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found Errors reading or parsing /etc/freeradius/radiusd.conf ezhangiso@ezhangiso-virtual-machine:/$
Can anyone shed some light on this and point me in the right direction what else should I do?
------------------------------
Message: 4 Date: Mon, 23 Jan 2023 15:38:42 +0100 From: Henning Kessler <maillist@henningkessler.de> To: freeradius-users@lists.freeradius.org Subject: Freeradius Google Secure LDAP EAP-GTC issues Message-ID: <54ECCD6B-D2B4-4F67-9E5A-89EB44B2EBE3@henningkessler.de> Content-Type: text/plain; charset=utf-8
Hello,
I followed this tutorial ( https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working.
This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well.
Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an ?Access-Accept? to the clients but shortly after the client starts another Access-Request an that fails with:
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler
Any idea what is happening here?
Here the full output of a test with freeradius -X
Ready to process requests (0) Received Access-Request Id 18 from 10.100.2.39:54686 to 10.100.1.65:1812 length 253 (0) User-Name = "klaus.mustermann" (0) NAS-IP-Address = 10.100.2.39 (0) NAS-Identifier = "8283c219e7f9" (0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "690B866461ACEC60" (0) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (0) Mobility-Domain-Id = 46476 (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027075 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e (0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 103 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 104 length 6 (0) eap: EAP session adding &reply:State = 0x33754777331d52c5 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686 length 64 (0) EAP-Message = 0x016800061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x33754777331d52c5d9592c39c6f43193 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 19 from 10.100.2.39:54686 to 10.100.1.65:1812 length 411 (1) User-Name = "klaus.mustermann" (1) NAS-IP-Address = 10.100.2.39 (1) NAS-Identifier = "8283c219e7f9" (1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "690B866461ACEC60" (1) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (1) Mobility-Domain-Id = 46476 (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027075 (1) Framed-MTU = 1400 (1) EAP-Message = 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (1) State = 0x33754777331d52c5d9592c39c6f43193 (1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 104 length 161 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x33754777331d52c5 (1) eap: Finished EAP session with state 0x33754777331d52c5 (1) eap: Previous EAP request found for state 0x33754777331d52c5, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes (1) eap_ttls: (TLS) EAP Got all data (151 bytes) (1) eap_ttls: (TLS) Handshake state - before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_ttls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 105 length 1004 (1) eap: EAP session adding &reply:State = 0x33754777321c52c5 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (1) EAP-Message = 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x33754777321c52c5d9592c39c6f43193 (1) Finished request Waking up in 4.8 seconds. (2) Received Access-Request Id 20 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (2) User-Name = "klaus.mustermann" (2) NAS-IP-Address = 10.100.2.39 (2) NAS-Identifier = "8283c219e7f9" (2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "690B866461ACEC60" (2) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (2) Mobility-Domain-Id = 46476 (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027075 (2) Framed-MTU = 1400 (2) EAP-Message = 0x026900061500 (2) State = 0x33754777321c52c5d9592c39c6f43193 (2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 105 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x33754777321c52c5 (2) eap: Finished EAP session with state 0x33754777321c52c5 (2) eap: Previous EAP request found for state 0x33754777321c52c5, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 106 length 1004 (2) eap: EAP session adding &reply:State = 0x33754777311f52c5 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (2) EAP-Message = 0x016a03ec15c000001151634a5ca32fca591c963a10e1e4fc909ecc4cf2f3259d2cc70fde28bea17fe514687c8e2ceb902a9d47fde53d01733845bba3e9d6a95f90195118e26a7a98ef957393cd519e06e02ec652ceb9fef0ef8e67a1dc250203010001a382011730820113300c0603551d130101ff04023000301d0603551d0e041604140d3fc210b4abae8368f6656c2f4182ded3cba973301f0603551d23041830168014bb50e659b6554824eb10703f59de33b5ab10d343300e0603551d0f0101ff0404030203e830130603551d25040c300a06082b0601050507030130260603551d11041f301d821b6265723072616430342e696e742e62756464796272616e642e646530430603551d1f0101ff043930373035a033a031862f687474703a2f2f63726c2e62756464796272616e642e64653a383038302f696e746572636130345f63726c2e70656d301106096086480186f8420101040403020640301e06096086480186f842010d0411160f7863612063657274 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x33754777311f52c5d9592c39c6f43193 (2) Finished request Waking up in 4.8 seconds. (3) Received Access-Request Id 21 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (3) User-Name = "klaus.mustermann" (3) NAS-IP-Address = 10.100.2.39 (3) NAS-Identifier = "8283c219e7f9" (3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "690B866461ACEC60" (3) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (3) Mobility-Domain-Id = 46476 (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027075 (3) Framed-MTU = 1400 (3) EAP-Message = 0x026a00061500 (3) State = 0x33754777311f52c5d9592c39c6f43193 (3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 106 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x33754777311f52c5 (3) eap: Finished EAP session with state 0x33754777311f52c5 (3) eap: Previous EAP request found for state 0x33754777311f52c5, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 107 length 1004 (3) eap: EAP session adding &reply:State = 0x33754777301e52c5 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (3) EAP-Message = 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x33754777301e52c5d9592c39c6f43193 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 22 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (4) User-Name = "klaus.mustermann" (4) NAS-IP-Address = 10.100.2.39 (4) NAS-Identifier = "8283c219e7f9" (4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) Acct-Session-Id = "690B866461ACEC60" (4) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (4) Mobility-Domain-Id = 46476 (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027075 (4) Framed-MTU = 1400 (4) EAP-Message = 0x026b00061500 (4) State = 0x33754777301e52c5d9592c39c6f43193 (4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 107 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x33754777301e52c5 (4) eap: Finished EAP session with state 0x33754777301e52c5 (4) eap: Previous EAP request found for state 0x33754777301e52c5, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 108 length 1004 (4) eap: EAP session adding &reply:State = 0x33754777371952c5 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (4) EAP-Message = 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x33754777371952c5d9592c39c6f43193 (4) Finished request Waking up in 4.7 seconds. (5) Received Access-Request Id 23 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (5) User-Name = "klaus.mustermann" (5) NAS-IP-Address = 10.100.2.39 (5) NAS-Identifier = "8283c219e7f9" (5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "690B866461ACEC60" (5) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (5) Mobility-Domain-Id = 46476 (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027075 (5) Framed-MTU = 1400 (5) EAP-Message = 0x026c00061500 (5) State = 0x33754777371952c5d9592c39c6f43193 (5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 108 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x33754777371952c5 (5) eap: Finished EAP session with state 0x33754777371952c5 (5) eap: Previous EAP request found for state 0x33754777371952c5, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 109 length 467 (5) eap: EAP session adding &reply:State = 0x33754777361852c5 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686 length 527 (5) EAP-Message = 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x33754777361852c5d9592c39c6f43193 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 24 from 10.100.2.39:54686 to 10.100.1.65:1812 length 386 (6) User-Name = "klaus.mustermann" (6) NAS-IP-Address = 10.100.2.39 (6) NAS-Identifier = "8283c219e7f9" (6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) Acct-Session-Id = "690B866461ACEC60" (6) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (6) Mobility-Domain-Id = 46476 (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027075 (6) Framed-MTU = 1400 (6) EAP-Message = 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de (6) State = 0x33754777361852c5d9592c39c6f43193 (6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 109 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x33754777361852c5 (6) eap: Finished EAP session with state 0x33754777361852c5 (6) eap: Previous EAP request found for state 0x33754777361852c5, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_ttls: (TLS) EAP Got all data (126 bytes) (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (6) eap_ttls: (TLS) Connection Established (6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_ttls: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 110 length 61 (6) eap: EAP session adding &reply:State = 0x33754777351b52c5 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686 length 119 (6) EAP-Message = 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x33754777351b52c5d9592c39c6f43193 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 25 from 10.100.2.39:54686 to 10.100.1.65:1812 length 321 (7) User-Name = "klaus.mustermann" (7) NAS-IP-Address = 10.100.2.39 (7) NAS-Identifier = "8283c219e7f9" (7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "690B866461ACEC60" (7) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (7) Mobility-Domain-Id = 46476 (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027075 (7) Framed-MTU = 1400 (7) EAP-Message = 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3 (7) State = 0x33754777351b52c5d9592c39c6f43193 (7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 110 length 71 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x33754777351b52c5 (7) eap: Finished EAP session with state 0x33754777351b52c5 (7) eap: Previous EAP request found for state 0x33754777351b52c5, released from the list (7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61 bytes (7) eap_ttls: (TLS) EAP Got all data (61 bytes) (7) eap_ttls: Session established. Proceeding to decode tunneled attributes (7) eap_ttls: Got tunneled request (7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_ttls: Got tunneled identity of klaus.mustermann (7) eap_ttls: Setting default EAP type for tunneled EAP session (7) eap_ttls: Sending tunneled request (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "klaus.mustermann" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 0 length 21 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_gtc to process data (7) eap_gtc: EXPAND Password: (7) eap_gtc: --> Password: (7) eap: Sending EAP Request (code 1) ID 1 length 15 (7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0101000f0650617373776f72643a20 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb4a2b867b4a3bebfd5edaac839855c28 (7) eap_ttls: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 111 length 63 (7) eap: EAP session adding &reply:State = 0x33754777341a52c5 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686 length 121 (7) EAP-Message = 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x33754777341a52c5d9592c39c6f43193 (7) Finished request Waking up in 4.6 seconds. (8) Received Access-Request Id 26 from 10.100.2.39:54686 to 10.100.1.65:1812 length 317 (8) User-Name = "klaus.mustermann" (8) NAS-IP-Address = 10.100.2.39 (8) NAS-Identifier = "8283c219e7f9" (8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "690B866461ACEC60" (8) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (8) Mobility-Domain-Id = 46476 (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027075 (8) Framed-MTU = 1400 (8) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (8) State = 0x33754777341a52c5d9592c39c6f43193 (8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 111 length 67 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf (8) eap: Finished EAP session with state 0x33754777341a52c5 (8) eap: Previous EAP request found for state 0x33754777341a52c5, released from the list (8) eap: Peer sent packet with method EAP TTLS (21) (8) eap: Calling submodule eap_ttls to process data (8) eap_ttls: Authenticate (8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes (8) eap_ttls: (TLS) EAP Got all data (57 bytes) (8) eap_ttls: Session established. Proceeding to decode tunneled attributes (8) eap_ttls: Got tunneled request (8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65 (8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_ttls: Sending tunneled request (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0201001306736167616e382e53697a61626c65 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "klaus.mustermann" (8) State = 0xb4a2b867b4a3bebfd5edaac839855c28 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 1 length 19 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (0) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=klaus.mustermann) (8) ldap: Performing search in "dc=pretendco,dc=de" with filter "(uid=klaus.mustermann)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) if (User-Password) { (8) if (User-Password) -> FALSE (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf (8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf (8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released from the list (8) eap: Peer sent packet with method EAP GTC (6) (8) eap: Calling submodule eap_gtc to process data (8) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) eap_gtc: Auth-Type PAP { rlm_ldap (ldap): Reserved connection (1) (8) ldap: Login attempt by "klaus.mustermann" (8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" (8) ldap: Waiting for bind result... (8) ldap: Bind successful (8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful rlm_ldap (ldap): Released connection (1) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful (8) eap_gtc: [ldap] = ok (8) eap_gtc: } # Auth-Type PAP = ok (8) eap: Sending EAP Success (code 3) ID 1 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x03010004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "klaus.mustermann" (8) eap_ttls: Got tunneled Access-Accept (8) eap: Sending EAP Success (code 3) ID 111 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (8) post-auth { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (8) update { (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (8) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (8) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (8) } # update = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686 length 184 (8) MS-MPPE-Recv-Key = 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62 (8) MS-MPPE-Send-Key = 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64 (8) EAP-Message = 0x036f0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "klaus.mustermann" (8) Framed-MTU += 994 (8) Finished request Waking up in 1.1 seconds. (9) Received Access-Request Id 26 from 10.100.2.39:38737 to 10.100.1.65:1812 length 317 (9) User-Name = "klaus.mustermann" (9) NAS-IP-Address = 10.100.2.39 (9) NAS-Identifier = "8283c219e7f9" (9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) Acct-Session-Id = "690B866461ACEC60" (9) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (9) Mobility-Domain-Id = 46476 (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027075 (9) Framed-MTU = 1400 (9) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (9) State = 0x33754777341a52c5d9592c39c6f43193 (9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 111 length 67 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> klaus.mustermann (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Received Access-Request Id 26 from 10.100.2.39:45497 to 10.100.1.65:1812 length 317 (10) User-Name = "klaus.mustermann" (10) NAS-IP-Address = 10.100.2.39 (10) NAS-Identifier = "8283c219e7f9" (10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (10) Connect-Info = "CONNECT 0Mbps 802.11b" (10) Acct-Session-Id = "690B866461ACEC60" (10) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (10) Mobility-Domain-Id = 46476 (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027075 (10) Framed-MTU = 1400 (10) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (10) State = 0x33754777341a52c5d9592c39c6f43193 (10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 111 length 67 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) authenticate { (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (10) eap: Failed in handler (10) [eap] = invalid (10) } # authenticate = invalid (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject: EXPAND %{User-Name} (10) attr_filter.access_reject: --> klaus.mustermann (10) attr_filter.access_reject: Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (10) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (10) [eap] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.2 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737 length 20 Waking up in 0.1 seconds. (0) Cleaning up request packet ID 18 with timestamp +35 due to cleanup_delay was reached Waking up in 0.1 seconds. (1) Cleaning up request packet ID 19 with timestamp +35 due to cleanup_delay was reached (2) Cleaning up request packet ID 20 with timestamp +35 due to cleanup_delay was reached (3) Cleaning up request packet ID 21 with timestamp +35 due to cleanup_delay was reached (4) Cleaning up request packet ID 22 with timestamp +35 due to cleanup_delay was reached (5) Cleaning up request packet ID 23 with timestamp +35 due to cleanup_delay was reached (6) Cleaning up request packet ID 24 with timestamp +35 due to cleanup_delay was reached (7) Cleaning up request packet ID 25 with timestamp +35 due to cleanup_delay was reached (10) Sending delayed response (10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497 length 20
Any Idea what I am doing wrong here?
Regards
Henning
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 213, Issue 21 *************************************************
-- Best regards, Ashraf Al-Basti
On Jan 25, 2023, at 1:00 AM, Ashraf Al-Basti <albasti@gmail.com> wrote:
Hi Alan, Is that mean Freeradius will show 0 in the Queue Statistics in both cases: Full / Empty? this is what we are getting now.
That is what I said.
Is there another way to check if the Queue full rather than checking the logs?
Unfortunately, no. Alan DeKok.
participants (2)
-
Alan DeKok -
Ashraf Al-Basti