Attribute NOT being returned in access-accept but is returned in Access-Challenge
Hi, I have a problem where Attribute MT-Recv-Limit is returned in Access-Challenge but not in Access-Accept. This is my setup. FR 3.0.8 I have configured following in the eap.conf file in the ttls section : copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" /etc/freeradius/sites-available/inner-tunnel. post-auth block, uncommented. update { &outer.session-state: += &reply: } update outer.session-state { MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY } I have a fixed radreply attribute Session-Timeout in the database. This is sent in the Access-Accept. MT-Recv-Limit is sent by a perl script <https://raw.githubusercontent.com/zhex900/radius-config/master/version.3/mods-config/perl/check_usage.pl>. This script add a new radreply $RAD_REPLY{'Mikrotik-Recv-Limit'}. This is called in the site-available/default authorize block. Mikrotik-Recv-Limit does appear in the Access-Challenge but not in the Access-Accept. Any ideas? Jake
On 25 Jun 2015, at 23:21, Jake He <jake.he@gmail.com> wrote:
Hi,
I have a problem where Attribute MT-Recv-Limit is returned in Access-Challenge but not in Access-Accept.
This is my setup. FR 3.0.8
I have configured following in the eap.conf file in the ttls section :
copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel"
/etc/freeradius/sites-available/inner-tunnel. post-auth block, uncommented.
update { &outer.session-state: += &reply: }
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}
I have a fixed radreply attribute Session-Timeout in the database. This is sent in the Access-Accept.
MT-Recv-Limit is sent by a perl script <https://raw.githubusercontent.com/zhex900/radius-config/master/version.3/mods-config/perl/check_usage.pl>. This script add a new radreply $RAD_REPLY{'Mikrotik-Recv-Limit'}. This is called in the site-available/default authorize block. Mikrotik-Recv-Limit does appear in the Access-Challenge but not in the Access-Accept.
Any ideas?
Not really, seeing as you've not provided the debug output... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Here is the debug output: Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Ready to process requests (0) Received Access-Request Id 241 from 203.59.132.253:38386 to 172.17.0.68:1812 length 222 (0) Service-Type = Framed-User (0) Framed-MTU = 1400 (0) User-Name = 'jake' (0) NAS-Port-Id = 'wlan4' (0) NAS-Port-Type = Wireless-802.11 (0) Acct-Session-Id = '82200019' (0) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (0) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (0) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (0) EAP-Message = 0x02000009016a616b65 (0) Message-Authenticator = 0x0942bb06979bc2c6859785baa97efea0 (0) NAS-Identifier = 'MikroTik' (0) NAS-IP-Address = 10.1.1.23 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "jake", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent code Response (2) ID 0 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent method Identity (1) (0) eap: Calling eap_md5 to process EAP data (0) eap_md5: Issuing MD5 Challenge (0) eap: EAP session adding &reply:State = 0x2ae8af442ae9ab52 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Sent Access-Challenge Id 241 from 172.17.0.68:1812 to 203.59.132.253:38386 length 0 (0) EAP-Message = 0x010100160410e9962633c394d82e8af727f23160824c (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x2ae8af442ae9ab526f505f86b4932430 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 242 from 203.59.132.253:44270 to 172.17.0.68:1812 length 237 (1) Service-Type = Framed-User (1) Framed-MTU = 1400 (1) User-Name = 'jake' (1) State = 0x2ae8af442ae9ab526f505f86b4932430 (1) NAS-Port-Id = 'wlan4' (1) NAS-Port-Type = Wireless-802.11 (1) Acct-Session-Id = '82200019' (1) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (1) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (1) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (1) EAP-Message = 0x020100060319 (1) Message-Authenticator = 0x23c1df8ed8c64f231b0e8b9a5c48c798 (1) NAS-Identifier = 'MikroTik' (1) NAS-IP-Address = 10.1.1.23 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "jake", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent code Response (2) ID 1 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql: EXPAND %{User-Name} (1) sql: --> jake (1) sql: SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: Cleartext-Password := 'fheman123' (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (1) sql: User found in the group table (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (1) sql: Group "14kimberleyst": Conditional check items matched (1) sql: Group "14kimberleyst": Merging assignment check items (1) sql: Reset-Date := '13' (1) sql: Total-Bytes := '999999999999999999' (1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (1) sql: Group "14kimberleyst": Merging reply items (1) sql: Session-Timeout := 10800 rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) policy site-restriction { (1) update request { (1) EXPAND %{User-Name} (1) --> jake (1) SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) Executing select query: SET @user = 'jake'; SET @nasmac = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'; SELECT COUNT(*) FROM (SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND `radusergroup`.`username` = @user UNION ALL SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND `radusergroup`.`username` = @user) as a rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SET @user = '%{User-Name}'; SET @nasmac = '%{request:Called-Station-Id}'; SELECT COUNT(*) FROM (SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND `radusergroup`.`username` = @user UNION ALL SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND `radusergroup`.`username` = @user) as a} (1) --> 1 (1) Site := 1 (1) } # update request = noop (1) if ( Site == '0' ) { (1) if ( Site == '0' ) -> FALSE (1) } # policy site-restriction = noop (1) policy data-restriction { (1) if ((control:Total-Bytes)){ (1) if ((control:Total-Bytes)) -> TRUE (1) if ((control:Total-Bytes)) { (1) update control { (1) EXPAND %{User-Name} (1) --> jake (1) SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) Executing select query: SET @reset_date = '13'; SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM `radacct` WHERE UserName='jake' AND DATE(`acctstarttime`) BETWEEN (CASE WHEN @reset_date > DAYOFMONTH(NOW()) THEN DATE( DATE_SUB( CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date ) , INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date )END) AND DATE(NOW()); rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SET @reset_date = '%{control:Reset-Date}'; SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM `radacct` WHERE UserName='%{request:User-Name}' AND DATE(`acctstarttime`) BETWEEN (CASE WHEN @reset_date > DAYOFMONTH(NOW()) THEN DATE( DATE_SUB( CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date ) , INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date )END) AND DATE(NOW());} (1) --> 154996 (1) Used-Bytes := 154996 (1) EXPAND %{User-Name} (1) --> jake (1) SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) Executing select query: SELECT `email` FROM `users` WHERE `username` = 'jake' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SELECT `email` FROM `users` WHERE `username` = '%{request:User-Name}'} (1) --> zhex900@gmail.com (1) Email := zhex900@gmail.com (1) EXPAND %{User-Name} (1) --> jake (1) SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) Executing select query: SELECT `sentmail` FROM `users` WHERE `username` = 'jake' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SELECT `sentmail` FROM `users` WHERE `username` = '%{request:User-Name}'} (1) --> 0 (1) Sent-Mail := 0 (1) EXPAND %{User-Name} (1) --> jake (1) SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (1) Executing select query: SELECT `mobile_suffix` FROM `users` WHERE `username` = 'jake' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SELECT `mobile_suffix` FROM `users` WHERE `username` = '%{request:User-Name}'} (1) --> 0433169153 (1) Mobile := 0433169153 (1) } # update control = noop (1) sendmsg: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake' (1) sendmsg: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.1.23' (1) sendmsg: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User' (1) sendmsg: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400' (1) sendmsg: $RAD_REQUEST{'State'} = &request:State -> '0x2ae8af442ae9ab526f505f86b4932430' (1) sendmsg: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (1) sendmsg: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24' (1) sendmsg: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'MikroTik' (1) sendmsg: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11' (1) sendmsg: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '82200019' (1) sendmsg: $RAD_REQUEST{'Acct-Multi-Session-Id'} = &request:Acct-Multi-Session-Id -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (1) sendmsg: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jun 26 2015 03:36:51 UTC' (1) sendmsg: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020100060319' (1) sendmsg: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798' (1) sendmsg: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'wlan4' (1) sendmsg: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK' (1) sendmsg: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'jake' (1) sendmsg: $RAD_REQUEST{'Site'} = &request:Site -> '1' (1) sendmsg: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout -> '10800' (1) sendmsg: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP' (1) sendmsg: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123' (1) sendmsg: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999' (1) sendmsg: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes -> '154996' (1) sendmsg: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13' (1) sendmsg: $RAD_CHECK{'Email'} = &control:Email -> 'zhex900@gmail.com' (1) sendmsg: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0' (1) sendmsg: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153' (1) sendmsg: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP' (1) sendmsg: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123' (1) sendmsg: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999' (1) sendmsg: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes -> '154996' (1) sendmsg: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13' (1) sendmsg: $RAD_CONFIG{'Email'} = &control:Email -> 'zhex900@gmail.com' (1) sendmsg: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0' (1) sendmsg: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153' (1) sendmsg: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400' (1) sendmsg: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jun 26 2015 03:36:51 UTC' (1) sendmsg: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User' (1) sendmsg: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24' (1) sendmsg: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake' (1) sendmsg: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK' (1) sendmsg: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x23c1df8ed8c64f231b0e8b9a5c48c798' (1) sendmsg: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11' (1) sendmsg: &request:Acct-Multi-Session-Id = $RAD_REQUEST{'Acct-Multi-Session-Id'} -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (1) sendmsg: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} -> 'jake' (1) sendmsg: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (1) sendmsg: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.1.1.23' (1) sendmsg: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '82200019' (1) sendmsg: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'wlan4' (1) sendmsg: &request:Site = $RAD_REQUEST{'Site'} -> '1' (1) sendmsg: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020100060319' (1) sendmsg: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'MikroTik' (1) sendmsg: &request:State = $RAD_REQUEST{'State'} -> '0x2ae8af442ae9ab526f505f86b4932430' (1) sendmsg: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) sendmsg: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'fheman123' (1) sendmsg: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153' (1) sendmsg: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13' (1) sendmsg: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0' (1) sendmsg: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} -> '999999999999999999' (1) sendmsg: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996' (1) sendmsg: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP' (1) sendmsg: &control:Email = $RAD_CHECK{'Email'} -> 'zhex900@gmail.com' (1) [sendmsg] = noop (1) check_usage: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake' (1) check_usage: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.1.23' (1) check_usage: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User' (1) check_usage: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400' (1) check_usage: $RAD_REQUEST{'State'} = &request:State -> '0x2ae8af442ae9ab526f505f86b4932430' (1) check_usage: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (1) check_usage: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24' (1) check_usage: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'MikroTik' (1) check_usage: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11' (1) check_usage: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '82200019' (1) check_usage: $RAD_REQUEST{'Acct-Multi-Session-Id'} = &request:Acct-Multi-Session-Id -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (1) check_usage: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jun 26 2015 03:36:51 UTC' (1) check_usage: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020100060319' (1) check_usage: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798' (1) check_usage: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'wlan4' (1) check_usage: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK' (1) check_usage: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'jake' (1) check_usage: $RAD_REQUEST{'Site'} = &request:Site -> '1' (1) check_usage: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout -> '10800' (1) check_usage: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP' (1) check_usage: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123' (1) check_usage: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999' (1) check_usage: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes -> '154996' (1) check_usage: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13' (1) check_usage: $RAD_CHECK{'Email'} = &control:Email -> ' zhex900@gmail.com' (1) check_usage: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0' (1) check_usage: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153' (1) check_usage: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP' (1) check_usage: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123' (1) check_usage: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999' (1) check_usage: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes -> '154996' (1) check_usage: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13' (1) check_usage: $RAD_CONFIG{'Email'} = &control:Email -> ' zhex900@gmail.com' (1) check_usage: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0' (1) check_usage: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153' (1) check_usage: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400' (1) check_usage: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jun 26 2015 03:36:51 UTC' (1) check_usage: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User' (1) check_usage: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24' (1) check_usage: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake' (1) check_usage: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK' (1) check_usage: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x23c1df8ed8c64f231b0e8b9a5c48c798' (1) check_usage: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11' (1) check_usage: &request:Acct-Multi-Session-Id = $RAD_REQUEST{'Acct-Multi-Session-Id'} -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (1) check_usage: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} -> 'jake' (1) check_usage: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (1) check_usage: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.1.1.23' (1) check_usage: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '82200019' (1) check_usage: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'wlan4' (1) check_usage: &request:Site = $RAD_REQUEST{'Site'} -> '1' (1) check_usage: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020100060319' (1) check_usage: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'MikroTik' (1) check_usage: &request:State = $RAD_REQUEST{'State'} -> '0x2ae8af442ae9ab526f505f86b4932430' (1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> '232830643' (1) check_usage: &reply:Mikrotik-Total-Limit = $RAD_REPLY{'Mikrotik-Total-Limit'} -> '2808193675' (1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) check_usage: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'fheman123' (1) check_usage: &control:Avail-Bytes = $RAD_CHECK{'Avail-Bytes'} -> '999999999999845003' (1) check_usage: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153' (1) check_usage: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13' (1) check_usage: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0' (1) check_usage: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} -> '999999999999999999' (1) check_usage: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996' (1) check_usage: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP' (1) check_usage: &control:Email = $RAD_CHECK{'Email'} -> 'zhex900@gmail.com' (1) [check_usage] = updated (1) } # if ((control:Total-Bytes)) = updated (1) } # policy data-restriction = updated (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x2ae8af442ae9ab52 (1) eap: Finished EAP session with state 0x2ae8af442ae9ab52 (1) eap: Previous EAP request found for state 0x2ae8af442ae9ab52, released from the list (1) eap: Peer sent method NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling eap_peap to process EAP data (1) eap_peap: Flushing SSL sessions (of #0) (1) eap_peap: Initiate (1) eap_peap: Start returned 1 (1) eap: EAP session adding &reply:State = 0x2ae8af442beab652 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Sent Access-Challenge Id 242 from 172.17.0.68:1812 to 203.59.132.253:44270 length 0 (1) Mikrotik-Total-Limit-Gigawords = 232830643 (1) Mikrotik-Total-Limit = 2808193675 (1) Session-Timeout = 10800 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x2ae8af442beab6526f505f86b4932430 (1) Finished request Waking up in 4.8 seconds. (2) Received Access-Request Id 243 from 203.59.132.253:52144 to 172.17.0.68:1812 length 427 (2) Service-Type = Framed-User (2) Framed-MTU = 1400 (2) User-Name = 'jake' (2) State = 0x2ae8af442beab6526f505f86b4932430 (2) NAS-Port-Id = 'wlan4' (2) NAS-Port-Type = Wireless-802.11 (2) Acct-Session-Id = '82200019' (2) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (2) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (2) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (2) EAP-Message = 0x020200c41980000000ba16030100b5010000b103016e692cd58137a32168d3f582da80112b10f99f0b740669a6ebb3372583558513000048c014c00a00390038c00fc0050035c013c00900330032c00ec004002fc011c007c00cc00200050004c012c00800160013c00dc003000a001500120009001400 (2) Message-Authenticator = 0xe1a2042b676d0a3bca307cb23bd11d3d (2) NAS-Identifier = 'MikroTik' (2) NAS-IP-Address = 10.1.1.23 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "jake", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent code Response (2) ID 2 length 196 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x2ae8af442beab652 (2) eap: Finished EAP session with state 0x2ae8af442beab652 (2) eap: Previous EAP request found for state 0x2ae8af442beab652, released from the list (2) eap: Peer sent method PEAP (25) (2) eap: EAP PEAP (25) (2) eap: Calling eap_peap to process EAP data (2) eap_peap: processing EAP-TLS (2) eap_peap: TLS Length 186 (2) eap_peap: Length Included (2) eap_peap: eaptls_verify returned 11 (2) eap_peap: (other): before/accept initialization (2) eap_peap: TLS_accept: before/accept initialization (2) eap_peap: <<< TLS 1.0 Handshake [length 00b5], ClientHello (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> TLS 1.0 Handshake [length 08d0], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap: eaptls_process returned 13 (2) eap_peap: FR_TLS_HANDLED (2) eap: EAP session adding &reply:State = 0x2ae8af4428ebb652 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Sent Access-Challenge Id 243 from 172.17.0.68:1812 to 203.59.132.253:52144 length 0 (2) EAP-Message = 0x010303ec19c000000a8c1603010059020000550301d46c8d0a4b602b18e16f0c2eca4ab0b9923c8c75937b6be866c61bccebeff4f020f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bbc01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x2ae8af4428ebb6526f505f86b4932430 (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 244 from 203.59.132.253:35924 to 172.17.0.68:1812 length 237 (3) Service-Type = Framed-User (3) Framed-MTU = 1400 (3) User-Name = 'jake' (3) State = 0x2ae8af4428ebb6526f505f86b4932430 (3) NAS-Port-Id = 'wlan4' (3) NAS-Port-Type = Wireless-802.11 (3) Acct-Session-Id = '82200019' (3) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (3) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (3) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0xbcede2e1f511c39d7829a8d31d3056ca (3) NAS-Identifier = 'MikroTik' (3) NAS-IP-Address = 10.1.1.23 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "jake", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent code Response (2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x2ae8af4428ebb652 (3) eap: Finished EAP session with state 0x2ae8af4428ebb652 (3) eap: Previous EAP request found for state 0x2ae8af4428ebb652, released from the list (3) eap: Peer sent method PEAP (25) (3) eap: EAP PEAP (25) (3) eap: Calling eap_peap to process EAP data (3) eap_peap: processing EAP-TLS (3) eap_peap: Received TLS ACK (3) eap_peap: Received TLS ACK (3) eap_peap: ACK handshake fragment handler (3) eap_peap: eaptls_verify returned 1 (3) eap_peap: eaptls_process returned 13 (3) eap_peap: FR_TLS_HANDLED (3) eap: EAP session adding &reply:State = 0x2ae8af4429ecb652 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Sent Access-Challenge Id 244 from 172.17.0.68:1812 to 203.59.132.253:35924 length 0 (3) EAP-Message = 0x010403e8194070fc3072618327914b90833c80b17761d6b71ed327b33f801709abca73c4785893e2238950ca0494c79dceb74a47d2ae97f2cf40c1857e89d6543f5d275ca54082c2d8a4ec8109ca6d7161699efce7a8d33588e1f1403c619f4ebd02f166ab8a0d9b07ad442d0202e60004e5308204e130 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x2ae8af4429ecb6526f505f86b4932430 (3) Finished request Waking up in 4.6 seconds. (4) Received Access-Request Id 245 from 203.59.132.253:39524 to 172.17.0.68:1812 length 237 (4) Service-Type = Framed-User (4) Framed-MTU = 1400 (4) User-Name = 'jake' (4) State = 0x2ae8af4429ecb6526f505f86b4932430 (4) NAS-Port-Id = 'wlan4' (4) NAS-Port-Type = Wireless-802.11 (4) Acct-Session-Id = '82200019' (4) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (4) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (4) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (4) EAP-Message = 0x020400061900 (4) Message-Authenticator = 0x54aecaf6cd05e5bf1bce8ad82728077d (4) NAS-Identifier = 'MikroTik' (4) NAS-IP-Address = 10.1.1.23 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "jake", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent code Response (2) ID 4 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x2ae8af4429ecb652 (4) eap: Finished EAP session with state 0x2ae8af4429ecb652 (4) eap: Previous EAP request found for state 0x2ae8af4429ecb652, released from the list (4) eap: Peer sent method PEAP (25) (4) eap: EAP PEAP (25) (4) eap: Calling eap_peap to process EAP data (4) eap_peap: processing EAP-TLS (4) eap_peap: Received TLS ACK (4) eap_peap: Received TLS ACK (4) eap_peap: ACK handshake fragment handler (4) eap_peap: eaptls_verify returned 1 (4) eap_peap: eaptls_process returned 13 (4) eap_peap: FR_TLS_HANDLED (4) eap: EAP session adding &reply:State = 0x2ae8af442eedb652 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Sent Access-Challenge Id 245 from 172.17.0.68:1812 to 203.59.132.253:39524 length 0 (4) EAP-Message = 0x010502ce190020417574686f72697479820900b019525dc1d9412e300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101006f73 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x2ae8af442eedb6526f505f86b4932430 (4) Finished request Waking up in 4.4 seconds. (5) Received Access-Request Id 246 from 203.59.132.253:45440 to 172.17.0.68:1812 length 375 (5) Service-Type = Framed-User (5) Framed-MTU = 1400 (5) User-Name = 'jake' (5) State = 0x2ae8af442eedb6526f505f86b4932430 (5) NAS-Port-Id = 'wlan4' (5) NAS-Port-Type = Wireless-802.11 (5) Acct-Session-Id = '82200019' (5) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (5) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (5) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (5) EAP-Message = 0x020500901980000000861603010046100000424104bd66ff8372c1dc049759a9b955193ffa8e8e4da7348cc4e36500cb9b5198ba94ea171b8d06416f4894d5ff73e68fa74a8d6fd8563daec796148288a0a5ed0ebb1403010001011603010030bfe20542d15a4dfa96fecdb720ea6156305308632d1890 (5) Message-Authenticator = 0x7df94396891c33014810e3acbeafcbb1 (5) NAS-Identifier = 'MikroTik' (5) NAS-IP-Address = 10.1.1.23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "jake", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent code Response (2) ID 5 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x2ae8af442eedb652 (5) eap: Finished EAP session with state 0x2ae8af442eedb652 (5) eap: Previous EAP request found for state 0x2ae8af442eedb652, released from the list (5) eap: Peer sent method PEAP (25) (5) eap: EAP PEAP (25) (5) eap: Calling eap_peap to process EAP data (5) eap_peap: processing EAP-TLS (5) eap_peap: TLS Length 134 (5) eap_peap: Length Included (5) eap_peap: eaptls_verify returned 11 (5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data TLS: adding session f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb to cache (5) eap_peap: (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap: eaptls_process returned 13 (5) eap_peap: FR_TLS_HANDLED (5) eap: EAP session adding &reply:State = 0x2ae8af442feeb652 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Sent Access-Challenge Id 246 from 172.17.0.68:1812 to 203.59.132.253:45440 length 0 (5) EAP-Message = 0x0106004119001403010001011603010030b50c5c6bcd7f1f0c3cdb9a9dd16fb6d24bfc64db51180644d3f3806f9a566ed700be78e43a68b107312669ee0fbe6d1f (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x2ae8af442feeb6526f505f86b4932430 (5) Finished request Waking up in 4.3 seconds. (6) Received Access-Request Id 247 from 203.59.132.253:39369 to 172.17.0.68:1812 length 237 (6) Service-Type = Framed-User (6) Framed-MTU = 1400 (6) User-Name = 'jake' (6) State = 0x2ae8af442feeb6526f505f86b4932430 (6) NAS-Port-Id = 'wlan4' (6) NAS-Port-Type = Wireless-802.11 (6) Acct-Session-Id = '82200019' (6) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (6) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (6) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (6) EAP-Message = 0x020600061900 (6) Message-Authenticator = 0xb6affee6faf6ee543b6ef9c9f52f74ec (6) NAS-Identifier = 'MikroTik' (6) NAS-IP-Address = 10.1.1.23 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "jake", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent code Response (2) ID 6 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x2ae8af442feeb652 (6) eap: Finished EAP session with state 0x2ae8af442feeb652 (6) eap: Previous EAP request found for state 0x2ae8af442feeb652, released from the list (6) eap: Peer sent method PEAP (25) (6) eap: EAP PEAP (25) (6) eap: Calling eap_peap to process EAP data (6) eap_peap: processing EAP-TLS (6) eap_peap: Received TLS ACK (6) eap_peap: Received TLS ACK (6) eap_peap: ACK handshake is finished (6) eap_peap: eaptls_verify returned 3 (6) eap_peap: eaptls_process returned 3 (6) eap_peap: FR_TLS_SUCCESS (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: EAP session adding &reply:State = 0x2ae8af442cefb652 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Sent Access-Challenge Id 247 from 172.17.0.68:1812 to 203.59.132.253:39369 length 0 (6) EAP-Message = 0x0107002b190017030100209db4b82b7785ec126910f4c56f3693646b7c87d993175dec544c881e17ff7e66 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x2ae8af442cefb6526f505f86b4932430 (6) Finished request Waking up in 4.2 seconds. (7) Received Access-Request Id 248 from 203.59.132.253:54163 to 172.17.0.68:1812 length 274 (7) Service-Type = Framed-User (7) Framed-MTU = 1400 (7) User-Name = 'jake' (7) State = 0x2ae8af442cefb6526f505f86b4932430 (7) NAS-Port-Id = 'wlan4' (7) NAS-Port-Type = Wireless-802.11 (7) Acct-Session-Id = '82200019' (7) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (7) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (7) EAP-Message = 0x0207002b190017030100208286978455a47dcaa043b6ee4493bf1162e7a1a6105b84d369f022c49c2db0b8 (7) Message-Authenticator = 0xb259288f94fab665a32a8e25909eabe9 (7) NAS-Identifier = 'MikroTik' (7) NAS-IP-Address = 10.1.1.23 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "jake", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent code Response (2) ID 7 length 43 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x2ae8af442cefb652 (7) eap: Finished EAP session with state 0x2ae8af442cefb652 (7) eap: Previous EAP request found for state 0x2ae8af442cefb652, released from the list (7) eap: Peer sent method PEAP (25) (7) eap: EAP PEAP (25) (7) eap: Calling eap_peap to process EAP data (7) eap_peap: processing EAP-TLS (7) eap_peap: eaptls_verify returned 7 (7) eap_peap: Done initial handshake (7) eap_peap: eaptls_process returned 7 (7) eap_peap: FR_TLS_OK (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - jake (7) eap_peap: Got inner identity 'jake' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02070009016a616b65 (7) eap_peap: Setting User-Name to jake (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02070009016a616b65 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = 'jake' (7) eap_peap: Service-Type = Framed-User (7) eap_peap: Framed-MTU = 1400 (7) eap_peap: NAS-Port-Id = 'wlan4' (7) eap_peap: NAS-Port-Type = Wireless-802.11 (7) eap_peap: Acct-Session-Id = '82200019' (7) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (7) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24' (7) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (7) eap_peap: NAS-Identifier = 'MikroTik' (7) eap_peap: NAS-IP-Address = 10.1.1.23 (7) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02070009016a616b65 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = 'jake' (7) Service-Type = Framed-User (7) Framed-MTU = 1400 (7) NAS-Port-Id = 'wlan4' (7) NAS-Port-Type = Wireless-802.11 (7) Acct-Session-Id = '82200019' (7) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (7) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (7) NAS-Identifier = 'MikroTik' (7) NAS-IP-Address = 10.1.1.23 (7) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "jake", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 7 length 9 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent method Identity (1) (7) eap: Calling eap_mschapv2 to process EAP data (7) eap_mschapv2: Issuing Challenge (7) eap: EAP session adding &reply:State = 0x22b0356022b82f2e (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x22b0356022b82f2e85a63bb65e619718 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718 (7) eap_peap: Got tunneled Access-Challenge (7) eap: EAP session adding &reply:State = 0x2ae8af442de0b652 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Sent Access-Challenge Id 248 from 172.17.0.68:1812 to 203.59.132.253:54163 length 0 (7) EAP-Message = 0x0108004b190017030100405d23e6bcb09cb6d20b68d9aaca1f83e4091ceff102e5083ddd35b9012b3d0e7188c3b1e155ea8f9bddc0ea1f850f357d2b8f6240e497819ecfd11cf2a7c0fbbb (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x2ae8af442de0b6526f505f86b4932430 (7) Finished request Waking up in 4.1 seconds. (8) Received Access-Request Id 249 from 203.59.132.253:36869 to 172.17.0.68:1812 length 322 (8) Service-Type = Framed-User (8) Framed-MTU = 1400 (8) User-Name = 'jake' (8) State = 0x2ae8af442de0b6526f505f86b4932430 (8) NAS-Port-Id = 'wlan4' (8) NAS-Port-Type = Wireless-802.11 (8) Acct-Session-Id = '82200019' (8) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (8) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (8) EAP-Message = 0x0208005b190017030100507a6c5910e9c1dc3a4adf8951c44d459517e50c2a6116265ff2d8924df35f0557e921ca3264d2be55f40dc688cb5fa91b6d9c14b1c9a895996ca03e1c224e31a2efb0740a6415f05685f77b4427b49f76 (8) Message-Authenticator = 0x1b7b410bbe118d5b2da8add5b4ac1a43 (8) NAS-Identifier = 'MikroTik' (8) NAS-IP-Address = 10.1.1.23 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (!&User-Name) { (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) { (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "jake", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent code Response (2) ID 8 length 91 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x22b0356022b82f2e (8) eap: Finished EAP session with state 0x2ae8af442de0b652 (8) eap: Previous EAP request found for state 0x2ae8af442de0b652, released from the list (8) eap: Peer sent method PEAP (25) (8) eap: EAP PEAP (25) (8) eap: Calling eap_peap to process EAP data (8) eap_peap: processing EAP-TLS (8) eap_peap: eaptls_verify returned 7 (8) eap_peap: Done initial handshake (8) eap_peap: eaptls_process returned 7 (8) eap_peap: FR_TLS_OK (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP type MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65 (8) eap_peap: Setting User-Name to jake (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = 'jake' (8) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: NAS-Port-Id = 'wlan4' (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Acct-Session-Id = '82200019' (8) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (8) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24' (8) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (8) eap_peap: NAS-Identifier = 'MikroTik' (8) eap_peap: NAS-IP-Address = 10.1.1.23 (8) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = 'jake' (8) State = 0x22b0356022b82f2e85a63bb65e619718 (8) Service-Type = Framed-User (8) Framed-MTU = 1400 (8) NAS-Port-Id = 'wlan4' (8) NAS-Port-Type = Wireless-802.11 (8) Acct-Session-Id = '82200019' (8) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (8) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (8) NAS-Identifier = 'MikroTik' (8) NAS-IP-Address = 10.1.1.23 (8) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "jake", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent code Response (2) ID 8 length 63 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) sql: EXPAND %{User-Name} (8) sql: --> jake (8) sql: SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (8) sql: User found in radcheck table (8) sql: Conditional check items matched, merging assignment check items (8) sql: Cleartext-Password := 'fheman123' (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (8) sql: User found in the group table (8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (8) sql: Group "14kimberleyst": Conditional check items matched (8) sql: Group "14kimberleyst": Merging assignment check items (8) sql: Reset-Date := '13' (8) sql: Total-Bytes := '999999999999999999' (8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (8) sql: Group "14kimberleyst": Merging reply items (8) sql: Session-Timeout := 10800 rlm_sql (sql): Released connection (4) (8) [sql] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x22b0356022b82f2e (8) eap: Finished EAP session with state 0x22b0356022b82f2e (8) eap: Previous EAP request found for state 0x22b0356022b82f2e, released from the list (8) eap: Peer sent method MSCHAPv2 (26) (8) eap: EAP MSCHAPv2 (26) (8) eap: Calling eap_mschapv2 to process EAP data (8) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: Found Cleartext-Password, hashing to create NT-Password (8) mschap: Found Cleartext-Password, hashing to create LM-Password (8) mschap: Creating challenge hash with username: jake (8) mschap: Client is using MS-CHAPv2 (8) mschap: Adding MS-CHAPv2 MPPE keys (8) [mschap] = ok (8) } # Auth-Type MS-CHAP = ok (8) MSCHAP Success (8) eap: EAP session adding &reply:State = 0x22b0356023b92f2e (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) Session-Timeout = 10800 (8) EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x22b0356023b92f2e85a63bb65e619718 (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: Session-Timeout = 10800 (8) eap_peap: EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718 (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: Session-Timeout = 10800 (8) eap_peap: EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718 (8) eap_peap: Got tunneled Access-Challenge (8) eap: EAP session adding &reply:State = 0x2ae8af4422e1b652 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Sent Access-Challenge Id 249 from 172.17.0.68:1812 to 203.59.132.253:36869 length 0 (8) EAP-Message = 0x0109005b19001703010050ff2fa83e838510f3b311adc6a2de5dd4e3bf9e49ca7b67699dc84fd1c698570243feeaa1c808dee3846a38ffbdf223dee1afbe871ba2398fe4bc3653e21b24c6fcee8c9607bbe10fe7370c07f0b041f4 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x2ae8af4422e1b6526f505f86b4932430 (8) Finished request Waking up in 4.0 seconds. (9) Received Access-Request Id 250 from 203.59.132.253:51671 to 172.17.0.68:1812 length 274 (9) Service-Type = Framed-User (9) Framed-MTU = 1400 (9) User-Name = 'jake' (9) State = 0x2ae8af4422e1b6526f505f86b4932430 (9) NAS-Port-Id = 'wlan4' (9) NAS-Port-Type = Wireless-802.11 (9) Acct-Session-Id = '82200019' (9) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (9) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (9) EAP-Message = 0x0209002b19001703010020b385b35defe2309a0a1087757d0f1334ba0c847fa90fecacec7d8233ff986872 (9) Message-Authenticator = 0xd85c93784094e1af3cf813ae7c2212c5 (9) NAS-Identifier = 'MikroTik' (9) NAS-IP-Address = 10.1.1.23 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (!&User-Name) { (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "jake", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent code Response (2) ID 9 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x22b0356023b92f2e (9) eap: Finished EAP session with state 0x2ae8af4422e1b652 (9) eap: Previous EAP request found for state 0x2ae8af4422e1b652, released from the list (9) eap: Peer sent method PEAP (25) (9) eap: EAP PEAP (25) (9) eap: Calling eap_peap to process EAP data (9) eap_peap: processing EAP-TLS (9) eap_peap: eaptls_verify returned 7 (9) eap_peap: Done initial handshake (9) eap_peap: eaptls_process returned 7 (9) eap_peap: FR_TLS_OK (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP type MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x020900061a03 (9) eap_peap: Setting User-Name to jake (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x020900061a03 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = 'jake' (9) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Framed-MTU = 1400 (9) eap_peap: NAS-Port-Id = 'wlan4' (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Acct-Session-Id = '82200019' (9) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (9) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24' (9) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (9) eap_peap: NAS-Identifier = 'MikroTik' (9) eap_peap: NAS-IP-Address = 10.1.1.23 (9) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020900061a03 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = 'jake' (9) State = 0x22b0356023b92f2e85a63bb65e619718 (9) Service-Type = Framed-User (9) Framed-MTU = 1400 (9) NAS-Port-Id = 'wlan4' (9) NAS-Port-Type = Wireless-802.11 (9) Acct-Session-Id = '82200019' (9) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (9) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (9) NAS-Identifier = 'MikroTik' (9) NAS-IP-Address = 10.1.1.23 (9) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC' (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "jake", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent code Response (2) ID 9 length 6 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop (9) sql: EXPAND %{User-Name} (9) sql: --> jake (9) sql: SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (9) sql: User found in radcheck table (9) sql: Conditional check items matched, merging assignment check items (9) sql: Cleartext-Password := 'fheman123' (9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (9) sql: User found in the group table (9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (9) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (9) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (9) sql: Group "14kimberleyst": Conditional check items matched (9) sql: Group "14kimberleyst": Merging assignment check items (9) sql: Reset-Date := '13' (9) sql: Total-Bytes := '999999999999999999' (9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (9) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (9) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (9) sql: Group "14kimberleyst": Merging reply items (9) sql: Session-Timeout := 10800 rlm_sql (sql): Released connection (4) (9) [sql] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x22b0356023b92f2e (9) eap: Finished EAP session with state 0x22b0356023b92f2e (9) eap: Previous EAP request found for state 0x22b0356023b92f2e, released from the list (9) eap: Peer sent method MSCHAPv2 (26) (9) eap: EAP MSCHAPv2 (26) (9) eap: Calling eap_mschapv2 to process EAP data (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (9) post-auth { (9) sql: EXPAND .query (9) sql: --> .query (9) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (9) sql: EXPAND %{User-Name} (9) sql: --> jake (9) sql: SQL-User-Name set to 'jake' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52') (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (9) [sql] = ok (9) update { (9) &outer.session-state:Session-Timeout += &reply:Session-Timeout -> 10800 (9) &outer.session-state:MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy -> Encryption-Allowed (9) &outer.session-state:MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types -> RC4-40or128-bit-Allowed (9) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0x89180aba877672b89e8af47487914f88 (9) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0xeb1d86612d6cfa12c45d9dfa87f470d1 (9) &outer.session-state:EAP-Message += &reply:EAP-Message -> 0x03090004 (9) &outer.session-state:Message-Authenticator += &reply:Message-Authenticator -> 0x00000000000000000000000000000000 (9) &outer.session-state:User-Name += &reply:User-Name -> jake (9) } # update = noop (9) update outer.session-state { (9) MS-MPPE-Encryption-Policy !* ANY (9) MS-MPPE-Encryption-Types !* ANY (9) MS-MPPE-Send-Key !* ANY (9) MS-MPPE-Recv-Key !* ANY (9) Message-Authenticator !* ANY (9) EAP-Message !* ANY (9) Proxy-State !* ANY (9) } # update outer.session-state = noop (9) } # post-auth = ok (9) } # server inner-tunnel (9) Virtual server sending reply (9) Session-Timeout = 10800 (9) MS-MPPE-Encryption-Policy = Encryption-Allowed (9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88 (9) MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = 'jake' (9) eap_peap: Got tunneled reply code 2 (9) eap_peap: Session-Timeout = 10800 (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88 (9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1 (9) eap_peap: EAP-Message = 0x03090004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = 'jake' (9) eap_peap: Got tunneled reply RADIUS code 2 (9) eap_peap: Session-Timeout = 10800 (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88 (9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1 (9) eap_peap: EAP-Message = 0x03090004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = 'jake' (9) eap_peap: Tunneled authentication was successful (9) eap_peap: SUCCESS (9) eap_peap: Saving tunneled attributes for later (9) eap: EAP session adding &reply:State = 0x2ae8af4423e2b652 (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) session-state: Saving cached attributes (9) Session-Timeout += 10800 (9) User-Name += 'jake' (9) Sent Access-Challenge Id 250 from 172.17.0.68:1812 to 203.59.132.253:51671 length 0 (9) EAP-Message = 0x010a002b190017030100209ffa89db62ad66cc4ddee6a4a1950f7ef37a98001a17f318cb0b6beb1492a1e0 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x2ae8af4423e2b6526f505f86b4932430 (9) Finished request Waking up in 3.9 seconds. (10) Received Access-Request Id 251 from 203.59.132.253:49242 to 172.17.0.68:1812 length 274 (10) Service-Type = Framed-User (10) Framed-MTU = 1400 (10) User-Name = 'jake' (10) State = 0x2ae8af4423e2b6526f505f86b4932430 (10) NAS-Port-Id = 'wlan4' (10) NAS-Port-Type = Wireless-802.11 (10) Acct-Session-Id = '82200019' (10) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (10) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (10) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (10) EAP-Message = 0x020a002b1900170301002026447f2d4d239efdc5f79e265525ede34826f132b7d0c5c8874169bacc4ac3a3 (10) Message-Authenticator = 0xa5e90887435c642376fc2a49a006da0b (10) NAS-Identifier = 'MikroTik' (10) NAS-IP-Address = 10.1.1.23 (10) session-state: Found cached attributes (10) Session-Timeout += 10800 (10) User-Name += 'jake' (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (!&User-Name) { (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) { (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "jake", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent code Response (2) ID 10 length 43 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0x2ae8af4423e2b652 (10) eap: Finished EAP session with state 0x2ae8af4423e2b652 (10) eap: Previous EAP request found for state 0x2ae8af4423e2b652, released from the list (10) eap: Peer sent method PEAP (25) (10) eap: EAP PEAP (25) (10) eap: Calling eap_peap to process EAP data (10) eap_peap: processing EAP-TLS (10) eap_peap: eaptls_verify returned 7 (10) eap_peap: Done initial handshake (10) eap_peap: eaptls_process returned 7 (10) eap_peap: FR_TLS_OK (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap_peap: Using saved attributes from the original Access-Accept (10) eap_peap: Session-Timeout = 10800 (10) eap_peap: User-Name = 'jake' (10) eap_peap: Saving session f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb vps 0x18cb740 in the cache (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (10) post-auth { (10) update { (10) &reply:Session-Timeout += &session-state:Session-Timeout -> 10800 (10) &reply:User-Name += &session-state:User-Name -> jake (10) } # update = noop (10) sql: EXPAND .query (10) sql: --> .query (10) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (10) sql: EXPAND %{User-Name} (10) sql: --> jake (10) sql: SQL-User-Name set to 'jake' (10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52') (10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52') (10) sql: SQL query returned: success (10) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (10) [sql] = ok (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # post-auth = ok (10) Sent Access-Accept Id 251 from 172.17.0.68:1812 to 203.59.132.253:49242 length 0 (10) Session-Timeout = 10800 (10) User-Name = 'jake' (10) MS-MPPE-Recv-Key = 0xe5deb546fc8f6e00acdf29b623d95704d2ed1020f037955b5200e47def068653 (10) MS-MPPE-Send-Key = 0x1c0c6d0296a173ab78c88bae351114f84de5cdc9386cbb1dc93bb9ff188d29ef (10) EAP-Message = 0x030a0004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) Session-Timeout += 10800 (10) User-Name += 'jake' (10) Finished request Waking up in 3.8 seconds. (11) Received Accounting-Request Id 252 from 203.59.132.253:49829 to 172.17.0.68:1813 length 205 (11) Service-Type = Framed-User (11) NAS-Port-Id = 'wlan4' (11) NAS-Port-Type = Wireless-802.11 (11) User-Name = 'jake' (11) Acct-Session-Id = '82200019' (11) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18' (11) Calling-Station-Id = 'F8-A9-D0-18-F2-24' (11) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE' (11) Acct-Authentic = RADIUS (11) Acct-Status-Type = Start (11) NAS-Identifier = 'MikroTik' (11) Acct-Delay-Time = 0 (11) NAS-IP-Address = 10.1.1.23 (11) # Executing section preacct from file /etc/freeradius/sites-enabled/default (11) preacct { (11) [preprocess] = ok (11) policy acct_unique { (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (11) EXPAND %{string:Class} (11) --> (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (11) else { (11) update request { (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (11) --> fbad663f9e23f248b243af3297e4a26d (11) &Acct-Unique-Session-Id := fbad663f9e23f248b243af3297e4a26d (11) } # update request = noop (11) } # else = noop (11) } # policy acct_unique = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "jake", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) [files] = noop (11) } # preacct = ok (11) # Executing section accounting from file /etc/freeradius/sites-enabled/default (11) accounting { (11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (11) detail: --> /var/log/freeradius/radacct/ 203.59.132.253/detail-20150626 (11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/203.59.132.253/detail-20150626 (11) detail: EXPAND %t (11) detail: --> Fri Jun 26 03:36:52 2015 (11) [detail] = ok (11) [unix] = ok (11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (11) sql: --> type.start.query (11) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (11) sql: EXPAND %{User-Name} (11) sql: --> jake (11) sql: SQL-User-Name set to 'jake' (11) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (11) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('82200019', 'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '', 'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812), NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '') (11) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('82200019', 'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '', 'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812), NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '') (11) sql: SQL query returned: success (11) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (11) [sql] = ok (11) [exec] = noop (11) attr_filter.accounting_response: EXPAND %{User-Name} (11) attr_filter.accounting_response: --> jake (11) attr_filter.accounting_response: Matched entry DEFAULT at line 15 (11) [attr_filter.accounting_response] = updated (11) } # accounting = updated (11) Sent Accounting-Response Id 252 from 172.17.0.68:1813 to 203.59.132.253:49829 length 0 (11) Finished request (11) <done>: Cleaning up request packet ID 252 with timestamp +10 Waking up in 3.7 seconds. (0) <done>: Cleaning up request packet ID 241 with timestamp +9 Waking up in 0.1 seconds. (1) <done>: Cleaning up request packet ID 242 with timestamp +9 Waking up in 0.1 seconds. (2) <done>: Cleaning up request packet ID 243 with timestamp +9 Waking up in 0.1 seconds. (3) <done>: Cleaning up request packet ID 244 with timestamp +9 Waking up in 0.1 seconds. (4) <done>: Cleaning up request packet ID 245 with timestamp +9 Waking up in 0.1 seconds. (5) <done>: Cleaning up request packet ID 246 with timestamp +9 Waking up in 0.1 seconds. (6) <done>: Cleaning up request packet ID 247 with timestamp +10 (7) <done>: Cleaning up request packet ID 248 with timestamp +10 Waking up in 0.1 seconds. (8) <done>: Cleaning up request packet ID 249 with timestamp +10 Waking up in 0.1 seconds. (9) <done>: Cleaning up request packet ID 250 with timestamp +10 Waking up in 0.1 seconds. (10) <done>: Cleaning up request packet ID 251 with timestamp +10 Ready to process requests On 26 June 2015 at 11:33, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Jun 2015, at 23:21, Jake He <jake.he@gmail.com> wrote:
Hi,
I have a problem where Attribute MT-Recv-Limit is returned in Access-Challenge but not in Access-Accept.
This is my setup. FR 3.0.8
I have configured following in the eap.conf file in the ttls section :
copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel"
/etc/freeradius/sites-available/inner-tunnel. post-auth block,
uncommented.
update { &outer.session-state: += &reply: }
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}
I have a fixed radreply attribute Session-Timeout in the database. This
is
sent in the Access-Accept.
MT-Recv-Limit is sent by a perl script < https://raw.githubusercontent.com/zhex900/radius-config/master/version.3/mod... . This script add a new radreply $RAD_REPLY{'Mikrotik-Recv-Limit'}. This is called in the site-available/default authorize block. Mikrotik-Recv-Limit does appear in the Access-Challenge but not in the Access-Accept.
Any ideas?
Not really, seeing as you've not provided the debug output...
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 25, 2015, at 11:38 PM, Jake He <jake.he@gmail.com> wrote:
Here is the debug output:
Why is it double spaced? You should be able to cut & paste plain text, or add it as a text attachment. And if you read the debug messages you posted to the list, you'll see that Mikrotik-Recv-Limit doesn't show up *anywhere*. So it's not being sent in *any* packet. You said it comes from a Perl script. But the debug output clearly shows that the Perl script never sets that attribute. Fix your Perl script. Alan DeKok.
Sorry, I make a mistake. I am using Mikrotik-Total-Limit not Mikrotik-Recv-Limit. This is the debug for my perl script. (1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> '232830643' I tested by this code update control{ Total-Limit := &reply:Mikrotik-Total-Limit Total-Limit-G := &reply:Mikrotik-Total-Limit-Gigawords } debug: (1) update control { (1) Total-Limit := &Mikrotik-Total-Limit -> 2514812512 (1) Total-Limit-G := &Mikrotik-Total-Limit-Gigawords -> 232830643 (1) } # update control = noop This means that Mikrotik-Total-Limit is set right? On 26 June 2015 at 23:55, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 25, 2015, at 11:38 PM, Jake He <jake.he@gmail.com> wrote:
Here is the debug output:
Why is it double spaced? You should be able to cut & paste plain text, or add it as a text attachment.
And if you read the debug messages you posted to the list, you'll see that Mikrotik-Recv-Limit doesn't show up *anywhere*. So it's not being sent in *any* packet.
You said it comes from a Perl script. But the debug output clearly shows that the Perl script never sets that attribute.
Fix your Perl script.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 26, 2015, at 12:08 PM, Jake He <jake.he@gmail.com> wrote:
Sorry, I make a mistake. I am using Mikrotik-Total-Limit not Mikrotik-Recv-Limit.
Describing the problem correctly helps.
This is the debug for my perl script. (1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> ‘232830643'
So it’s getting set. That’s nice.
This means that Mikrotik-Total-Limit is set right?
Yes. Then go read the debug log to see when it’s being set, and when your perl script is being executed. There’s no magic here. Just read the debug output to see what it’s doing. Alan DeKok.
Thank you Alan. Mikrotik-Total-Limit is set in server default. But when virtual server inner-tunnel is called. The sql over write the Mikrotik-Total-Limit. This is my understanding of what happened. Is there a way for inner-tunnel not to set the reply attributes again? Jake (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02010016041045307f80005829c45ec3c5a20be7bc6c (7) User-Name = 'jake' (7) State = 0xc7faab94c7fbaf949e6d25fbda29b50d (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "jake", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 1 length 22 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> jake (7) sql: SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (7) sql: User found in radcheck table (7) sql: Conditional check items matched, merging assignment check items (7) sql: Cleartext-Password := 'fheman123' (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (7) sql: User found in the group table (7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Group "14kimberleyst": Conditional check items matched (7) sql: Group "14kimberleyst": Merging assignment check items (7) sql: Reset-Date := '13' (7) sql: Total-Bytes := '999999999999999999' (7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Group "14kimberleyst": Merging reply items (7) sql: Session-Timeout := 10800 (7) sql: Mikrotik-Total-Limit := 1 On 27 June 2015 at 01:24, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 26, 2015, at 12:08 PM, Jake He <jake.he@gmail.com> wrote:
Sorry, I make a mistake. I am using Mikrotik-Total-Limit not Mikrotik-Recv-Limit.
Describing the problem correctly helps.
This is the debug for my perl script. (1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> ‘232830643'
So it’s getting set. That’s nice.
This means that Mikrotik-Total-Limit is set right?
Yes.
Then go read the debug log to see when it’s being set, and when your perl script is being executed.
There’s no magic here. Just read the debug output to see what it’s doing.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I fixed it! I called my perl script in inner-tunner server not in the default server. Now the final Access-Accept have the Mikrotik-Total-Limit. Thank you. On 27 June 2015 at 13:34, Jake He <jake.he@gmail.com> wrote:
Thank you Alan.
Mikrotik-Total-Limit is set in server default. But when virtual server inner-tunnel is called. The sql over write the Mikrotik-Total-Limit. This is my understanding of what happened.
Is there a way for inner-tunnel not to set the reply attributes again?
Jake
(7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02010016041045307f80005829c45ec3c5a20be7bc6c (7) User-Name = 'jake' (7) State = 0xc7faab94c7fbaf949e6d25fbda29b50d (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "jake", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent code Response (2) ID 1 length 22 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> jake (7) sql: SQL-User-Name set to 'jake' rlm_sql (sql): Reserved connection (4) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id (7) sql: User found in radcheck table (7) sql: Conditional check items matched, merging assignment check items (7) sql: Cleartext-Password := 'fheman123' (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority (7) sql: User found in the group table (7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Group "14kimberleyst": Conditional check items matched (7) sql: Group "14kimberleyst": Merging assignment check items (7) sql: Reset-Date := '13' (7) sql: Total-Bytes := '999999999999999999' (7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id (7) sql: Group "14kimberleyst": Merging reply items (7) sql: Session-Timeout := 10800 (7) sql: Mikrotik-Total-Limit := 1
On 27 June 2015 at 01:24, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 26, 2015, at 12:08 PM, Jake He <jake.he@gmail.com> wrote:
Sorry, I make a mistake. I am using Mikrotik-Total-Limit not Mikrotik-Recv-Limit.
Describing the problem correctly helps.
This is the debug for my perl script. (1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800' (1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> ‘232830643'
So it’s getting set. That’s nice.
This means that Mikrotik-Total-Limit is set right?
Yes.
Then go read the debug log to see when it’s being set, and when your perl script is being executed.
There’s no magic here. Just read the debug output to see what it’s doing.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can anyone give me some directions? Mikrotik-Total-Limit is in the Access-Challenge reply but it is not in the Access-Accept. How do I fix this? I have no idea. This post http://lists.freeradius.org/pipermail/freeradius-users/2011-January/051167.h... gives some ideas but I still do not know how to fix it. (1) Sent Access-Challenge Id 80 from 172.17.0.71:1812 to 175.38.133.35:42418 length 0 (1) Mikrotik-Total-Limit = 2514816696 (1) Mikrotik-Total-Limit-Gigawords = 232830643 (1) Session-Timeout = 10800 (1) EAP-Message = 0x010200061520 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x568c93d5578e86a3fd1dd204a8afe703 (1) Finished request Waking up in 4.7 seconds. (27) Sent Access-Accept Id 106 from 172.17.0.71:1812 to 175.38.133.35:60453 length 0 (27) Session-Timeout = 10800 (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) User-Name = 'jake' (27) MS-MPPE-Recv-Key = 0xd830d8a84e6bb4c8b7a4504373d28db3ab9b46c567e1b56d50020e3604ad466d (27) MS-MPPE-Send-Key = 0xf4ca3a9664ad56f165f260e37632d8826885a38f19ad46bb219def6384c0c680 (27) EAP-Message = 0x03070004 (27) Session-Timeout += 10800 (27) User-Name += 'jake' (27) Finished request On 26 June 2015 at 11:38, Jake He <jake.he@gmail.com> wrote:
Here is the debug output:
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 241 from 203.59.132.253:38386 to 172.17.0.68:1812 length 222
(0) Service-Type = Framed-User
(0) Framed-MTU = 1400
(0) User-Name = 'jake'
(0) NAS-Port-Id = 'wlan4'
(0) NAS-Port-Type = Wireless-802.11
(0) Acct-Session-Id = '82200019'
(0) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(0) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(0) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(0) EAP-Message = 0x02000009016a616b65
(0) Message-Authenticator = 0x0942bb06979bc2c6859785baa97efea0
(0) NAS-Identifier = 'MikroTik'
(0) NAS-IP-Address = 10.1.1.23
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "jake", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent code Response (2) ID 0 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_md5 to process EAP data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: EAP session adding &reply:State = 0x2ae8af442ae9ab52
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 241 from 172.17.0.68:1812 to 203.59.132.253:38386 length 0
(0) EAP-Message = 0x010100160410e9962633c394d82e8af727f23160824c
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x2ae8af442ae9ab526f505f86b4932430
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 242 from 203.59.132.253:44270 to 172.17.0.68:1812 length 237
(1) Service-Type = Framed-User
(1) Framed-MTU = 1400
(1) User-Name = 'jake'
(1) State = 0x2ae8af442ae9ab526f505f86b4932430
(1) NAS-Port-Id = 'wlan4'
(1) NAS-Port-Type = Wireless-802.11
(1) Acct-Session-Id = '82200019'
(1) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(1) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) EAP-Message = 0x020100060319
(1) Message-Authenticator = 0x23c1df8ed8c64f231b0e8b9a5c48c798
(1) NAS-Identifier = 'MikroTik'
(1) NAS-IP-Address = 10.1.1.23
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jake", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent code Response (2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) sql: EXPAND %{User-Name}
(1) sql: --> jake
(1) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Cleartext-Password := 'fheman123'
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Group "14kimberleyst": Conditional check items matched
(1) sql: Group "14kimberleyst": Merging assignment check items
(1) sql: Reset-Date := '13'
(1) sql: Total-Bytes := '999999999999999999'
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Group "14kimberleyst": Merging reply items
(1) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(1) [sql] = ok
(1) policy site-restriction {
(1) update request {
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SET @user = 'jake'; SET @nasmac = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'; SELECT COUNT(*) FROM (SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND `radusergroup`.`username` = @user UNION ALL SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND `radusergroup`.`username` = @user) as a
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SET @user = '%{User-Name}'; SET @nasmac = '%{request:Called-Station-Id}'; SELECT COUNT(*) FROM (SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND `radusergroup`.`username` = @user UNION ALL SELECT radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND `radusergroup`.`username` = @user) as a}
(1) --> 1
(1) Site := 1
(1) } # update request = noop
(1) if ( Site == '0' ) {
(1) if ( Site == '0' ) -> FALSE
(1) } # policy site-restriction = noop
(1) policy data-restriction {
(1) if ((control:Total-Bytes)){
(1) if ((control:Total-Bytes)) -> TRUE
(1) if ((control:Total-Bytes)) {
(1) update control {
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SET @reset_date = '13'; SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM `radacct` WHERE UserName='jake' AND DATE(`acctstarttime`) BETWEEN (CASE WHEN @reset_date > DAYOFMONTH(NOW()) THEN DATE( DATE_SUB( CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date ) , INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date )END) AND DATE(NOW());
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SET @reset_date = '%{control:Reset-Date}'; SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM `radacct` WHERE UserName='%{request:User-Name}' AND DATE(`acctstarttime`) BETWEEN (CASE WHEN @reset_date > DAYOFMONTH(NOW()) THEN DATE( DATE_SUB( CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date ) , INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date )END) AND DATE(NOW());}
(1) --> 154996
(1) Used-Bytes := 154996
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `email` FROM `users` WHERE `username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `email` FROM `users` WHERE `username` = '%{request:User-Name}'}
(1) --> zhex900@gmail.com
(1) Email := zhex900@gmail.com
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `sentmail` FROM `users` WHERE `username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `sentmail` FROM `users` WHERE `username` = '%{request:User-Name}'}
(1) --> 0
(1) Sent-Mail := 0
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `mobile_suffix` FROM `users` WHERE `username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `mobile_suffix` FROM `users` WHERE `username` = '%{request:User-Name}'}
(1) --> 0433169153
(1) Mobile := 0433169153
(1) } # update control = noop
(1) sendmsg: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake'
(1) sendmsg: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.1.23'
(1) sendmsg: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
(1) sendmsg: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400'
(1) sendmsg: $RAD_REQUEST{'State'} = &request:State -> '0x2ae8af442ae9ab526f505f86b4932430'
(1) sendmsg: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) sendmsg: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24'
(1) sendmsg: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'MikroTik'
(1) sendmsg: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(1) sendmsg: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '82200019'
(1) sendmsg: $RAD_REQUEST{'Acct-Multi-Session-Id'} = &request:Acct-Multi-Session-Id -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) sendmsg: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jun 26 2015 03:36:51 UTC'
(1) sendmsg: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020100060319'
(1) sendmsg: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) sendmsg: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'wlan4'
(1) sendmsg: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK'
(1) sendmsg: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'jake'
(1) sendmsg: $RAD_REQUEST{'Site'} = &request:Site -> '1'
(1) sendmsg: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout -> '10800'
(1) sendmsg: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) sendmsg: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123'
(1) sendmsg: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999'
(1) sendmsg: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) sendmsg: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13'
(1) sendmsg: $RAD_CHECK{'Email'} = &control:Email -> 'zhex900@gmail.com'
(1) sendmsg: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) sendmsg: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153'
(1) sendmsg: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) sendmsg: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123'
(1) sendmsg: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999'
(1) sendmsg: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) sendmsg: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13'
(1) sendmsg: $RAD_CONFIG{'Email'} = &control:Email -> 'zhex900@gmail.com '
(1) sendmsg: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) sendmsg: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153'
(1) sendmsg: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(1) sendmsg: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jun 26 2015 03:36:51 UTC'
(1) sendmsg: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
(1) sendmsg: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24'
(1) sendmsg: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake'
(1) sendmsg: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK'
(1) sendmsg: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) sendmsg: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11'
(1) sendmsg: &request:Acct-Multi-Session-Id = $RAD_REQUEST{'Acct-Multi-Session-Id'} -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) sendmsg: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} -> 'jake'
(1) sendmsg: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) sendmsg: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.1.1.23'
(1) sendmsg: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '82200019'
(1) sendmsg: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'wlan4'
(1) sendmsg: &request:Site = $RAD_REQUEST{'Site'} -> '1'
(1) sendmsg: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020100060319'
(1) sendmsg: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'MikroTik'
(1) sendmsg: &request:State = $RAD_REQUEST{'State'} -> '0x2ae8af442ae9ab526f505f86b4932430'
(1) sendmsg: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800'
(1) sendmsg: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'fheman123'
(1) sendmsg: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153'
(1) sendmsg: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13'
(1) sendmsg: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0'
(1) sendmsg: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} -> '999999999999999999'
(1) sendmsg: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996'
(1) sendmsg: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP'
(1) sendmsg: &control:Email = $RAD_CHECK{'Email'} -> 'zhex900@gmail.com'
(1) [sendmsg] = noop
(1) check_usage: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake'
(1) check_usage: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.1.23'
(1) check_usage: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
(1) check_usage: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400'
(1) check_usage: $RAD_REQUEST{'State'} = &request:State -> '0x2ae8af442ae9ab526f505f86b4932430'
(1) check_usage: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) check_usage: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24'
(1) check_usage: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'MikroTik'
(1) check_usage: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(1) check_usage: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '82200019'
(1) check_usage: $RAD_REQUEST{'Acct-Multi-Session-Id'} = &request:Acct-Multi-Session-Id -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) check_usage: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jun 26 2015 03:36:51 UTC'
(1) check_usage: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020100060319'
(1) check_usage: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) check_usage: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'wlan4'
(1) check_usage: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK'
(1) check_usage: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'jake'
(1) check_usage: $RAD_REQUEST{'Site'} = &request:Site -> '1'
(1) check_usage: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout -> '10800'
(1) check_usage: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) check_usage: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123'
(1) check_usage: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999'
(1) check_usage: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) check_usage: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13'
(1) check_usage: $RAD_CHECK{'Email'} = &control:Email -> ' zhex900@gmail.com'
(1) check_usage: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) check_usage: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153'
(1) check_usage: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) check_usage: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'fheman123'
(1) check_usage: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes -> '999999999999999999'
(1) check_usage: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) check_usage: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13'
(1) check_usage: $RAD_CONFIG{'Email'} = &control:Email -> ' zhex900@gmail.com'
(1) check_usage: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) check_usage: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153'
(1) check_usage: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(1) check_usage: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jun 26 2015 03:36:51 UTC'
(1) check_usage: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
(1) check_usage: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24'
(1) check_usage: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake'
(1) check_usage: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK'
(1) check_usage: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) check_usage: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11'
(1) check_usage: &request:Acct-Multi-Session-Id = $RAD_REQUEST{'Acct-Multi-Session-Id'} -> '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) check_usage: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} -> 'jake'
(1) check_usage: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) check_usage: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.1.1.23'
(1) check_usage: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '82200019'
(1) check_usage: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'wlan4'
(1) check_usage: &request:Site = $RAD_REQUEST{'Site'} -> '1'
(1) check_usage: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020100060319'
(1) check_usage: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'MikroTik'
(1) check_usage: &request:State = $RAD_REQUEST{'State'} -> '0x2ae8af442ae9ab526f505f86b4932430'
(1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords = $RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> '232830643'
(1) check_usage: &reply:Mikrotik-Total-Limit = $RAD_REPLY{'Mikrotik-Total-Limit'} -> '2808193675'
(1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} -> '10800'
(1) check_usage: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'fheman123'
(1) check_usage: &control:Avail-Bytes = $RAD_CHECK{'Avail-Bytes'} -> '999999999999845003'
(1) check_usage: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153'
(1) check_usage: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13'
(1) check_usage: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0'
(1) check_usage: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} -> '999999999999999999'
(1) check_usage: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996'
(1) check_usage: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP'
(1) check_usage: &control:Email = $RAD_CHECK{'Email'} -> ' zhex900@gmail.com'
(1) [check_usage] = updated
(1) } # if ((control:Total-Bytes)) = updated
(1) } # policy data-restriction = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x2ae8af442ae9ab52
(1) eap: Finished EAP session with state 0x2ae8af442ae9ab52
(1) eap: Previous EAP request found for state 0x2ae8af442ae9ab52, released from the list
(1) eap: Peer sent method NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: Flushing SSL sessions (of #0)
(1) eap_peap: Initiate
(1) eap_peap: Start returned 1
(1) eap: EAP session adding &reply:State = 0x2ae8af442beab652
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 242 from 172.17.0.68:1812 to 203.59.132.253:44270 length 0
(1) Mikrotik-Total-Limit-Gigawords = 232830643
(1) Mikrotik-Total-Limit = 2808193675
(1) Session-Timeout = 10800
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x2ae8af442beab6526f505f86b4932430
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 243 from 203.59.132.253:52144 to 172.17.0.68:1812 length 427
(2) Service-Type = Framed-User
(2) Framed-MTU = 1400
(2) User-Name = 'jake'
(2) State = 0x2ae8af442beab6526f505f86b4932430
(2) NAS-Port-Id = 'wlan4'
(2) NAS-Port-Type = Wireless-802.11
(2) Acct-Session-Id = '82200019'
(2) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(2) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(2) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(2) EAP-Message = 0x020200c41980000000ba16030100b5010000b103016e692cd58137a32168d3f582da80112b10f99f0b740669a6ebb3372583558513000048c014c00a00390038c00fc0050035c013c00900330032c00ec004002fc011c007c00cc00200050004c012c00800160013c00dc003000a001500120009001400
(2) Message-Authenticator = 0xe1a2042b676d0a3bca307cb23bd11d3d
(2) NAS-Identifier = 'MikroTik'
(2) NAS-IP-Address = 10.1.1.23
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "jake", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent code Response (2) ID 2 length 196
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x2ae8af442beab652
(2) eap: Finished EAP session with state 0x2ae8af442beab652
(2) eap: Previous EAP request found for state 0x2ae8af442beab652, released from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: TLS Length 186
(2) eap_peap: Length Included
(2) eap_peap: eaptls_verify returned 11
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< TLS 1.0 Handshake [length 00b5], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 08d0], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0x2ae8af4428ebb652
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Sent Access-Challenge Id 243 from 172.17.0.68:1812 to 203.59.132.253:52144 length 0
(2) EAP-Message = 0x010303ec19c000000a8c1603010059020000550301d46c8d0a4b602b18e16f0c2eca4ab0b9923c8c75937b6be866c61bccebeff4f020f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bbc01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x2ae8af4428ebb6526f505f86b4932430
(2) Finished request
Waking up in 4.7 seconds.
(3) Received Access-Request Id 244 from 203.59.132.253:35924 to 172.17.0.68:1812 length 237
(3) Service-Type = Framed-User
(3) Framed-MTU = 1400
(3) User-Name = 'jake'
(3) State = 0x2ae8af4428ebb6526f505f86b4932430
(3) NAS-Port-Id = 'wlan4'
(3) NAS-Port-Type = Wireless-802.11
(3) Acct-Session-Id = '82200019'
(3) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(3) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(3) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xbcede2e1f511c39d7829a8d31d3056ca
(3) NAS-Identifier = 'MikroTik'
(3) NAS-IP-Address = 10.1.1.23
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "jake", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent code Response (2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x2ae8af4428ebb652
(3) eap: Finished EAP session with state 0x2ae8af4428ebb652
(3) eap: Previous EAP request found for state 0x2ae8af4428ebb652, released from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0x2ae8af4429ecb652
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Sent Access-Challenge Id 244 from 172.17.0.68:1812 to 203.59.132.253:35924 length 0
(3) EAP-Message = 0x010403e8194070fc3072618327914b90833c80b17761d6b71ed327b33f801709abca73c4785893e2238950ca0494c79dceb74a47d2ae97f2cf40c1857e89d6543f5d275ca54082c2d8a4ec8109ca6d7161699efce7a8d33588e1f1403c619f4ebd02f166ab8a0d9b07ad442d0202e60004e5308204e130
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x2ae8af4429ecb6526f505f86b4932430
(3) Finished request
Waking up in 4.6 seconds.
(4) Received Access-Request Id 245 from 203.59.132.253:39524 to 172.17.0.68:1812 length 237
(4) Service-Type = Framed-User
(4) Framed-MTU = 1400
(4) User-Name = 'jake'
(4) State = 0x2ae8af4429ecb6526f505f86b4932430
(4) NAS-Port-Id = 'wlan4'
(4) NAS-Port-Type = Wireless-802.11
(4) Acct-Session-Id = '82200019'
(4) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(4) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(4) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x54aecaf6cd05e5bf1bce8ad82728077d
(4) NAS-Identifier = 'MikroTik'
(4) NAS-IP-Address = 10.1.1.23
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "jake", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent code Response (2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2ae8af4429ecb652
(4) eap: Finished EAP session with state 0x2ae8af4429ecb652
(4) eap: Previous EAP request found for state 0x2ae8af4429ecb652, released from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: Received TLS ACK
(4) eap_peap: Received TLS ACK
(4) eap_peap: ACK handshake fragment handler
(4) eap_peap: eaptls_verify returned 1
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0x2ae8af442eedb652
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Sent Access-Challenge Id 245 from 172.17.0.68:1812 to 203.59.132.253:39524 length 0
(4) EAP-Message = 0x010502ce190020417574686f72697479820900b019525dc1d9412e300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101006f73
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x2ae8af442eedb6526f505f86b4932430
(4) Finished request
Waking up in 4.4 seconds.
(5) Received Access-Request Id 246 from 203.59.132.253:45440 to 172.17.0.68:1812 length 375
(5) Service-Type = Framed-User
(5) Framed-MTU = 1400
(5) User-Name = 'jake'
(5) State = 0x2ae8af442eedb6526f505f86b4932430
(5) NAS-Port-Id = 'wlan4'
(5) NAS-Port-Type = Wireless-802.11
(5) Acct-Session-Id = '82200019'
(5) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(5) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(5) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(5) EAP-Message = 0x020500901980000000861603010046100000424104bd66ff8372c1dc049759a9b955193ffa8e8e4da7348cc4e36500cb9b5198ba94ea171b8d06416f4894d5ff73e68fa74a8d6fd8563daec796148288a0a5ed0ebb1403010001011603010030bfe20542d15a4dfa96fecdb720ea6156305308632d1890
(5) Message-Authenticator = 0x7df94396891c33014810e3acbeafcbb1
(5) NAS-Identifier = 'MikroTik'
(5) NAS-IP-Address = 10.1.1.23
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "jake", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent code Response (2) ID 5 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x2ae8af442eedb652
(5) eap: Finished EAP session with state 0x2ae8af442eedb652
(5) eap: Previous EAP request found for state 0x2ae8af442eedb652, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: TLS Length 134
(5) eap_peap: Length Included
(5) eap_peap: eaptls_verify returned 11
(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
TLS: adding session f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb to cache
(5) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap: eaptls_process returned 13
(5) eap_peap: FR_TLS_HANDLED
(5) eap: EAP session adding &reply:State = 0x2ae8af442feeb652
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Sent Access-Challenge Id 246 from 172.17.0.68:1812 to 203.59.132.253:45440 length 0
(5) EAP-Message = 0x0106004119001403010001011603010030b50c5c6bcd7f1f0c3cdb9a9dd16fb6d24bfc64db51180644d3f3806f9a566ed700be78e43a68b107312669ee0fbe6d1f
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x2ae8af442feeb6526f505f86b4932430
(5) Finished request
Waking up in 4.3 seconds.
(6) Received Access-Request Id 247 from 203.59.132.253:39369 to 172.17.0.68:1812 length 237
(6) Service-Type = Framed-User
(6) Framed-MTU = 1400
(6) User-Name = 'jake'
(6) State = 0x2ae8af442feeb6526f505f86b4932430
(6) NAS-Port-Id = 'wlan4'
(6) NAS-Port-Type = Wireless-802.11
(6) Acct-Session-Id = '82200019'
(6) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(6) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(6) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xb6affee6faf6ee543b6ef9c9f52f74ec
(6) NAS-Identifier = 'MikroTik'
(6) NAS-IP-Address = 10.1.1.23
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jake", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent code Response (2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x2ae8af442feeb652
(6) eap: Finished EAP session with state 0x2ae8af442feeb652
(6) eap: Previous EAP request found for state 0x2ae8af442feeb652, released from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: Received TLS ACK
(6) eap_peap: Received TLS ACK
(6) eap_peap: ACK handshake is finished
(6) eap_peap: eaptls_verify returned 3
(6) eap_peap: eaptls_process returned 3
(6) eap_peap: FR_TLS_SUCCESS
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: EAP session adding &reply:State = 0x2ae8af442cefb652
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Sent Access-Challenge Id 247 from 172.17.0.68:1812 to 203.59.132.253:39369 length 0
(6) EAP-Message = 0x0107002b190017030100209db4b82b7785ec126910f4c56f3693646b7c87d993175dec544c881e17ff7e66
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x2ae8af442cefb6526f505f86b4932430
(6) Finished request
Waking up in 4.2 seconds.
(7) Received Access-Request Id 248 from 203.59.132.253:54163 to 172.17.0.68:1812 length 274
(7) Service-Type = Framed-User
(7) Framed-MTU = 1400
(7) User-Name = 'jake'
(7) State = 0x2ae8af442cefb6526f505f86b4932430
(7) NAS-Port-Id = 'wlan4'
(7) NAS-Port-Type = Wireless-802.11
(7) Acct-Session-Id = '82200019'
(7) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) EAP-Message = 0x0207002b190017030100208286978455a47dcaa043b6ee4493bf1162e7a1a6105b84d369f022c49c2db0b8
(7) Message-Authenticator = 0xb259288f94fab665a32a8e25909eabe9
(7) NAS-Identifier = 'MikroTik'
(7) NAS-IP-Address = 10.1.1.23
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jake", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent code Response (2) ID 7 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x2ae8af442cefb652
(7) eap: Finished EAP session with state 0x2ae8af442cefb652
(7) eap: Previous EAP request found for state 0x2ae8af442cefb652, released from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - jake
(7) eap_peap: Got inner identity 'jake'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x02070009016a616b65
(7) eap_peap: Setting User-Name to jake
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x02070009016a616b65
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = 'jake'
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Framed-MTU = 1400
(7) eap_peap: NAS-Port-Id = 'wlan4'
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Acct-Session-Id = '82200019'
(7) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) eap_peap: NAS-Identifier = 'MikroTik'
(7) eap_peap: NAS-IP-Address = 10.1.1.23
(7) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x02070009016a616b65
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = 'jake'
(7) Service-Type = Framed-User
(7) Framed-MTU = 1400
(7) NAS-Port-Id = 'wlan4'
(7) NAS-Port-Type = Wireless-802.11
(7) Acct-Session-Id = '82200019'
(7) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) NAS-Identifier = 'MikroTik'
(7) NAS-IP-Address = 10.1.1.23
(7) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(7) server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jake", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent code Response (2) ID 7 length 9
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent method Identity (1)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: Issuing Challenge
(7) eap: EAP session adding &reply:State = 0x22b0356022b82f2e
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0x2ae8af442de0b652
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Sent Access-Challenge Id 248 from 172.17.0.68:1812 to 203.59.132.253:54163 length 0
(7) EAP-Message = 0x0108004b190017030100405d23e6bcb09cb6d20b68d9aaca1f83e4091ceff102e5083ddd35b9012b3d0e7188c3b1e155ea8f9bddc0ea1f850f357d2b8f6240e497819ecfd11cf2a7c0fbbb
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x2ae8af442de0b6526f505f86b4932430
(7) Finished request
Waking up in 4.1 seconds.
(8) Received Access-Request Id 249 from 203.59.132.253:36869 to 172.17.0.68:1812 length 322
(8) Service-Type = Framed-User
(8) Framed-MTU = 1400
(8) User-Name = 'jake'
(8) State = 0x2ae8af442de0b6526f505f86b4932430
(8) NAS-Port-Id = 'wlan4'
(8) NAS-Port-Type = Wireless-802.11
(8) Acct-Session-Id = '82200019'
(8) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) EAP-Message = 0x0208005b190017030100507a6c5910e9c1dc3a4adf8951c44d459517e50c2a6116265ff2d8924df35f0557e921ca3264d2be55f40dc688cb5fa91b6d9c14b1c9a895996ca03e1c224e31a2efb0740a6415f05685f77b4427b49f76
(8) Message-Authenticator = 0x1b7b410bbe118d5b2da8add5b4ac1a43
(8) NAS-Identifier = 'MikroTik'
(8) NAS-IP-Address = 10.1.1.23
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (!&User-Name) {
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "jake", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent code Response (2) ID 8 length 91
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x22b0356022b82f2e
(8) eap: Finished EAP session with state 0x2ae8af442de0b652
(8) eap: Previous EAP request found for state 0x2ae8af442de0b652, released from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) eap_peap: Setting User-Name to jake
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = 'jake'
(8) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Framed-MTU = 1400
(8) eap_peap: NAS-Port-Id = 'wlan4'
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Acct-Session-Id = '82200019'
(8) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) eap_peap: NAS-Identifier = 'MikroTik'
(8) eap_peap: NAS-IP-Address = 10.1.1.23
(8) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = 'jake'
(8) State = 0x22b0356022b82f2e85a63bb65e619718
(8) Service-Type = Framed-User
(8) Framed-MTU = 1400
(8) NAS-Port-Id = 'wlan4'
(8) NAS-Port-Type = Wireless-802.11
(8) Acct-Session-Id = '82200019'
(8) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) NAS-Identifier = 'MikroTik'
(8) NAS-IP-Address = 10.1.1.23
(8) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "jake", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent code Response (2) ID 8 length 63
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> jake
(8) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: Cleartext-Password := 'fheman123'
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Group "14kimberleyst": Conditional check items matched
(8) sql: Group "14kimberleyst": Merging assignment check items
(8) sql: Reset-Date := '13'
(8) sql: Total-Bytes := '999999999999999999'
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Group "14kimberleyst": Merging reply items
(8) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x22b0356022b82f2e
(8) eap: Finished EAP session with state 0x22b0356022b82f2e
(8) eap: Previous EAP request found for state 0x22b0356022b82f2e, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: jake
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
(8) MSCHAP Success
(8) eap: EAP session adding &reply:State = 0x22b0356023b92f2e
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Session-Timeout = 10800
(8) EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: Session-Timeout = 10800
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: Session-Timeout = 10800
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: EAP session adding &reply:State = 0x2ae8af4422e1b652
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Sent Access-Challenge Id 249 from 172.17.0.68:1812 to 203.59.132.253:36869 length 0
(8) EAP-Message = 0x0109005b19001703010050ff2fa83e838510f3b311adc6a2de5dd4e3bf9e49ca7b67699dc84fd1c698570243feeaa1c808dee3846a38ffbdf223dee1afbe871ba2398fe4bc3653e21b24c6fcee8c9607bbe10fe7370c07f0b041f4
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x2ae8af4422e1b6526f505f86b4932430
(8) Finished request
Waking up in 4.0 seconds.
(9) Received Access-Request Id 250 from 203.59.132.253:51671 to 172.17.0.68:1812 length 274
(9) Service-Type = Framed-User
(9) Framed-MTU = 1400
(9) User-Name = 'jake'
(9) State = 0x2ae8af4422e1b6526f505f86b4932430
(9) NAS-Port-Id = 'wlan4'
(9) NAS-Port-Type = Wireless-802.11
(9) Acct-Session-Id = '82200019'
(9) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) EAP-Message = 0x0209002b19001703010020b385b35defe2309a0a1087757d0f1334ba0c847fa90fecacec7d8233ff986872
(9) Message-Authenticator = 0xd85c93784094e1af3cf813ae7c2212c5
(9) NAS-Identifier = 'MikroTik'
(9) NAS-IP-Address = 10.1.1.23
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (!&User-Name) {
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "jake", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent code Response (2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x22b0356023b92f2e
(9) eap: Finished EAP session with state 0x2ae8af4422e1b652
(9) eap: Previous EAP request found for state 0x2ae8af4422e1b652, released from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP type MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to jake
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Framed-MTU = 1400
(9) eap_peap: NAS-Port-Id = 'wlan4'
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Acct-Session-Id = '82200019'
(9) eap_peap: Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) eap_peap: NAS-Identifier = 'MikroTik'
(9) eap_peap: NAS-IP-Address = 10.1.1.23
(9) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = 'jake'
(9) State = 0x22b0356023b92f2e85a63bb65e619718
(9) Service-Type = Framed-User
(9) Framed-MTU = 1400
(9) NAS-Port-Id = 'wlan4'
(9) NAS-Port-Type = Wireless-802.11
(9) Acct-Session-Id = '82200019'
(9) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) NAS-Identifier = 'MikroTik'
(9) NAS-IP-Address = 10.1.1.23
(9) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "jake", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent code Response (2) ID 9 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) sql: EXPAND %{User-Name}
(9) sql: --> jake
(9) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jake' ORDER BY id
(9) sql: User found in radcheck table
(9) sql: Conditional check items matched, merging assignment check items
(9) sql: Cleartext-Password := 'fheman123'
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jake' ORDER BY id
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'jake' ORDER BY priority
(9) sql: User found in the group table
(9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(9) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Group "14kimberleyst": Conditional check items matched
(9) sql: Group "14kimberleyst": Merging assignment check items
(9) sql: Reset-Date := '13'
(9) sql: Total-Bytes := '999999999999999999'
(9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(9) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Group "14kimberleyst": Merging reply items
(9) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x22b0356023b92f2e
(9) eap: Finished EAP session with state 0x22b0356023b92f2e
(9) eap: Previous EAP request found for state 0x22b0356023b92f2e, released from the list
(9) eap: Peer sent method MSCHAPv2 (26)
(9) eap: EAP MSCHAPv2 (26)
(9) eap: Calling eap_mschapv2 to process EAP data
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(9) post-auth {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> jake
(9) sql: SQL-User-Name set to 'jake'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) update {
(9) &outer.session-state:Session-Timeout += &reply:Session-Timeout -> 10800
(9) &outer.session-state:MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy -> Encryption-Allowed
(9) &outer.session-state:MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types -> RC4-40or128-bit-Allowed
(9) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0x89180aba877672b89e8af47487914f88
(9) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) &outer.session-state:EAP-Message += &reply:EAP-Message -> 0x03090004
(9) &outer.session-state:Message-Authenticator += &reply:Message-Authenticator -> 0x00000000000000000000000000000000
(9) &outer.session-state:User-Name += &reply:User-Name -> jake
(9) } # update = noop
(9) update outer.session-state {
(9) MS-MPPE-Encryption-Policy !* ANY
(9) MS-MPPE-Encryption-Types !* ANY
(9) MS-MPPE-Send-Key !* ANY
(9) MS-MPPE-Recv-Key !* ANY
(9) Message-Authenticator !* ANY
(9) EAP-Message !* ANY
(9) Proxy-State !* ANY
(9) } # update outer.session-state = noop
(9) } # post-auth = ok
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) Session-Timeout = 10800
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = 'jake'
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: Session-Timeout = 10800
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: Session-Timeout = 10800
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap_peap: Saving tunneled attributes for later
(9) eap: EAP session adding &reply:State = 0x2ae8af4423e2b652
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) session-state: Saving cached attributes
(9) Session-Timeout += 10800
(9) User-Name += 'jake'
(9) Sent Access-Challenge Id 250 from 172.17.0.68:1812 to 203.59.132.253:51671 length 0
(9) EAP-Message = 0x010a002b190017030100209ffa89db62ad66cc4ddee6a4a1950f7ef37a98001a17f318cb0b6beb1492a1e0
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x2ae8af4423e2b6526f505f86b4932430
(9) Finished request
Waking up in 3.9 seconds.
(10) Received Access-Request Id 251 from 203.59.132.253:49242 to 172.17.0.68:1812 length 274
(10) Service-Type = Framed-User
(10) Framed-MTU = 1400
(10) User-Name = 'jake'
(10) State = 0x2ae8af4423e2b6526f505f86b4932430
(10) NAS-Port-Id = 'wlan4'
(10) NAS-Port-Type = Wireless-802.11
(10) Acct-Session-Id = '82200019'
(10) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(10) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(10) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(10) EAP-Message = 0x020a002b1900170301002026447f2d4d239efdc5f79e265525ede34826f132b7d0c5c8874169bacc4ac3a3
(10) Message-Authenticator = 0xa5e90887435c642376fc2a49a006da0b
(10) NAS-Identifier = 'MikroTik'
(10) NAS-IP-Address = 10.1.1.23
(10) session-state: Found cached attributes
(10) Session-Timeout += 10800
(10) User-Name += 'jake'
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (!&User-Name) {
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ ) {
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "jake", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent code Response (2) ID 10 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0x2ae8af4423e2b652
(10) eap: Finished EAP session with state 0x2ae8af4423e2b652
(10) eap: Previous EAP request found for state 0x2ae8af4423e2b652, released from the list
(10) eap: Peer sent method PEAP (25)
(10) eap: EAP PEAP (25)
(10) eap: Calling eap_peap to process EAP data
(10) eap_peap: processing EAP-TLS
(10) eap_peap: eaptls_verify returned 7
(10) eap_peap: Done initial handshake
(10) eap_peap: eaptls_process returned 7
(10) eap_peap: FR_TLS_OK
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: Using saved attributes from the original Access-Accept
(10) eap_peap: Session-Timeout = 10800
(10) eap_peap: User-Name = 'jake'
(10) eap_peap: Saving session f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb vps 0x18cb740 in the cache
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(10) post-auth {
(10) update {
(10) &reply:Session-Timeout += &session-state:Session-Timeout -> 10800
(10) &reply:User-Name += &session-state:User-Name -> jake
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> jake
(10) sql: SQL-User-Name set to 'jake'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 251 from 172.17.0.68:1812 to 203.59.132.253:49242 length 0
(10) Session-Timeout = 10800
(10) User-Name = 'jake'
(10) MS-MPPE-Recv-Key = 0xe5deb546fc8f6e00acdf29b623d95704d2ed1020f037955b5200e47def068653
(10) MS-MPPE-Send-Key = 0x1c0c6d0296a173ab78c88bae351114f84de5cdc9386cbb1dc93bb9ff188d29ef
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) Session-Timeout += 10800
(10) User-Name += 'jake'
(10) Finished request
Waking up in 3.8 seconds.
(11) Received Accounting-Request Id 252 from 203.59.132.253:49829 to 172.17.0.68:1813 length 205
(11) Service-Type = Framed-User
(11) NAS-Port-Id = 'wlan4'
(11) NAS-Port-Type = Wireless-802.11
(11) User-Name = 'jake'
(11) Acct-Session-Id = '82200019'
(11) Acct-Multi-Session-Id = '02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(11) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(11) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(11) Acct-Authentic = RADIUS
(11) Acct-Status-Type = Start
(11) NAS-Identifier = 'MikroTik'
(11) Acct-Delay-Time = 0
(11) NAS-IP-Address = 10.1.1.23
(11) # Executing section preacct from file /etc/freeradius/sites-enabled/default
(11) preacct {
(11) [preprocess] = ok
(11) policy acct_unique {
(11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(11) EXPAND %{string:Class}
(11) -->
(11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(11) else {
(11) update request {
(11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11) --> fbad663f9e23f248b243af3297e4a26d
(11) &Acct-Unique-Session-Id := fbad663f9e23f248b243af3297e4a26d
(11) } # update request = noop
(11) } # else = noop
(11) } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "jake", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) [files] = noop
(11) } # preacct = ok
(11) # Executing section accounting from file /etc/freeradius/sites-enabled/default
(11) accounting {
(11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail: --> /var/log/freeradius/radacct/ 203.59.132.253/detail-20150626
(11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/203.59.132.253/detail-20150626
(11) detail: EXPAND %t
(11) detail: --> Fri Jun 26 03:36:52 2015
(11) [detail] = ok
(11) [unix] = ok
(11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(11) sql: --> type.start.query
(11) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(11) sql: EXPAND %{User-Name}
(11) sql: --> jake
(11) sql: SQL-User-Name set to 'jake'
(11) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(11) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('82200019', 'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '', 'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812), NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '')
(11) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('82200019', 'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '', 'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812), NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '')
(11) sql: SQL query returned: success
(11) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(11) [sql] = ok
(11) [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response: --> jake
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 15
(11) [attr_filter.accounting_response] = updated
(11) } # accounting = updated
(11) Sent Accounting-Response Id 252 from 172.17.0.68:1813 to 203.59.132.253:49829 length 0
(11) Finished request
(11) <done>: Cleaning up request packet ID 252 with timestamp +10
Waking up in 3.7 seconds.
(0) <done>: Cleaning up request packet ID 241 with timestamp +9
Waking up in 0.1 seconds.
(1) <done>: Cleaning up request packet ID 242 with timestamp +9
Waking up in 0.1 seconds.
(2) <done>: Cleaning up request packet ID 243 with timestamp +9
Waking up in 0.1 seconds.
(3) <done>: Cleaning up request packet ID 244 with timestamp +9
Waking up in 0.1 seconds.
(4) <done>: Cleaning up request packet ID 245 with timestamp +9
Waking up in 0.1 seconds.
(5) <done>: Cleaning up request packet ID 246 with timestamp +9
Waking up in 0.1 seconds.
(6) <done>: Cleaning up request packet ID 247 with timestamp +10
(7) <done>: Cleaning up request packet ID 248 with timestamp +10
Waking up in 0.1 seconds.
(8) <done>: Cleaning up request packet ID 249 with timestamp +10
Waking up in 0.1 seconds.
(9) <done>: Cleaning up request packet ID 250 with timestamp +10
Waking up in 0.1 seconds.
(10) <done>: Cleaning up request packet ID 251 with timestamp +10
Ready to process requests
On 26 June 2015 at 11:33, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Jun 2015, at 23:21, Jake He <jake.he@gmail.com> wrote:
Hi,
I have a problem where Attribute MT-Recv-Limit is returned in Access-Challenge but not in Access-Accept.
This is my setup. FR 3.0.8
I have configured following in the eap.conf file in the ttls section :
copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel"
/etc/freeradius/sites-available/inner-tunnel. post-auth block,
uncommented.
update { &outer.session-state: += &reply: }
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}
I have a fixed radreply attribute Session-Timeout in the database.
This is
sent in the Access-Accept.
MT-Recv-Limit is sent by a perl script < https://raw.githubusercontent.com/zhex900/radius-config/master/version.3/mod... . This script add a new radreply $RAD_REPLY{'Mikrotik-Recv-Limit'}. This is called in the site-available/default authorize block. Mikrotik-Recv-Limit does appear in the Access-Challenge but not in the Access-Accept.
Any ideas?
Not really, seeing as you've not provided the debug output...
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Jake He