check user device mac address without doing mac-auth
Is it possible to check mac address of user device when doing standard 802.1x authentication and allow access without doing mac-auth + 802.1x ?. The requirement is to restrict users from connecting from other devices(say BYOD) other than IT approved device allocated to user. When using mac-auth-802.1x, server have no way of knowing which device the user is mapped to and user can connect from any authorised device in the list. Questions, 1, Is there a guide on how to achieve this with mysql integration ?. 2a, Is it recommended to add new columns to include mac-addr in radcheck table ?. 2b, If so, will freeradius automatically check new columns values and do access-accept/reject automatically ?. Any hints will be helpful. Thanks,
On Mar 22, 2023, at 10:40 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Is it possible to check mac address of user device when doing standard 802.1x authentication and allow access without doing mac-auth + 802.1x ?.
No. You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC. You cannot force authentication to succeed if the MAC is known, but 80-2.1X authentication fails. It's impossible.
The requirement is to restrict users from connecting from other devices(say BYOD) other than IT approved device allocated to user.
That can be done: if (mac is not known) { reject }
When using mac-auth-802.1x, server have no way of knowing which device the user is mapped to and user can connect from any authorised device in the list.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Questions, 1, Is there a guide on how to achieve this with mysql integration ?.
No. You cannot force authentication to succeed.
2a, Is it recommended to add new columns to include mac-addr in radcheck table ?.
No.
2b, If so, will freeradius automatically check new columns values and do access-accept/reject automatically ?.
Absolutely not. You can't just add a column, and have FreeRADIUS magically know what the column means, and how to use it. Alan DeKok.
Many thanks,
You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Is it not possible to grab Calling-Station-Id from Access-Request and check against db ?. Somewhere i read additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP / SLIP ?. Thanks, On Wednesday, 22 March, 2023, 08:16:38 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Mar 22, 2023, at 10:40 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Is it possible to check mac address of user device when doing standard 802.1x authentication and allow access without doing mac-auth + 802.1x ?.
No. You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC. You cannot force authentication to succeed if the MAC is known, but 80-2.1X authentication fails. It's impossible.
The requirement is to restrict users from connecting from other devices(say BYOD) other than IT approved device allocated to user.
That can be done: if (mac is not known) { reject }
When using mac-auth-802.1x, server have no way of knowing which device the user is mapped to and user can connect from any authorised device in the list.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Questions, 1, Is there a guide on how to achieve this with mysql integration ?.
No. You cannot force authentication to succeed.
2a, Is it recommended to add new columns to include mac-addr in radcheck table ?.
No.
2b, If so, will freeradius automatically check new columns values and do access-accept/reject automatically ?.
Absolutely not. You can't just add a column, and have FreeRADIUS magically know what the column means, and how to use it. Alan DeKok.
On Mar 22, 2023, at 11:44 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?.
If that's where you want to put MAC addresses, yes.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Is it not possible to grab Calling-Station-Id from Access-Request and check against db ?.
That's not what I said.
Somewhere i read additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP / SLIP ?.
No. Alan DeKok.
Thanks Alan,
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?. If that's where you want to put MAC addresses, yes.
I have installed freeradius without sql integration for testing. 1, changed # Instead of "use_tunneled_reply", value to "if (1) {. 2, users file have following entry on top. testing Password := "password", Calling-Station-Id := "0cf346e648f3" Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject. I'm not sure if this happen due to any stale sessions, as these android devices to do not have a wireless disconnect button to properly terminate accounting. unauthorised device mac - 06ad2e0b874b Thanks, truncated debug output, hope this does not include junk info for troubleshooting. ################################################################################# Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 49880 Listening on proxy address :: port 52573 Ready to process requests (0) Received Access-Request Id 233 from 10.225.251.10:52377 to 172.16.2.4:1812 length 187 (0) User-Name = "testing" (0) NAS-IP-Address = 10.225.251.10 (0) NAS-Port = 0 (0) NAS-Identifier = "172.16.6.62" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "0cf346e648f3" (0) Called-Station-Id = "removed" (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x0201000c0174657374696e67 (0) Aruba-Essid-Name = "wtf" (0) Aruba-Location-Id = "Building-A" (0) Aruba-AP-Group = "Cluster" (0) Message-Authenticator = 0x6b374ac5a93bce8c2437b87861837f2e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testing", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x26ecb91326eebd98 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 233 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (0) EAP-Message = 0x010200160410b87d1a4e19320c5a96ecd9c38383c104 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x26ecb91326eebd9834dbb54fecf0e9db (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 234 from 10.225.251.10:52377 to 172.16.2.4:1812 length 201 (1) User-Name = "testing" (1) NAS-IP-Address = 10.225.251.10 (1) NAS-Port = 0 (1) NAS-Identifier = "172.16.6.62" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "0cf346e648f3" (1) Called-Station-Id = "removed" (1) Service-Type = Login-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x0202000803191534 (1) State = 0x26ecb91326eebd9834dbb54fecf0e9db (1) Aruba-Essid-Name = "wtf" (1) Aruba-Location-Id = "Building-A" (1) Aruba-AP-Group = "Cluster" (1) Message-Authenticator = 0x54bb5e57cb31ffae2f7b88043cf81436 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "testing", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 8 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry testing at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x26ecb91326eebd98 (1) eap: Finished EAP session with state 0x26ecb91326eebd98 (1) eap: Previous EAP request found for state 0x26ecb91326eebd98, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0x26ecb91327efa098 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 234 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (1) EAP-Message = 0x010300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x26ecb91327efa09834dbb54fecf0e9db (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 235 from 10.225.251.10:52377 to 172.16.2.4:1812 length 334 (2) User-Name = "testing" (2) NAS-IP-Address = 10.225.251.10 (2) NAS-Port = 0 (2) NAS-Identifier = "172.16.6.62" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "0cf346e648f3" (2) Called-Station-Id = "removed" (2) Service-Type = Login-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x0203008d198000000083160301007e0100007a0303060aa89fafeaaf392589d5fe6fb92e44af5a6ecd2ee85b1aeacad97cb6f7b48a00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d (2) State = 0x26ecb91327efa09834dbb54fecf0e9db (2) Aruba-Essid-Name = "wtf" (2) Aruba-Location-Id = "Building-A" (2) Aruba-AP-Group = "Cluster" (2) Message-Authenticator = 0xdbadf9ba93a059334f8680af0fe6c4b5 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "testing", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 141 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x26ecb91327efa098 (2) eap: Finished EAP session with state 0x26ecb91327efa098 (2) eap: Previous EAP request found for state 0x26ecb91327efa098, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 131 bytes (2) eap_peap: Got complete TLS record (131 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 007e] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02ed] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x26ecb91324e8a098 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 235 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (2) EAP-Message = 0x010403ec19c00000048f160303003d0200003903038d3a1204d1b8331e273aa41d6f940848b75a78c30a3530d9444f574e4752440100c02f000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x26ecb91324e8a09834dbb54fecf0e9db (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 236 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (3) User-Name = "testing" (3) NAS-IP-Address = 10.225.251.10 (3) NAS-Port = 0 (3) NAS-Identifier = "172.16.6.62" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "0cf346e648f3" (3) Called-Station-Id = "removed" (3) Service-Type = Login-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x020400061900 (3) State = 0x26ecb91324e8a09834dbb54fecf0e9db (3) Aruba-Essid-Name = "wtf" (3) Aruba-Location-Id = "Building-A" (3) Aruba-AP-Group = "Cluster" (3) Message-Authenticator = 0x0ca5b03d33d32f13fa1d7fa508466f90 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testing", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x26ecb91324e8a098 (3) eap: Finished EAP session with state 0x26ecb91324e8a098 (3) eap: Previous EAP request found for state 0x26ecb91324e8a098, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 179 (3) eap: EAP session adding &reply:State = 0x26ecb91325e9a098 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 236 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (3) EAP-Message = 0x010500b3190021c7f360b873becbfa70b91b337e04c5a6311621341a44518886b69767800fca211ab4ddd1e5e10d9cd553895b1b1d948973e3959e053e09fa38f0964c9063e0f7a0bb9d5933236b3b07bab59dd46b46b1bbdcc397f7be6c45bcc193ab1127f61adca3aa6a987813a4352f081dc792fd5d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x26ecb91325e9a09834dbb54fecf0e9db (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 237 from 10.225.251.10:52377 to 172.16.2.4:1812 length 329 (4) User-Name = "testing" (4) NAS-IP-Address = 10.225.251.10 (4) NAS-Port = 0 (4) NAS-Identifier = "172.16.6.62" (4) NAS-Port-Type = Wireless-802.11 (4) Calling-Station-Id = "0cf346e648f3" (4) Called-Station-Id = "removed" (4) Service-Type = Login-User (4) Framed-MTU = 1100 (4) EAP-Message = 0x0205008819800000007e1603030046100000424104d51ed9058fa13b42818aeed7c2d686aac07c3682ee808b17625b4e1c511314e62eb452b1449b24311a9a55961f811a931966f08055b69ce5589356585ac9847a140303000101160303002800000000000000000a3e6bdb506872b81bc568b13f53b0 (4) State = 0x26ecb91325e9a09834dbb54fecf0e9db (4) Aruba-Essid-Name = "wtf" (4) Aruba-Location-Id = "Building-A" (4) Aruba-AP-Group = "Cluster" (4) Message-Authenticator = 0x72178224b9c9119753955ab0e5f3b71f (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "testing", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x26ecb91325e9a098 (4) eap: Finished EAP session with state 0x26ecb91325e9a098 (4) eap: Previous EAP request found for state 0x26ecb91325e9a098, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 57 (4) eap: EAP session adding &reply:State = 0x26ecb91322eaa098 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 237 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (4) EAP-Message = 0x0106003919001403030001011603030028dd27973f8182c94ca4f1925e99fd7a9230f8231af5e52990249dea19962109ae1227daa1aa18f296 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x26ecb91322eaa09834dbb54fecf0e9db (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 238 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (5) User-Name = "testing" (5) NAS-IP-Address = 10.225.251.10 (5) NAS-Port = 0 (5) NAS-Identifier = "172.16.6.62" (5) NAS-Port-Type = Wireless-802.11 (5) Calling-Station-Id = "0cf346e648f3" (5) Called-Station-Id = "removed" (5) Service-Type = Login-User (5) Framed-MTU = 1100 (5) EAP-Message = 0x020600061900 (5) State = 0x26ecb91322eaa09834dbb54fecf0e9db (5) Aruba-Essid-Name = "wtf" (5) Aruba-Location-Id = "Building-A" (5) Aruba-AP-Group = "Cluster" (5) Message-Authenticator = 0xcf603138502bf912302edf3d39c0bade (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "testing", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x26ecb91322eaa098 (5) eap: Finished EAP session with state 0x26ecb91322eaa098 (5) eap: Previous EAP request found for state 0x26ecb91322eaa098, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 7 length 40 (5) eap: EAP session adding &reply:State = 0x26ecb91323eba098 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 238 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (5) EAP-Message = 0x010700281900170303001ddd27973f8182c94d6975d89772745d4712cd702dfaa3c80366c524bb9b (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x26ecb91323eba09834dbb54fecf0e9db (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 239 from 10.225.251.10:52377 to 172.16.2.4:1812 length 236 (6) User-Name = "testing" (6) NAS-IP-Address = 10.225.251.10 (6) NAS-Port = 0 (6) NAS-Identifier = "172.16.6.62" (6) NAS-Port-Type = Wireless-802.11 (6) Calling-Station-Id = "0cf346e648f3" (6) Called-Station-Id = "removed" (6) Service-Type = Login-User (6) Framed-MTU = 1100 (6) EAP-Message = 0x0207002b190017030300200000000000000001b79a353c2acffa5086f5d27b61130dc019f2fc2f117920c2 (6) State = 0x26ecb91323eba09834dbb54fecf0e9db (6) Aruba-Essid-Name = "wtf" (6) Aruba-Location-Id = "Building-A" (6) Aruba-AP-Group = "Cluster" (6) Message-Authenticator = 0x305948d9985d10f1fc907ab52fb03b57 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testing", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x26ecb91323eba098 (6) eap: Finished EAP session with state 0x26ecb91323eba098 (6) eap: Previous EAP request found for state 0x26ecb91323eba098, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - testing (6) eap_peap: Got inner identity 'testing' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (6) eap_peap: Setting User-Name to testing (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "testing" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0207000c0174657374696e67 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "testing" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "testing", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 12 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 43 (6) eap: EAP session adding &reply:State = 0x2ea1368a2ea92c2a (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0108002b1a010800261084853adf713aeb5b9367bccd0e5ae601667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 74 (6) eap: EAP session adding &reply:State = 0x26ecb91320e4a098 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 239 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (6) EAP-Message = 0x0108004a1900170303003fdd27973f8182c94ebae01294a307e163cb7811f64a56fb051792c4356b4bb2eaa2ba42fab24fd88c8e8d86d894a8bffddf1f32a9ce4f8a260a190661e0a4bb (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x26ecb91320e4a09834dbb54fecf0e9db (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 240 from 10.225.251.10:52377 to 172.16.2.4:1812 length 290 (7) User-Name = "testing" (7) NAS-IP-Address = 10.225.251.10 (7) NAS-Port = 0 (7) NAS-Identifier = "172.16.6.62" (7) NAS-Port-Type = Wireless-802.11 (7) Calling-Station-Id = "0cf346e648f3" (7) Called-Station-Id = "removed" (7) Service-Type = Login-User (7) Framed-MTU = 1100 (7) EAP-Message = 0x0208006119001703030056000000000000000255e3756b8198a325c561878777ec4d23e1317189f62014fa5f28ffc199956b64f7afd4cee0939fb0fe438e01f6fd074d24246fa6acd514ebdbc9e56f1d7cd50bf6782b0b1bb618564742e1f65e0d (7) State = 0x26ecb91320e4a09834dbb54fecf0e9db (7) Aruba-Essid-Name = "wtf" (7) Aruba-Location-Id = "Building-A" (7) Aruba-AP-Group = "Cluster" (7) Message-Authenticator = 0x249f707d7c4b10a7db58fa0192977675 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testing", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 97 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x2ea1368a2ea92c2a (7) eap: Finished EAP session with state 0x26ecb91320e4a098 (7) eap: Previous EAP request found for state 0x26ecb91320e4a098, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) eap_peap: Setting User-Name to testing (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "testing" (7) eap_peap: State = 0x2ea1368a2ea92c2ab71bf7409912d765 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020800421a0208003d31f5f81f06d523e49c46444b5ea79bbc7f0000000000000000d4efc0e6e084153be5618a6dfdd5ad08a74e5d07c8d528c10074657374696e67 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "testing" (7) State = 0x2ea1368a2ea92c2ab71bf7409912d765 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "testing", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 66 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: users: Matched entry testing at line 1 (7) [files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x2ea1368a2ea92c2a (7) eap: Finished EAP session with state 0x2ea1368a2ea92c2a (7) eap: Previous EAP request found for state 0x2ea1368a2ea92c2a, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: testing (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 9 length 51 (7) eap: EAP session adding &reply:State = 0x2ea1368a2fa82c2a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d32334644333531354545374644334331383431303434413139373244324238353932313441464636 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 9 length 82 (7) eap: EAP session adding &reply:State = 0x26ecb91321e5a098 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 240 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (7) EAP-Message = 0x0109005219001703030047dd27973f8182c94f61e31c86381c9ec1a5e493e2a1e053f284bea160e03e1ea47f03e0b7ea785681c214523240b4a271cdb9dfe8d8c3f23c007deb6e9ce44595120fecd4003694 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x26ecb91321e5a09834dbb54fecf0e9db (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 241 from 10.225.251.10:52377 to 172.16.2.4:1812 length 230 (8) User-Name = "testing" (8) NAS-IP-Address = 10.225.251.10 (8) NAS-Port = 0 (8) NAS-Identifier = "172.16.6.62" (8) NAS-Port-Type = Wireless-802.11 (8) Calling-Station-Id = "0cf346e648f3" (8) Called-Station-Id = "removed" (8) Service-Type = Login-User (8) Framed-MTU = 1100 (8) EAP-Message = 0x020900251900170303001a0000000000000003c6ffb6d7d0fe9efaa852faca49166d526817 (8) State = 0x26ecb91321e5a09834dbb54fecf0e9db (8) Aruba-Essid-Name = "wtf" (8) Aruba-Location-Id = "Building-A" (8) Aruba-AP-Group = "Cluster" (8) Message-Authenticator = 0x1222cf19f68850add1e1ced0f33858cb (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testing", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x2ea1368a2fa82c2a (8) eap: Finished EAP session with state 0x26ecb91321e5a098 (8) eap: Previous EAP request found for state 0x26ecb91321e5a098, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to testing (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "testing" (8) eap_peap: State = 0x2ea1368a2fa82c2ab71bf7409912d765 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "testing" (8) State = 0x2ea1368a2fa82c2ab71bf7409912d765 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testing", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: users: Matched entry testing at line 1 (8) [files] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x2ea1368a2fa82c2a (8) eap: Finished EAP session with state 0x2ea1368a2fa82c2a (8) eap: Previous EAP request found for state 0x2ea1368a2fa82c2a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) post-auth { (8) if (1) { (8) if (1) -> TRUE (8) if (1) { (8) update reply { (8) User-Name !* ANY (8) Message-Authenticator !* ANY (8) EAP-Message !* ANY (8) Proxy-State !* ANY (8) MS-MPPE-Encryption-Types !* ANY (8) MS-MPPE-Encryption-Policy !* ANY (8) MS-MPPE-Send-Key !* ANY (8) MS-MPPE-Recv-Key !* ANY (8) } # update reply = noop (8) update { (8) No attributes updated (8) } # update = noop (8) } # if (1) = noop (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 10 length 46 (8) eap: EAP session adding &reply:State = 0x26ecb9132ee6a098 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 241 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (8) EAP-Message = 0x010a002e19001703030023dd27973f8182c9506b6c812b8d338645bb98f38584dc0f5ff7f6ca62583242b986081b (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x26ecb9132ee6a09834dbb54fecf0e9db (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 242 from 10.225.251.10:52377 to 172.16.2.4:1812 length 239 (9) User-Name = "testing" (9) NAS-IP-Address = 10.225.251.10 (9) NAS-Port = 0 (9) NAS-Identifier = "172.16.6.62" (9) NAS-Port-Type = Wireless-802.11 (9) Calling-Station-Id = "0cf346e648f3" (9) Called-Station-Id = "removed" (9) Service-Type = Login-User (9) Framed-MTU = 1100 (9) EAP-Message = 0x020a002e190017030300230000000000000004f6b4015bb76668d7defe5fbaa272b19d37cb7660b5f38334a55592 (9) State = 0x26ecb9132ee6a09834dbb54fecf0e9db (9) Aruba-Essid-Name = "wtf" (9) Aruba-Location-Id = "Building-A" (9) Aruba-AP-Group = "Cluster" (9) Message-Authenticator = 0xbfeb9e46ea138b7b564ba6f041b2ab71 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "testing", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x26ecb9132ee6a098 (9) eap: Finished EAP session with state 0x26ecb9132ee6a098 (9) eap: Previous EAP request found for state 0x26ecb9132ee6a098, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 10 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 242 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (9) MS-MPPE-Recv-Key = 0x0ea59c83fc37bd0daeaa9242a6e0cf94e51dd3ece25ac81cfaffbc9946c94522 (9) MS-MPPE-Send-Key = 0x7a5be9e771c473a5ed942fa234930a4051f6461b0157dc51f5de7c2391d16022 (9) EAP-Message = 0x030a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "testing" (9) Finished request Waking up in 4.8 seconds. (10) Received Accounting-Request Id 243 from 10.225.251.10:52377 to 172.16.2.4:1813 length 218 (10) Acct-Status-Type = Start (10) NAS-IP-Address = 10.225.251.10 (10) User-Name = "testing" (10) NAS-Port = 0 (10) NAS-Port-Type = Wireless-802.11 (10) Calling-Station-Id = "0cf346e648f3" (10) Called-Station-Id = "removed" (10) Framed-IP-Address = 10.225.251.61 (10) Acct-Multi-Session-Id = "0CF346E648F3-1679732014" (10) Acct-Session-Id = "F05C1986E387-0CF346E648F3-641EAD2F-9DA8F" (10) Acct-Delay-Time = 0 (10) Aruba-Essid-Name = "wtf" (10) Aruba-Location-Id = "Building-A" (10) Aruba-User-Vlan = 51 (10) Acct-Authentic = 0 (10) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (10) preacct { (10) [preprocess] = ok (10) policy acct_unique { (10) update request { (10) &Tmp-String-9 := "ai:" (10) } # update request = noop (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (10) EXPAND %{hex:&Class} (10) --> (10) EXPAND ^%{hex:&Tmp-String-9} (10) --> ^61693a (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (10) else { (10) update request { (10) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (10) --> f50bcba9a953cd64b2995ff219b0e0bc (10) &Acct-Unique-Session-Id := f50bcba9a953cd64b2995ff219b0e0bc (10) } # update request = noop (10) } # else = noop (10) } # policy acct_unique = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "testing", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) [files] = noop (10) } # preacct = ok (10) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (10) accounting { (10) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (10) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (10) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (10) detail: EXPAND %t (10) detail: --> Sat Mar 25 13:43:35 2023 (10) [detail] = ok (10) [unix] = ok (10) [exec] = noop (10) attr_filter.accounting_response: EXPAND %{User-Name} (10) attr_filter.accounting_response: --> testing (10) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (10) [attr_filter.accounting_response] = updated (10) } # accounting = updated (10) Sent Accounting-Response Id 243 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (10) Finished request (10) Cleaning up request packet ID 243 with timestamp +29 Waking up in 4.7 seconds. (0) Cleaning up request packet ID 233 with timestamp +29 (1) Cleaning up request packet ID 234 with timestamp +29 (2) Cleaning up request packet ID 235 with timestamp +29 (3) Cleaning up request packet ID 236 with timestamp +29 (4) Cleaning up request packet ID 237 with timestamp +29 (5) Cleaning up request packet ID 238 with timestamp +29 (6) Cleaning up request packet ID 239 with timestamp +29 (7) Cleaning up request packet ID 240 with timestamp +29 (8) Cleaning up request packet ID 241 with timestamp +29 (9) Cleaning up request packet ID 242 with timestamp +29 Ready to process requests (11) Received Access-Request Id 244 from 10.225.251.10:52377 to 172.16.2.4:1812 length 187 (11) User-Name = "testing" (11) NAS-IP-Address = 10.225.251.10 (11) NAS-Port = 0 (11) NAS-Identifier = "172.16.6.62" (11) NAS-Port-Type = Wireless-802.11 (11) Calling-Station-Id = "06ad2e0b874b" (11) Called-Station-Id = "removed" (11) Service-Type = Login-User (11) Framed-MTU = 1100 (11) EAP-Message = 0x0201000c0174657374696e67 (11) Aruba-Essid-Name = "wtf" (11) Aruba-Location-Id = "Building-A" (11) Aruba-AP-Group = "Cluster" (11) Message-Authenticator = 0x226998c0a30b9bc73e64a5278ff8df75 (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "testing", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 1 length 12 (11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) authenticate { (11) eap: Peer sent packet with method EAP Identity (1) (11) eap: Calling submodule eap_md5 to process data (11) eap_md5: Issuing MD5 Challenge (11) eap: Sending EAP Request (code 1) ID 2 length 22 (11) eap: EAP session adding &reply:State = 0xbb30d846bb32dce8 (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 244 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (11) EAP-Message = 0x0102001604102aabbe281b9b4ef7b6791e1a0e2f0e84 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xbb30d846bb32dce8d4ac4e5dffc91c7d (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 245 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (12) User-Name = "testing" (12) NAS-IP-Address = 10.225.251.10 (12) NAS-Port = 0 (12) NAS-Identifier = "172.16.6.62" (12) NAS-Port-Type = Wireless-802.11 (12) Calling-Station-Id = "06ad2e0b874b" (12) Called-Station-Id = "removed" (12) Service-Type = Login-User (12) Framed-MTU = 1100 (12) EAP-Message = 0x020200060319 (12) State = 0xbb30d846bb32dce8d4ac4e5dffc91c7d (12) Aruba-Essid-Name = "wtf" (12) Aruba-Location-Id = "Building-A" (12) Aruba-AP-Group = "Cluster" (12) Message-Authenticator = 0x488b93679e0ff25cabd26b6cd61599b9 (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "testing", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 2 length 6 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) files: users: Matched entry testing at line 1 (12) [files] = ok (12) [expiration] = noop (12) [logintime] = noop (12) pap: WARNING: Auth-Type already set. Not setting to PAP (12) [pap] = noop (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0xbb30d846bb32dce8 (12) eap: Finished EAP session with state 0xbb30d846bb32dce8 (12) eap: Previous EAP request found for state 0xbb30d846bb32dce8, released from the list (12) eap: Peer sent packet with method EAP NAK (3) (12) eap: Found mutually acceptable type PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: Initiating new EAP-TLS session (12) eap_peap: [eaptls start] = request (12) eap: Sending EAP Request (code 1) ID 3 length 6 (12) eap: EAP session adding &reply:State = 0xbb30d846ba33c1e8 (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 245 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (12) EAP-Message = 0x010300061920 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0xbb30d846ba33c1e8d4ac4e5dffc91c7d (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 246 from 10.225.251.10:52377 to 172.16.2.4:1812 length 334 (13) User-Name = "testing" (13) NAS-IP-Address = 10.225.251.10 (13) NAS-Port = 0 (13) NAS-Identifier = "172.16.6.62" (13) NAS-Port-Type = Wireless-802.11 (13) Calling-Station-Id = "06ad2e0b874b" (13) Called-Station-Id = "removed" (13) Service-Type = Login-User (13) Framed-MTU = 1100 (13) EAP-Message = 0x0203008d198000000083160301007e0100007a0303ac80a1e0cfb54d63b1b8b1ebe9fd9a28499814f0094affe277d8f45891311a7b00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d (13) State = 0xbb30d846ba33c1e8d4ac4e5dffc91c7d (13) Aruba-Essid-Name = "wtf" (13) Aruba-Location-Id = "Building-A" (13) Aruba-AP-Group = "Cluster" (13) Message-Authenticator = 0xe7149581d1b428b6b5bf8b4df035ca6e (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "testing", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 3 length 141 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0xbb30d846ba33c1e8 (13) eap: Finished EAP session with state 0xbb30d846ba33c1e8 (13) eap: Previous EAP request found for state 0xbb30d846ba33c1e8, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: Peer indicated complete TLS record size will be 131 bytes (13) eap_peap: Got complete TLS record (131 bytes) (13) eap_peap: [eaptls verify] = length included (13) eap_peap: (other): before SSL initialization (13) eap_peap: TLS_accept: before SSL initialization (13) eap_peap: TLS_accept: before SSL initialization (13) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 007e] (13) eap_peap: TLS_accept: SSLv3/TLS read client hello (13) eap_peap: >>> send TLS 1.2 [length 003d] (13) eap_peap: TLS_accept: SSLv3/TLS write server hello (13) eap_peap: >>> send TLS 1.2 [length 02ed] (13) eap_peap: TLS_accept: SSLv3/TLS write certificate (13) eap_peap: >>> send TLS 1.2 [length 014d] (13) eap_peap: TLS_accept: SSLv3/TLS write key exchange (13) eap_peap: >>> send TLS 1.2 [length 0004] (13) eap_peap: TLS_accept: SSLv3/TLS write server done (13) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (13) eap_peap: In SSL Handshake Phase (13) eap_peap: In SSL Accept mode (13) eap_peap: [eaptls process] = handled (13) eap: Sending EAP Request (code 1) ID 4 length 1004 (13) eap: EAP session adding &reply:State = 0xbb30d846b934c1e8 (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 246 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (13) EAP-Message = 0x010403ec19c00000048f160303003d020000390303ce804def818f33b72d5290f269346761c0174b90392d63cf444f574e4752440100c02f000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0xbb30d846b934c1e8d4ac4e5dffc91c7d (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 247 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (14) User-Name = "testing" (14) NAS-IP-Address = 10.225.251.10 (14) NAS-Port = 0 (14) NAS-Identifier = "172.16.6.62" (14) NAS-Port-Type = Wireless-802.11 (14) Calling-Station-Id = "06ad2e0b874b" (14) Called-Station-Id = "removed" (14) Service-Type = Login-User (14) Framed-MTU = 1100 (14) EAP-Message = 0x020400061900 (14) State = 0xbb30d846b934c1e8d4ac4e5dffc91c7d (14) Aruba-Essid-Name = "wtf" (14) Aruba-Location-Id = "Building-A" (14) Aruba-AP-Group = "Cluster" (14) Message-Authenticator = 0x09a019e8b7748dd384ded96b90487c23 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "testing", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 4 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0xbb30d846b934c1e8 (14) eap: Finished EAP session with state 0xbb30d846b934c1e8 (14) eap: Previous EAP request found for state 0xbb30d846b934c1e8, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer ACKed our handshake fragment (14) eap_peap: [eaptls verify] = request (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 5 length 179 (14) eap: EAP session adding &reply:State = 0xbb30d846b835c1e8 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 247 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (14) EAP-Message = 0x010500b319004b062413d146deea5af650c4d176b054f6bea9d1f35f00f7ee65ad4a65f229c64167c739a51b216a4a4f284063b0fab80a743fc68e912ffb12011fc9340b15e0b90037aebb2fc7dc8472e8fa37c8e89d5394268a92f2991493ce624c2722bc1df2f42342589abc220092edd96e78a1bb7b (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0xbb30d846b835c1e8d4ac4e5dffc91c7d (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 248 from 10.225.251.10:52377 to 172.16.2.4:1812 length 329 (15) User-Name = "testing" (15) NAS-IP-Address = 10.225.251.10 (15) NAS-Port = 0 (15) NAS-Identifier = "172.16.6.62" (15) NAS-Port-Type = Wireless-802.11 (15) Calling-Station-Id = "06ad2e0b874b" (15) Called-Station-Id = "removed" (15) Service-Type = Login-User (15) Framed-MTU = 1100 (15) EAP-Message = 0x0205008819800000007e1603030046100000424104a0764b4f1161a0da2cb31cb2304059a4e88c3758d26baeafc5dce494af6b49009edd0e37c5c4c275958cd7f9f5d739094741d530dee468e859e5f38a4d0a785614030300010116030300280000000000000000e7a05889da33645bc83c4cb6667024 (15) State = 0xbb30d846b835c1e8d4ac4e5dffc91c7d (15) Aruba-Essid-Name = "wtf" (15) Aruba-Location-Id = "Building-A" (15) Aruba-AP-Group = "Cluster" (15) Message-Authenticator = 0x0f0a1f0a76d70586c876d8425371f243 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "testing", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 5 length 136 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0xbb30d846b835c1e8 (15) eap: Finished EAP session with state 0xbb30d846b835c1e8 (15) eap: Previous EAP request found for state 0xbb30d846b835c1e8, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer indicated complete TLS record size will be 126 bytes (15) eap_peap: Got complete TLS record (126 bytes) (15) eap_peap: [eaptls verify] = length included (15) eap_peap: TLS_accept: SSLv3/TLS write server done (15) eap_peap: <<< recv TLS 1.2 [length 0046] (15) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (15) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (15) eap_peap: <<< recv TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3/TLS read finished (15) eap_peap: >>> send TLS 1.2 [length 0001] (15) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (15) eap_peap: >>> send TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3/TLS write finished (15) eap_peap: (other): SSL negotiation finished successfully (15) eap_peap: SSL Connection Established (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 6 length 57 (15) eap: EAP session adding &reply:State = 0xbb30d846bf36c1e8 (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 248 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (15) EAP-Message = 0x01060039190014030300010116030300284201276eba70648c4775e39c857a1aa878536f8d697f772bb04b977b86c33e27d40197981b4f839a (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0xbb30d846bf36c1e8d4ac4e5dffc91c7d (15) Finished request Waking up in 4.9 seconds. (16) Received Access-Request Id 249 from 10.225.251.10:52377 to 172.16.2.4:1812 length 199 (16) User-Name = "testing" (16) NAS-IP-Address = 10.225.251.10 (16) NAS-Port = 0 (16) NAS-Identifier = "172.16.6.62" (16) NAS-Port-Type = Wireless-802.11 (16) Calling-Station-Id = "06ad2e0b874b" (16) Called-Station-Id = "removed" (16) Service-Type = Login-User (16) Framed-MTU = 1100 (16) EAP-Message = 0x020600061900 (16) State = 0xbb30d846bf36c1e8d4ac4e5dffc91c7d (16) Aruba-Essid-Name = "wtf" (16) Aruba-Location-Id = "Building-A" (16) Aruba-AP-Group = "Cluster" (16) Message-Authenticator = 0x5d7556cb27c97467b088fe568724e3c2 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "testing", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 6 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0xbb30d846bf36c1e8 (16) eap: Finished EAP session with state 0xbb30d846bf36c1e8 (16) eap: Previous EAP request found for state 0xbb30d846bf36c1e8, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer ACKed our handshake fragment. handshake is finished (16) eap_peap: [eaptls verify] = success (16) eap_peap: [eaptls process] = success (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state TUNNEL ESTABLISHED (16) eap: Sending EAP Request (code 1) ID 7 length 40 (16) eap: EAP session adding &reply:State = 0xbb30d846be37c1e8 (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 249 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (16) EAP-Message = 0x010700281900170303001d4201276eba70648d3b620ce7536e8c53900d37371466508abf55213857 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0xbb30d846be37c1e8d4ac4e5dffc91c7d (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 250 from 10.225.251.10:52377 to 172.16.2.4:1812 length 236 (17) User-Name = "testing" (17) NAS-IP-Address = 10.225.251.10 (17) NAS-Port = 0 (17) NAS-Identifier = "172.16.6.62" (17) NAS-Port-Type = Wireless-802.11 (17) Calling-Station-Id = "06ad2e0b874b" (17) Called-Station-Id = "removed" (17) Service-Type = Login-User (17) Framed-MTU = 1100 (17) EAP-Message = 0x0207002b1900170303002000000000000000017ab663bea468e74c54fb1cec7c5bf9ee306ceff0c6d2f249 (17) State = 0xbb30d846be37c1e8d4ac4e5dffc91c7d (17) Aruba-Essid-Name = "wtf" (17) Aruba-Location-Id = "Building-A" (17) Aruba-AP-Group = "Cluster" (17) Message-Authenticator = 0x14d294600ff184197766e4e7d44c7d13 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 7 length 43 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0xbb30d846be37c1e8 (17) eap: Finished EAP session with state 0xbb30d846be37c1e8 (17) eap: Previous EAP request found for state 0xbb30d846be37c1e8, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: [eaptls verify] = ok (17) eap_peap: Done initial handshake (17) eap_peap: [eaptls process] = ok (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state WAITING FOR INNER IDENTITY (17) eap_peap: Identity - testing (17) eap_peap: Got inner identity 'testing' (17) eap_peap: Setting default EAP type for tunneled EAP session (17) eap_peap: Got tunneled request (17) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (17) eap_peap: Setting User-Name to testing (17) eap_peap: Sending tunneled request to inner-tunnel (17) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_peap: User-Name = "testing" (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x0207000c0174657374696e67 (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "testing" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [chap] = noop (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop (17) eap: Peer sent EAP Response (code 2) ID 7 length 12 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: Issuing Challenge (17) eap: Sending EAP Request (code 1) ID 8 length 43 (17) eap: EAP session adding &reply:State = 0xee7e375dee762d2c (17) [eap] = handled (17) } # authenticate = handled (17) } # server inner-tunnel (17) Virtual server sending reply (17) EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled reply code 11 (17) eap_peap: EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled reply RADIUS code 11 (17) eap_peap: EAP-Message = 0x0108002b1a01080026104a0033ce0718110cf2abb2b7768e5d1e667265657261646975732d332e302e3136 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (17) eap_peap: Got tunneled Access-Challenge (17) eap: Sending EAP Request (code 1) ID 8 length 74 (17) eap: EAP session adding &reply:State = 0xbb30d846bd38c1e8 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 250 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (17) EAP-Message = 0x0108004a1900170303003f4201276eba70648e8aa60e9cc363cf6285913d08cfba8a1b001a814fca6b0a1fa428123f8cfa8dd46a9a3f3c9a28f8eac9286e7fe6efb84e54768028883f30 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0xbb30d846bd38c1e8d4ac4e5dffc91c7d (17) Finished request Waking up in 4.7 seconds. (18) Received Access-Request Id 251 from 10.225.251.10:52377 to 172.16.2.4:1812 length 290 (18) User-Name = "testing" (18) NAS-IP-Address = 10.225.251.10 (18) NAS-Port = 0 (18) NAS-Identifier = "172.16.6.62" (18) NAS-Port-Type = Wireless-802.11 (18) Calling-Station-Id = "06ad2e0b874b" (18) Called-Station-Id = "removed" (18) Service-Type = Login-User (18) Framed-MTU = 1100 (18) EAP-Message = 0x02080061190017030300560000000000000002bd616127f9f4538bdfc0c4c3a370af2d4395e40d18319e3d2b9ba513cda95c8d728e01a017dd652dec6cc8677efc8468f3703880a0f2205707186895b0ecb61099e571ce149c5e61c8a9c310158e (18) State = 0xbb30d846bd38c1e8d4ac4e5dffc91c7d (18) Aruba-Essid-Name = "wtf" (18) Aruba-Location-Id = "Building-A" (18) Aruba-AP-Group = "Cluster" (18) Message-Authenticator = 0x828d76d65586579076d531392c3accd6 (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 8 length 97 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0xee7e375dee762d2c (18) eap: Finished EAP session with state 0xbb30d846bd38c1e8 (18) eap: Previous EAP request found for state 0xbb30d846bd38c1e8, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: [eaptls verify] = ok (18) eap_peap: Done initial handshake (18) eap_peap: [eaptls process] = ok (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state phase2 (18) eap_peap: EAP method MSCHAPv2 (26) (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) eap_peap: Setting User-Name to testing (18) eap_peap: Sending tunneled request to inner-tunnel (18) eap_peap: EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "testing" (18) eap_peap: State = 0xee7e375dee762d2c9ed555c269b92565 (18) Virtual server inner-tunnel received request (18) EAP-Message = 0x020800421a0208003d31c1786ac1466cb5941e97a205bc31cbb800000000000000009fadb90f90a03108ff6d84284c102dfef3b2db1e77b9b6a50074657374696e67 (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "testing" (18) State = 0xee7e375dee762d2c9ed555c269b92565 (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server inner-tunnel { (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [chap] = noop (18) [mschap] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) update control { (18) &Proxy-To-Realm := LOCAL (18) } # update control = noop (18) eap: Peer sent EAP Response (code 2) ID 8 length 66 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) files: users: Matched entry testing at line 1 (18) [files] = ok (18) [expiration] = noop (18) [logintime] = noop (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) authenticate { (18) eap: Expiring EAP session with state 0xee7e375dee762d2c (18) eap: Finished EAP session with state 0xee7e375dee762d2c (18) eap: Previous EAP request found for state 0xee7e375dee762d2c, released from the list (18) eap: Peer sent packet with method EAP MSCHAPv2 (26) (18) eap: Calling submodule eap_mschapv2 to process data (18) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (18) eap_mschapv2: authenticate { (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: testing (18) mschap: Client is using MS-CHAPv2 (18) mschap: Adding MS-CHAPv2 MPPE keys (18) [mschap] = ok (18) } # authenticate = ok (18) MSCHAP Success (18) eap: Sending EAP Request (code 1) ID 9 length 51 (18) eap: EAP session adding &reply:State = 0xee7e375def772d2c (18) [eap] = handled (18) } # authenticate = handled (18) } # server inner-tunnel (18) Virtual server sending reply (18) EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled reply code 11 (18) eap_peap: EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled reply RADIUS code 11 (18) eap_peap: EAP-Message = 0x010900331a0308002e533d31333238314544374343433133353831374141323541453745374537434235454330363736363833 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (18) eap_peap: Got tunneled Access-Challenge (18) eap: Sending EAP Request (code 1) ID 9 length 82 (18) eap: EAP session adding &reply:State = 0xbb30d846bc39c1e8 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) Sent Access-Challenge Id 251 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (18) EAP-Message = 0x01090052190017030300474201276eba70648fc8e92f391280d5fe3c398af80b47b9c5e66793fc7999a5cbd618c8f37c5c1b7142f79c39782f0cda89c8c5f308c8fcc2101e943996179e0d1066c184925566 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0xbb30d846bc39c1e8d4ac4e5dffc91c7d (18) Finished request Waking up in 4.7 seconds. (19) Received Access-Request Id 252 from 10.225.251.10:52377 to 172.16.2.4:1812 length 230 (19) User-Name = "testing" (19) NAS-IP-Address = 10.225.251.10 (19) NAS-Port = 0 (19) NAS-Identifier = "172.16.6.62" (19) NAS-Port-Type = Wireless-802.11 (19) Calling-Station-Id = "06ad2e0b874b" (19) Called-Station-Id = "removed" (19) Service-Type = Login-User (19) Framed-MTU = 1100 (19) EAP-Message = 0x020900251900170303001a00000000000000034ab686ec9309d5efe6560664c3957f46370b (19) State = 0xbb30d846bc39c1e8d4ac4e5dffc91c7d (19) Aruba-Essid-Name = "wtf" (19) Aruba-Location-Id = "Building-A" (19) Aruba-AP-Group = "Cluster" (19) Message-Authenticator = 0x2198a78e45accbd8224cc6014c7db134 (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 9 length 37 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0xee7e375def772d2c (19) eap: Finished EAP session with state 0xbb30d846bc39c1e8 (19) eap: Previous EAP request found for state 0xbb30d846bc39c1e8, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state phase2 (19) eap_peap: EAP method MSCHAPv2 (26) (19) eap_peap: Got tunneled request (19) eap_peap: EAP-Message = 0x020900061a03 (19) eap_peap: Setting User-Name to testing (19) eap_peap: Sending tunneled request to inner-tunnel (19) eap_peap: EAP-Message = 0x020900061a03 (19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (19) eap_peap: User-Name = "testing" (19) eap_peap: State = 0xee7e375def772d2c9ed555c269b92565 (19) Virtual server inner-tunnel received request (19) EAP-Message = 0x020900061a03 (19) FreeRADIUS-Proxied-To = 127.0.0.1 (19) User-Name = "testing" (19) State = 0xee7e375def772d2c9ed555c269b92565 (19) WARNING: Outer and inner identities are the same. User privacy is compromised. (19) server inner-tunnel { (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [chap] = noop (19) [mschap] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) update control { (19) &Proxy-To-Realm := LOCAL (19) } # update control = noop (19) eap: Peer sent EAP Response (code 2) ID 9 length 6 (19) eap: No EAP Start, assuming it's an on-going EAP conversation (19) [eap] = updated (19) files: users: Matched entry testing at line 1 (19) [files] = ok (19) [expiration] = noop (19) [logintime] = noop (19) pap: WARNING: Auth-Type already set. Not setting to PAP (19) [pap] = noop (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) authenticate { (19) eap: Expiring EAP session with state 0xee7e375def772d2c (19) eap: Finished EAP session with state 0xee7e375def772d2c (19) eap: Previous EAP request found for state 0xee7e375def772d2c, released from the list (19) eap: Peer sent packet with method EAP MSCHAPv2 (26) (19) eap: Calling submodule eap_mschapv2 to process data (19) eap: Sending EAP Success (code 3) ID 9 length 4 (19) eap: Freeing handler (19) [eap] = ok (19) } # authenticate = ok (19) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (19) post-auth { (19) if (1) { (19) if (1) -> TRUE (19) if (1) { (19) update reply { (19) User-Name !* ANY (19) Message-Authenticator !* ANY (19) EAP-Message !* ANY (19) Proxy-State !* ANY (19) MS-MPPE-Encryption-Types !* ANY (19) MS-MPPE-Encryption-Policy !* ANY (19) MS-MPPE-Send-Key !* ANY (19) MS-MPPE-Recv-Key !* ANY (19) } # update reply = noop (19) update { (19) No attributes updated (19) } # update = noop (19) } # if (1) = noop (19) } # post-auth = noop (19) } # server inner-tunnel (19) Virtual server sending reply (19) eap_peap: Got tunneled reply code 2 (19) eap_peap: Got tunneled reply RADIUS code 2 (19) eap_peap: Tunneled authentication was successful (19) eap_peap: SUCCESS (19) eap: Sending EAP Request (code 1) ID 10 length 46 (19) eap: EAP session adding &reply:State = 0xbb30d846b33ac1e8 (19) [eap] = handled (19) } # authenticate = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) Sent Access-Challenge Id 252 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (19) EAP-Message = 0x010a002e190017030300234201276eba7064902d47ab407d6aea6dee89c758ae90760829c985d2bffc780063b0d8 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0xbb30d846b33ac1e8d4ac4e5dffc91c7d (19) Finished request Waking up in 4.6 seconds. (20) Received Access-Request Id 253 from 10.225.251.10:52377 to 172.16.2.4:1812 length 239 (20) User-Name = "testing" (20) NAS-IP-Address = 10.225.251.10 (20) NAS-Port = 0 (20) NAS-Identifier = "172.16.6.62" (20) NAS-Port-Type = Wireless-802.11 (20) Calling-Station-Id = "06ad2e0b874b" (20) Called-Station-Id = "removed" (20) Service-Type = Login-User (20) Framed-MTU = 1100 (20) EAP-Message = 0x020a002e190017030300230000000000000004e58fb57b705b3663b5b6addcd7d8a8d04dc22802a8dfe380422c66 (20) State = 0xbb30d846b33ac1e8d4ac4e5dffc91c7d (20) Aruba-Essid-Name = "wtf" (20) Aruba-Location-Id = "Building-A" (20) Aruba-AP-Group = "Cluster" (20) Message-Authenticator = 0xc49072610d2b6fb631f2905d88ae6abf (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "testing", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 10 length 46 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0xbb30d846b33ac1e8 (20) eap: Finished EAP session with state 0xbb30d846b33ac1e8 (20) eap: Previous EAP request found for state 0xbb30d846b33ac1e8, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: [eaptls verify] = ok (20) eap_peap: Done initial handshake (20) eap_peap: [eaptls process] = ok (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state send tlv success (20) eap_peap: Received EAP-TLV response (20) eap_peap: Success (20) eap: Sending EAP Success (code 3) ID 10 length 4 (20) eap: Freeing handler (20) [eap] = ok (20) } # authenticate = ok (20) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (20) post-auth { (20) update { (20) No attributes updated (20) } # update = noop (20) [exec] = noop (20) policy remove_reply_message_if_eap { (20) if (&reply:EAP-Message && &reply:Reply-Message) { (20) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (20) else { (20) [noop] = noop (20) } # else = noop (20) } # policy remove_reply_message_if_eap = noop (20) } # post-auth = noop (20) Sent Access-Accept Id 253 from 172.16.2.4:1812 to 10.225.251.10:52377 length 0 (20) MS-MPPE-Recv-Key = 0x8283e35b99b7b882bd65c95ec9192f5cecdda69b747efeebc9a46e2e9116023c (20) MS-MPPE-Send-Key = 0xee65f3c0cb02806b88fb67d9496cf06c4a4834e6e2e4c6dcb2fa2d92d7db171f (20) EAP-Message = 0x030a0004 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) User-Name = "testing" (20) Finished request Waking up in 4.6 seconds. (21) Received Accounting-Request Id 254 from 10.225.251.10:52377 to 172.16.2.4:1813 length 218 (21) Acct-Status-Type = Start (21) NAS-IP-Address = 10.225.251.10 (21) User-Name = "testing" (21) NAS-Port = 0 (21) NAS-Port-Type = Wireless-802.11 (21) Calling-Station-Id = "06ad2e0b874b" (21) Called-Station-Id = "removed" (21) Framed-IP-Address = 10.225.251.60 (21) Acct-Multi-Session-Id = "06AD2E0B874B-1679732048" (21) Acct-Session-Id = "F05C1986E387-06AD2E0B874B-641EAD51-695AE" (21) Acct-Delay-Time = 0 (21) Aruba-Essid-Name = "wtf" (21) Aruba-Location-Id = "Building-A" (21) Aruba-User-Vlan = 51 (21) Acct-Authentic = 0 (21) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (21) preacct { (21) [preprocess] = ok (21) policy acct_unique { (21) update request { (21) &Tmp-String-9 := "ai:" (21) } # update request = noop (21) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (21) EXPAND %{hex:&Class} (21) --> (21) EXPAND ^%{hex:&Tmp-String-9} (21) --> ^61693a (21) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (21) else { (21) update request { (21) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (21) --> 972d51b6ddd250023babc6265b81f320 (21) &Acct-Unique-Session-Id := 972d51b6ddd250023babc6265b81f320 (21) } # update request = noop (21) } # else = noop (21) } # policy acct_unique = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "testing", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) [files] = noop (21) } # preacct = ok (21) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (21) accounting { (21) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (21) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (21) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (21) detail: EXPAND %t (21) detail: --> Sat Mar 25 13:44:09 2023 (21) [detail] = ok (21) [unix] = ok (21) [exec] = noop (21) attr_filter.accounting_response: EXPAND %{User-Name} (21) attr_filter.accounting_response: --> testing (21) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (21) [attr_filter.accounting_response] = updated (21) } # accounting = updated (21) Sent Accounting-Response Id 254 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (21) Finished request (21) Cleaning up request packet ID 254 with timestamp +63 Waking up in 4.6 seconds. (11) Cleaning up request packet ID 244 with timestamp +63 (12) Cleaning up request packet ID 245 with timestamp +63 (13) Cleaning up request packet ID 246 with timestamp +63 (14) Cleaning up request packet ID 247 with timestamp +63 (15) Cleaning up request packet ID 248 with timestamp +63 (16) Cleaning up request packet ID 249 with timestamp +63 (17) Cleaning up request packet ID 250 with timestamp +63 (18) Cleaning up request packet ID 251 with timestamp +63 (19) Cleaning up request packet ID 252 with timestamp +63 (20) Cleaning up request packet ID 253 with timestamp +63 Ready to process requests (22) Received Accounting-Request Id 255 from 10.225.251.10:52377 to 172.16.2.4:1813 length 242 (22) Acct-Status-Type = Interim-Update (22) NAS-IP-Address = 10.225.251.10 (22) User-Name = "testing" (22) NAS-Port = 0 (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "0cf346e648f3" (22) Called-Station-Id = "removed" (22) Framed-IP-Address = 10.225.251.61 (22) Acct-Multi-Session-Id = "0CF346E648F3-1679732014" (22) Acct-Session-Id = "F05C1986E387-0CF346E648F3-641EAD2F-9DA8F" (22) Acct-Delay-Time = 0 (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-User-Vlan = 51 (22) Acct-Input-Octets = 40285 (22) Acct-Output-Octets = 5625 (22) Acct-Input-Packets = 370 (22) Acct-Output-Packets = 31 (22) Acct-Session-Time = 51 (22) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (22) preacct { (22) [preprocess] = ok (22) policy acct_unique { (22) update request { (22) &Tmp-String-9 := "ai:" (22) } # update request = noop (22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (22) EXPAND %{hex:&Class} (22) --> (22) EXPAND ^%{hex:&Tmp-String-9} (22) --> ^61693a (22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (22) else { (22) update request { (22) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (22) --> f50bcba9a953cd64b2995ff219b0e0bc (22) &Acct-Unique-Session-Id := f50bcba9a953cd64b2995ff219b0e0bc (22) } # update request = noop (22) } # else = noop (22) } # policy acct_unique = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) [files] = noop (22) } # preacct = ok (22) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (22) accounting { (22) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (22) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (22) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (22) detail: EXPAND %t (22) detail: --> Sat Mar 25 13:44:26 2023 (22) [detail] = ok (22) [unix] = noop (22) [exec] = noop (22) attr_filter.accounting_response: EXPAND %{User-Name} (22) attr_filter.accounting_response: --> testing (22) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (22) [attr_filter.accounting_response] = updated (22) } # accounting = updated (22) Sent Accounting-Response Id 255 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (22) Finished request (22) Cleaning up request packet ID 255 with timestamp +80 Ready to process requests (23) Received Accounting-Request Id 1 from 10.225.251.10:52377 to 172.16.2.4:1813 length 242 (23) Acct-Status-Type = Interim-Update (23) NAS-IP-Address = 10.225.251.10 (23) User-Name = "testing" (23) NAS-Port = 0 (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "06ad2e0b874b" (23) Called-Station-Id = "removed" (23) Framed-IP-Address = 10.225.251.60 (23) Acct-Multi-Session-Id = "06AD2E0B874B-1679732048" (23) Acct-Session-Id = "F05C1986E387-06AD2E0B874B-641EAD51-695AE" (23) Acct-Delay-Time = 0 (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-User-Vlan = 51 (23) Acct-Input-Octets = 13616 (23) Acct-Output-Octets = 2231 (23) Acct-Input-Packets = 403 (23) Acct-Output-Packets = 14 (23) Acct-Session-Time = 18 (23) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (23) preacct { (23) [preprocess] = ok (23) policy acct_unique { (23) update request { (23) &Tmp-String-9 := "ai:" (23) } # update request = noop (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (23) EXPAND %{hex:&Class} (23) --> (23) EXPAND ^%{hex:&Tmp-String-9} (23) --> ^61693a (23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (23) else { (23) update request { (23) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (23) --> 972d51b6ddd250023babc6265b81f320 (23) &Acct-Unique-Session-Id := 972d51b6ddd250023babc6265b81f320 (23) } # update request = noop (23) } # else = noop (23) } # policy acct_unique = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) [files] = noop (23) } # preacct = ok (23) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (23) accounting { (23) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (23) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (23) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230325 (23) detail: EXPAND %t (23) detail: --> Sat Mar 25 13:44:26 2023 (23) [detail] = ok (23) [unix] = noop (23) [exec] = noop (23) attr_filter.accounting_response: EXPAND %{User-Name} (23) attr_filter.accounting_response: --> testing (23) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (23) [attr_filter.accounting_response] = updated (23) } # accounting = updated (23) Sent Accounting-Response Id 1 from 172.16.2.4:1813 to 10.225.251.10:52377 length 0 (23) Finished request (23) Cleaning up request packet ID 1 with timestamp +80 Ready to process requests On Wednesday, 22 March, 2023, 09:25:13 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Mar 22, 2023, at 11:44 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.
Are you talking about "authorized_macs" file or mac mapped(Calling-Station-Id) to particular user in users file ?.
If that's where you want to put MAC addresses, yes.
The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.
Is it not possible to grab Calling-Station-Id from Access-Request and check against db ?.
That's not what I said.
Somewhere i read additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP / SLIP ?.
No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 25, 2023, at 8:03 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have installed freeradius without sql integration for testing.
1, changed # Instead of "use_tunneled_reply", value to "if (1) {. 2, users file have following entry on top. testing Password := "password", Calling-Station-Id := "0cf346e648f3
I'm pretty sure that won't do what you want, I suggest reading the documentation to see how the operators work in the "users" file.
Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject.
The debug log will show whu.
I'm not sure if this happen due to any stale sessions,
Authentication has nothing to do with stale sessions. What you want is s policy which says: if user is X and MAC is not Y reject So... write that in "unlang". What you wrote in the "users" file doesn't do that, and doesn't follow the documentation for the "users" file. Alan DeKok.
testing Password := "password", Calling-Station-Id := "0cf346e648f3 I'm pretty sure that won't do what you want, I suggest reading the documentation to see how the operators work in the "users" file.
My bad, have used "==" operator with "users" file. The following in radcheck is working, is it possible to add multiple mac-addr values ?. I tried adding 3rd row with different mac-addr, it did not work. +----+--------------+--------------------+----+--------------+ | id | username | attribute | op | value | +----+--------------+--------------------+----+--------------+ | 1 | testing | Cleartext-Password | := | password | | 2 | testing | Calling-Station-Id | == | 1002b52c096b | +----+--------------+--------------------+----+--------------+
What you want is s policy which says:
if user is X and MAC is not Y reject
Where to add this query ?. In sites-enabled/default, under authenticate {} or authorize {} section or somewhere else ?. I have created new mac-address table for this, mapped against username. mysql> select * from macaddrlist; +----+--------------+--------------+----------+----------+ | id | username | macaddr1 | macaddr2 | macaddr3 | +----+--------------+--------------+----------+----------+ | 1 | testing | 1002b52c096b | NULL | NULL | +----+--------------+--------------+----------+----------+ 1 row in set (0.00 sec) thanks, On Saturday, 25 March, 2023, 10:12:32 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Mar 25, 2023, at 8:03 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have installed freeradius without sql integration for testing.
1, changed # Instead of "use_tunneled_reply", value to "if (1) {. 2, users file have following entry on top. testing Password := "password", Calling-Station-Id := "0cf346e648f3
I'm pretty sure that won't do what you want, I suggest reading the documentation to see how the operators work in the "users" file.
Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject.
The debug log will show whu.
I'm not sure if this happen due to any stale sessions,
Authentication has nothing to do with stale sessions. What you want is s policy which says: if user is X and MAC is not Y reject So... write that in "unlang". What you wrote in the "users" file doesn't do that, and doesn't follow the documentation for the "users" file. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 3, 2023, at 1:10 PM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My bad, have used "==" operator with "users" file.
That's good.
The following in radcheck is working, is it possible to add multiple mac-addr values ?. I tried adding 3rd row with different mac-addr, it did not work.
Please read the SQL module documentation. See the wiki for "rlm_sql". The documentation describes how the module works, and what needs to go into SQL. You can't just add things to SQL and expect FreeRADIUS to understand what you mean.
What you want is s policy which says:
if user is X and MAC is not Y reject
Where to add this query ?.
In sites-enabled/default, under authenticate {} or authorize {} section or somewhere else ?.
You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear. You can't just put the SQL query into a virtual server, though. Alan DeKok.
Thanks Alan,
You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear.
Have tried adding the following in /sites-enabled/default bottom of "authoriztion { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect. if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { ok } else { reject } Removed Calling-Station-Id from radcheck, any device can connect with login credentials. When Calling-Station-Id attribute is used in radcheck, only the the device mac-addr in radcheck can connect, without "unlang", adding more than 1 mac-addr in radcheck is not working. mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | testing | Cleartext-Password | := | password | +----+----------+--------------------+----+----------+ 1 row in set (0.00 sec) mysql> select * from macaddrlist; +----+----------+--------------+----------+----------+ | id | username | macaddr1 | macaddr2 | macaddr3 | +----+----------+--------------+----------+----------+ | 1 | testing | 1002b52c096b | NULL | NULL | +----+----------+--------------+----------+----------+ 1 row in set (0.00 sec) mysql> debug output ################################################################################################ detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.909128 sec (17) Received Access-Request Id 5 from 10.225.251.10:56766 to 172.16.2.4:1812 length 184 (17) User-Name = "testing" (17) NAS-IP-Address = 10.225.251.10 (17) NAS-Port = 0 (17) NAS-Identifier = "172.16.6.63" (17) NAS-Port-Type = Wireless-802.11 (17) Calling-Station-Id = "f894c2addb53" (17) Called-Station-Id = "removed" (17) Service-Type = Login-User (17) Framed-MTU = 1100 (17) EAP-Message = 0x0202000c0174657374696e67 (17) Aruba-Essid-Name = "wtf" (17) Aruba-Location-Id = "Building-A" (17) Aruba-AP-Group = "Cluster" (17) Message-Authenticator = 0x23e7c95a6d11b0eefbfc4986de4ee921 (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "testing", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 2 length 12 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Initiating new EAP-TLS session (17) eap_peap: [eaptls start] = request (17) eap: Sending EAP Request (code 1) ID 3 length 6 (17) eap: EAP session adding &reply:State = 0x735d7f17735e66c6 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 5 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (17) EAP-Message = 0x010300061920 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x735d7f17735e66c6a880ae3bd9d49d0e (17) Finished request Waking up in 4.9 seconds. (18) Received Access-Request Id 6 from 10.225.251.10:56766 to 172.16.2.4:1812 length 362 (18) User-Name = "testing" (18) NAS-IP-Address = 10.225.251.10 (18) NAS-Port = 0 (18) NAS-Identifier = "172.16.6.63" (18) NAS-Port-Type = Wireless-802.11 (18) Calling-Station-Id = "f894c2addb53" (18) Called-Station-Id = "removed" (18) Service-Type = Login-User (18) Framed-MTU = 1100 (18) EAP-Message = 0x020300ac1980000000a2160303009d010000990303642bdf14a9bfdb6161357fc070503ec4d997eed1d0309e2acef37c8b7f4b122900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d (18) State = 0x735d7f17735e66c6a880ae3bd9d49d0e (18) Aruba-Essid-Name = "wtf" (18) Aruba-Location-Id = "Building-A" (18) Aruba-AP-Group = "Cluster" (18) Message-Authenticator = 0x76908f7c21e3f826fc836b0caab67eb3 (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "testing", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 3 length 172 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0x735d7f17735e66c6 (18) eap: Finished EAP session with state 0x735d7f17735e66c6 (18) eap: Previous EAP request found for state 0x735d7f17735e66c6, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: Peer indicated complete TLS record size will be 162 bytes (18) eap_peap: Got complete TLS record (162 bytes) (18) eap_peap: [eaptls verify] = length included (18) eap_peap: (other): before SSL initialization (18) eap_peap: TLS_accept: before SSL initialization (18) eap_peap: TLS_accept: before SSL initialization (18) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 009d] (18) eap_peap: TLS_accept: SSLv3/TLS read client hello (18) eap_peap: >>> send TLS 1.2 [length 003d] (18) eap_peap: TLS_accept: SSLv3/TLS write server hello (18) eap_peap: >>> send TLS 1.2 [length 02ed] (18) eap_peap: TLS_accept: SSLv3/TLS write certificate (18) eap_peap: >>> send TLS 1.2 [length 014d] (18) eap_peap: TLS_accept: SSLv3/TLS write key exchange (18) eap_peap: >>> send TLS 1.2 [length 0004] (18) eap_peap: TLS_accept: SSLv3/TLS write server done (18) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (18) eap_peap: In SSL Handshake Phase (18) eap_peap: In SSL Accept mode (18) eap_peap: [eaptls process] = handled (18) eap: Sending EAP Request (code 1) ID 4 length 1004 (18) eap: EAP session adding &reply:State = 0x735d7f17725966c6 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) Sent Access-Challenge Id 6 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (18) EAP-Message = 0x010403ec19c00000048f160303003d020000390303cb62284a7188ef72f890ca8edff8ba19c759c47607fe6b34444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x735d7f17725966c6a880ae3bd9d49d0e (18) Finished request Waking up in 4.9 seconds. (19) Received Access-Request Id 7 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196 (19) User-Name = "testing" (19) NAS-IP-Address = 10.225.251.10 (19) NAS-Port = 0 (19) NAS-Identifier = "172.16.6.63" (19) NAS-Port-Type = Wireless-802.11 (19) Calling-Station-Id = "f894c2addb53" (19) Called-Station-Id = "removed" (19) Service-Type = Login-User (19) Framed-MTU = 1100 (19) EAP-Message = 0x020400061900 (19) State = 0x735d7f17725966c6a880ae3bd9d49d0e (19) Aruba-Essid-Name = "wtf" (19) Aruba-Location-Id = "Building-A" (19) Aruba-AP-Group = "Cluster" (19) Message-Authenticator = 0xad236167427d138b918fee7d9e1602bd (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "testing", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 4 length 6 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0x735d7f17725966c6 (19) eap: Finished EAP session with state 0x735d7f17725966c6 (19) eap: Previous EAP request found for state 0x735d7f17725966c6, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: Peer ACKed our handshake fragment (19) eap_peap: [eaptls verify] = request (19) eap_peap: [eaptls process] = handled (19) eap: Sending EAP Request (code 1) ID 5 length 179 (19) eap: EAP session adding &reply:State = 0x735d7f17715866c6 (19) [eap] = handled (19) } # authenticate = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) Sent Access-Challenge Id 7 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (19) EAP-Message = 0x010500b31900da3145a6f9eecf76845fb83242f5aadd813424fce1c90e8b12600da59dde36fdaf1d7bf5fa62e7423780336ab99ab603af42f2074076fde75e9540e506163484354d638af9269b1c3ca911c400886a443197ae1b7f67cec1ab2354b9dd9ef9691bcabfbc4b17be8750cdc934028e8228ce (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x735d7f17715866c6a880ae3bd9d49d0e (19) Finished request Waking up in 4.9 seconds. (20) Received Access-Request Id 8 from 10.225.251.10:56766 to 172.16.2.4:1812 length 326 (20) User-Name = "testing" (20) NAS-IP-Address = 10.225.251.10 (20) NAS-Port = 0 (20) NAS-Identifier = "172.16.6.63" (20) NAS-Port-Type = Wireless-802.11 (20) Calling-Station-Id = "f894c2addb53" (20) Called-Station-Id = "removed" (20) Service-Type = Login-User (20) Framed-MTU = 1100 (20) EAP-Message = 0x0205008819800000007e16030300461000004241044e9e061bc42f5cee3b1c557f06e3dec5721a615dd2f79ca82ce3e7038da4006571019eeb6c12895e0e38c65c1ce9771b723011ba85fff25e0ffed61b7cbc448114030300010116030300280000000000000000f9b65095f49b130430f1568b453bdb (20) State = 0x735d7f17715866c6a880ae3bd9d49d0e (20) Aruba-Essid-Name = "wtf" (20) Aruba-Location-Id = "Building-A" (20) Aruba-AP-Group = "Cluster" (20) Message-Authenticator = 0x840d1e263f5c62c55398933cbacd6a37 (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "testing", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 5 length 136 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0x735d7f17715866c6 (20) eap: Finished EAP session with state 0x735d7f17715866c6 (20) eap: Previous EAP request found for state 0x735d7f17715866c6, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: Peer indicated complete TLS record size will be 126 bytes (20) eap_peap: Got complete TLS record (126 bytes) (20) eap_peap: [eaptls verify] = length included (20) eap_peap: TLS_accept: SSLv3/TLS write server done (20) eap_peap: <<< recv TLS 1.2 [length 0046] (20) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (20) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (20) eap_peap: <<< recv TLS 1.2 [length 0010] (20) eap_peap: TLS_accept: SSLv3/TLS read finished (20) eap_peap: >>> send TLS 1.2 [length 0001] (20) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (20) eap_peap: >>> send TLS 1.2 [length 0010] (20) eap_peap: TLS_accept: SSLv3/TLS write finished (20) eap_peap: (other): SSL negotiation finished successfully (20) eap_peap: SSL Connection Established (20) eap_peap: [eaptls process] = handled (20) eap: Sending EAP Request (code 1) ID 6 length 57 (20) eap: EAP session adding &reply:State = 0x735d7f17705b66c6 (20) [eap] = handled (20) } # authenticate = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) Sent Access-Challenge Id 8 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (20) EAP-Message = 0x010600391900140303000101160303002806d33c56b068f0a1972df6aa137cc47d7b1a80a3ad56963b9608cb6d86532b0aca677b843c484752 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x735d7f17705b66c6a880ae3bd9d49d0e (20) Finished request Waking up in 4.9 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.087135 sec (21) Received Access-Request Id 9 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196 (21) User-Name = "testing" (21) NAS-IP-Address = 10.225.251.10 (21) NAS-Port = 0 (21) NAS-Identifier = "172.16.6.63" (21) NAS-Port-Type = Wireless-802.11 (21) Calling-Station-Id = "f894c2addb53" (21) Called-Station-Id = "removed" (21) Service-Type = Login-User (21) Framed-MTU = 1100 (21) EAP-Message = 0x020600061900 (21) State = 0x735d7f17705b66c6a880ae3bd9d49d0e (21) Aruba-Essid-Name = "wtf" (21) Aruba-Location-Id = "Building-A" (21) Aruba-AP-Group = "Cluster" (21) Message-Authenticator = 0x2583cd16db50296cdb698d43f7162083 (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) [chap] = noop (21) [mschap] = noop (21) [digest] = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "testing", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) eap: Peer sent EAP Response (code 2) ID 6 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) authenticate { (21) eap: Expiring EAP session with state 0x735d7f17705b66c6 (21) eap: Finished EAP session with state 0x735d7f17705b66c6 (21) eap: Previous EAP request found for state 0x735d7f17705b66c6, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: Continuing EAP-TLS (21) eap_peap: Peer ACKed our handshake fragment. handshake is finished (21) eap_peap: [eaptls verify] = success (21) eap_peap: [eaptls process] = success (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state TUNNEL ESTABLISHED (21) eap: Sending EAP Request (code 1) ID 7 length 40 (21) eap: EAP session adding &reply:State = 0x735d7f17775a66c6 (21) [eap] = handled (21) } # authenticate = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Challenge { ... } # empty sub-section is ignored (21) Sent Access-Challenge Id 9 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (21) EAP-Message = 0x010700281900170303001d06d33c56b068f0a2a3812d5b58620e2fa7b76dbd9d21b511548082e319 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x735d7f17775a66c6a880ae3bd9d49d0e (21) Finished request Waking up in 3.6 seconds. (22) Received Access-Request Id 10 from 10.225.251.10:56766 to 172.16.2.4:1812 length 233 (22) User-Name = "testing" (22) NAS-IP-Address = 10.225.251.10 (22) NAS-Port = 0 (22) NAS-Identifier = "172.16.6.63" (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "f894c2addb53" (22) Called-Station-Id = "removed" (22) Service-Type = Login-User (22) Framed-MTU = 1100 (22) EAP-Message = 0x0207002b190017030300200000000000000001b938010a38000c8411e999e607c654e50f81975d795f502a (22) State = 0x735d7f17775a66c6a880ae3bd9d49d0e (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-AP-Group = "Cluster" (22) Message-Authenticator = 0x1cbbe970e0da43786de14a129aaf8233 (22) session-state: No cached attributes (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) [chap] = noop (22) [mschap] = noop (22) [digest] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) eap: Peer sent EAP Response (code 2) ID 7 length 43 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) authenticate { (22) eap: Expiring EAP session with state 0x735d7f17775a66c6 (22) eap: Finished EAP session with state 0x735d7f17775a66c6 (22) eap: Previous EAP request found for state 0x735d7f17775a66c6, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: Continuing EAP-TLS (22) eap_peap: [eaptls verify] = ok (22) eap_peap: Done initial handshake (22) eap_peap: [eaptls process] = ok (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state WAITING FOR INNER IDENTITY (22) eap_peap: Identity - testing (22) eap_peap: Got inner identity 'testing' (22) eap_peap: Setting default EAP type for tunneled EAP session (22) eap_peap: Got tunneled request (22) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (22) eap_peap: Setting User-Name to testing (22) eap_peap: Sending tunneled request to inner-tunnel (22) eap_peap: EAP-Message = 0x0207000c0174657374696e67 (22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (22) eap_peap: User-Name = "testing" (22) eap_peap: NAS-IP-Address = 10.225.251.10 (22) eap_peap: NAS-Port = 0 (22) eap_peap: NAS-Identifier = "172.16.6.63" (22) eap_peap: NAS-Port-Type = Wireless-802.11 (22) eap_peap: Calling-Station-Id = "f894c2addb53" (22) eap_peap: Called-Station-Id = "removed" (22) eap_peap: Service-Type = Login-User (22) eap_peap: Framed-MTU = 1100 (22) eap_peap: Aruba-Essid-Name = "wtf" (22) eap_peap: Aruba-Location-Id = "Building-A" (22) eap_peap: Aruba-AP-Group = "Cluster" (22) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (22) Virtual server inner-tunnel received request (22) EAP-Message = 0x0207000c0174657374696e67 (22) FreeRADIUS-Proxied-To = 127.0.0.1 (22) User-Name = "testing" (22) NAS-IP-Address = 10.225.251.10 (22) NAS-Port = 0 (22) NAS-Identifier = "172.16.6.63" (22) NAS-Port-Type = Wireless-802.11 (22) Calling-Station-Id = "f894c2addb53" (22) Called-Station-Id = "removed" (22) Service-Type = Login-User (22) Framed-MTU = 1100 (22) Aruba-Essid-Name = "wtf" (22) Aruba-Location-Id = "Building-A" (22) Aruba-AP-Group = "Cluster" (22) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (22) WARNING: Outer and inner identities are the same. User privacy is compromised. (22) server inner-tunnel { (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [chap] = noop (22) [mschap] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "testing", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) update control { (22) &Proxy-To-Realm := LOCAL (22) } # update control = noop (22) eap: Peer sent EAP Response (code 2) ID 7 length 12 (22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (22) authenticate { (22) eap: Peer sent packet with method EAP Identity (1) (22) eap: Calling submodule eap_mschapv2 to process data (22) eap_mschapv2: Issuing Challenge (22) eap: Sending EAP Request (code 1) ID 8 length 43 (22) eap: EAP session adding &reply:State = 0xd7f01aa1d7f80035 (22) [eap] = handled (22) } # authenticate = handled (22) } # server inner-tunnel (22) Virtual server sending reply (22) EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled reply code 11 (22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled reply RADIUS code 11 (22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136 (22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (22) eap_peap: Got tunneled Access-Challenge (22) eap: Sending EAP Request (code 1) ID 8 length 74 (22) eap: EAP session adding &reply:State = 0x735d7f17765566c6 (22) [eap] = handled (22) } # authenticate = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Challenge { ... } # empty sub-section is ignored (22) Sent Access-Challenge Id 10 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (22) EAP-Message = 0x0108004a1900170303003f06d33c56b068f0a3ecc1d3f5acb003ba8437eefefbad68f6ac6df379a757d2dd7acaf62aa3d766d59e2a42d6977997a88d1fe5fc5eced657eae7281da1b925 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0x735d7f17765566c6a880ae3bd9d49d0e (22) Finished request Waking up in 3.5 seconds. (23) Received Access-Request Id 11 from 10.225.251.10:56766 to 172.16.2.4:1812 length 287 (23) User-Name = "testing" (23) NAS-IP-Address = 10.225.251.10 (23) NAS-Port = 0 (23) NAS-Identifier = "172.16.6.63" (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "f894c2addb53" (23) Called-Station-Id = "removed" (23) Service-Type = Login-User (23) Framed-MTU = 1100 (23) EAP-Message = 0x02080061190017030300560000000000000002f67a35ebc3b7ad310d98bdf6cf074035404cd137adc04c29c54705daabe0543d231628833f03d43a3c94fb544bce6c975b3bffbdd4be9989a6766cea342a3969a0b1ccb7d614a0c997d1da0bc543 (23) State = 0x735d7f17765566c6a880ae3bd9d49d0e (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-AP-Group = "Cluster" (23) Message-Authenticator = 0xd3638e2d2a956e562ef28fdd6e96048c (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) [chap] = noop (23) [mschap] = noop (23) [digest] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) eap: Peer sent EAP Response (code 2) ID 8 length 97 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # authorize = ok (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) authenticate { (23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035 (23) eap: Finished EAP session with state 0x735d7f17765566c6 (23) eap: Previous EAP request found for state 0x735d7f17765566c6, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: Continuing EAP-TLS (23) eap_peap: [eaptls verify] = ok (23) eap_peap: Done initial handshake (23) eap_peap: [eaptls process] = ok (23) eap_peap: Session established. Decoding tunneled attributes (23) eap_peap: PEAP state phase2 (23) eap_peap: EAP method MSCHAPv2 (26) (23) eap_peap: Got tunneled request (23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) eap_peap: Setting User-Name to testing (23) eap_peap: Sending tunneled request to inner-tunnel (23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_peap: User-Name = "testing" (23) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (23) eap_peap: NAS-IP-Address = 10.225.251.10 (23) eap_peap: NAS-Port = 0 (23) eap_peap: NAS-Identifier = "172.16.6.63" (23) eap_peap: NAS-Port-Type = Wireless-802.11 (23) eap_peap: Calling-Station-Id = "f894c2addb53" (23) eap_peap: Called-Station-Id = "removed" (23) eap_peap: Service-Type = Login-User (23) eap_peap: Framed-MTU = 1100 (23) eap_peap: Aruba-Essid-Name = "wtf" (23) eap_peap: Aruba-Location-Id = "Building-A" (23) eap_peap: Aruba-AP-Group = "Cluster" (23) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (23) Virtual server inner-tunnel received request (23) EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67 (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) User-Name = "testing" (23) State = 0xd7f01aa1d7f8003560e7eeb4345077d1 (23) NAS-IP-Address = 10.225.251.10 (23) NAS-Port = 0 (23) NAS-Identifier = "172.16.6.63" (23) NAS-Port-Type = Wireless-802.11 (23) Calling-Station-Id = "f894c2addb53" (23) Called-Station-Id = "removed" (23) Service-Type = Login-User (23) Framed-MTU = 1100 (23) Aruba-Essid-Name = "wtf" (23) Aruba-Location-Id = "Building-A" (23) Aruba-AP-Group = "Cluster" (23) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (23) WARNING: Outer and inner identities are the same. User privacy is compromised. (23) server inner-tunnel { (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [chap] = noop (23) [mschap] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "testing", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) update control { (23) &Proxy-To-Realm := LOCAL (23) } # update control = noop (23) eap: Peer sent EAP Response (code 2) ID 8 length 66 (23) eap: No EAP Start, assuming it's an on-going EAP conversation (23) [eap] = updated (23) [files] = noop (23) sql: EXPAND %{User-Name} (23) sql: --> testing (23) sql: SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (12) (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (23) sql: User found in radcheck table (23) sql: Conditional check items matched, merging assignment check items (23) sql: Cleartext-Password := "password" (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (23) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (23) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (23) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (23) sql: User found in the group table (23) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (23) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Group "Low_Access": Conditional check items matched (23) sql: Group "Low_Access": Merging assignment check items (23) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (23) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (23) sql: Group "Low_Access": Merging reply items (23) sql: Class = 0x6c6f775f616363657373 rlm_sql (sql): Released connection (12) Need 7 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (15), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (23) [sql] = ok (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: Auth-Type already set. Not setting to PAP (23) [pap] = noop (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) authenticate { (23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035 (23) eap: Finished EAP session with state 0xd7f01aa1d7f80035 (23) eap: Previous EAP request found for state 0xd7f01aa1d7f80035, released from the list (23) eap: Peer sent packet with method EAP MSCHAPv2 (26) (23) eap: Calling submodule eap_mschapv2 to process data (23) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (23) eap_mschapv2: authenticate { (23) mschap: Found Cleartext-Password, hashing to create NT-Password (23) mschap: Found Cleartext-Password, hashing to create LM-Password (23) mschap: Creating challenge hash with username: testing (23) mschap: Client is using MS-CHAPv2 (23) mschap: Adding MS-CHAPv2 MPPE keys (23) [mschap] = ok (23) } # authenticate = ok (23) MSCHAP Success (23) eap: Sending EAP Request (code 1) ID 9 length 51 (23) eap: EAP session adding &reply:State = 0xd7f01aa1d6f90035 (23) [eap] = handled (23) } # authenticate = handled (23) } # server inner-tunnel (23) Virtual server sending reply (23) Class = 0x6c6f775f616363657373 (23) EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled reply code 11 (23) eap_peap: Class = 0x6c6f775f616363657373 (23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled reply RADIUS code 11 (23) eap_peap: Class = 0x6c6f775f616363657373 (23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438 (23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (23) eap_peap: Got tunneled Access-Challenge (23) eap: Sending EAP Request (code 1) ID 9 length 82 (23) eap: EAP session adding &reply:State = 0x735d7f17755466c6 (23) [eap] = handled (23) } # authenticate = handled (23) Using Post-Auth-Type Challenge (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Challenge { ... } # empty sub-section is ignored (23) Sent Access-Challenge Id 11 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (23) EAP-Message = 0x010900521900170303004706d33c56b068f0a48a90632e83818189836884d7619ce09535f33ad67f220c4165c88520856f26b9ac072beb94f7b4240467b4cd9ee012c265dc6bc981c202aad513d7fb082d4a (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0x735d7f17755466c6a880ae3bd9d49d0e (23) Finished request Waking up in 3.5 seconds. (24) Received Access-Request Id 12 from 10.225.251.10:56766 to 172.16.2.4:1812 length 227 (24) User-Name = "testing" (24) NAS-IP-Address = 10.225.251.10 (24) NAS-Port = 0 (24) NAS-Identifier = "172.16.6.63" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f894c2addb53" (24) Called-Station-Id = "removed" (24) Service-Type = Login-User (24) Framed-MTU = 1100 (24) EAP-Message = 0x020900251900170303001a0000000000000003d2de70e52a1738dba84235714d303de39473 (24) State = 0x735d7f17755466c6a880ae3bd9d49d0e (24) Aruba-Essid-Name = "wtf" (24) Aruba-Location-Id = "Building-A" (24) Aruba-AP-Group = "Cluster" (24) Message-Authenticator = 0xa4b05d75d7d707c345231bb97de889cf (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "testing", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 9 length 37 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # authorize = ok (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (24) authenticate { (24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035 (24) eap: Finished EAP session with state 0x735d7f17755466c6 (24) eap: Previous EAP request found for state 0x735d7f17755466c6, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: Continuing EAP-TLS (24) eap_peap: [eaptls verify] = ok (24) eap_peap: Done initial handshake (24) eap_peap: [eaptls process] = ok (24) eap_peap: Session established. Decoding tunneled attributes (24) eap_peap: PEAP state phase2 (24) eap_peap: EAP method MSCHAPv2 (26) (24) eap_peap: Got tunneled request (24) eap_peap: EAP-Message = 0x020900061a03 (24) eap_peap: Setting User-Name to testing (24) eap_peap: Sending tunneled request to inner-tunnel (24) eap_peap: EAP-Message = 0x020900061a03 (24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (24) eap_peap: User-Name = "testing" (24) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (24) eap_peap: NAS-IP-Address = 10.225.251.10 (24) eap_peap: NAS-Port = 0 (24) eap_peap: NAS-Identifier = "172.16.6.63" (24) eap_peap: NAS-Port-Type = Wireless-802.11 (24) eap_peap: Calling-Station-Id = "f894c2addb53" (24) eap_peap: Called-Station-Id = "removed" (24) eap_peap: Service-Type = Login-User (24) eap_peap: Framed-MTU = 1100 (24) eap_peap: Aruba-Essid-Name = "wtf" (24) eap_peap: Aruba-Location-Id = "Building-A" (24) eap_peap: Aruba-AP-Group = "Cluster" (24) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST" (24) Virtual server inner-tunnel received request (24) EAP-Message = 0x020900061a03 (24) FreeRADIUS-Proxied-To = 127.0.0.1 (24) User-Name = "testing" (24) State = 0xd7f01aa1d6f9003560e7eeb4345077d1 (24) NAS-IP-Address = 10.225.251.10 (24) NAS-Port = 0 (24) NAS-Identifier = "172.16.6.63" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f894c2addb53" (24) Called-Station-Id = "removed" (24) Service-Type = Login-User (24) Framed-MTU = 1100 (24) Aruba-Essid-Name = "wtf" (24) Aruba-Location-Id = "Building-A" (24) Aruba-AP-Group = "Cluster" (24) Event-Timestamp = "Apr 4 2023 13:55:58 IST" (24) WARNING: Outer and inner identities are the same. User privacy is compromised. (24) server inner-tunnel { (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [chap] = noop (24) [mschap] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "testing", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) update control { (24) &Proxy-To-Realm := LOCAL (24) } # update control = noop (24) eap: Peer sent EAP Response (code 2) ID 9 length 6 (24) eap: No EAP Start, assuming it's an on-going EAP conversation (24) [eap] = updated (24) [files] = noop (24) sql: EXPAND %{User-Name} (24) sql: --> testing (24) sql: SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (13) (24) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (24) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (24) sql: User found in radcheck table (24) sql: Conditional check items matched, merging assignment check items (24) sql: Cleartext-Password := "password" (24) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (24) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (24) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (24) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (24) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (24) sql: User found in the group table (24) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (24) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Group "Low_Access": Conditional check items matched (24) sql: Group "Low_Access": Merging assignment check items (24) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (24) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id (24) sql: Group "Low_Access": Merging reply items (24) sql: Class = 0x6c6f775f616363657373 rlm_sql (sql): Released connection (13) (24) [sql] = ok (24) [expiration] = noop (24) [logintime] = noop (24) pap: WARNING: Auth-Type already set. Not setting to PAP (24) [pap] = noop (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) authenticate { (24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035 (24) eap: Finished EAP session with state 0xd7f01aa1d6f90035 (24) eap: Previous EAP request found for state 0xd7f01aa1d6f90035, released from the list (24) eap: Peer sent packet with method EAP MSCHAPv2 (26) (24) eap: Calling submodule eap_mschapv2 to process data (24) eap: Sending EAP Success (code 3) ID 9 length 4 (24) eap: Freeing handler (24) [eap] = ok (24) } # authenticate = ok (24) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (24) post-auth { (24) sql: EXPAND .query (24) sql: --> .query (24) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (24) sql: EXPAND %{User-Name} (24) sql: --> testing (24) sql: SQL-User-Name set to 'testing' (24) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (24) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (24) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (24) sql: SQL query returned: success (24) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) (24) [sql] = ok (24) if (1) { (24) if (1) -> TRUE (24) if (1) { (24) update reply { (24) User-Name !* ANY (24) Message-Authenticator !* ANY (24) EAP-Message !* ANY (24) Proxy-State !* ANY (24) MS-MPPE-Encryption-Types !* ANY (24) MS-MPPE-Encryption-Policy !* ANY (24) MS-MPPE-Send-Key !* ANY (24) MS-MPPE-Recv-Key !* ANY (24) } # update reply = noop (24) update { (24) &outer.session-state::Class += &reply:Class[*] -> 0x6c6f775f616363657373 (24) } # update = noop (24) } # if (1) = noop (24) } # post-auth = ok (24) } # server inner-tunnel (24) Virtual server sending reply (24) Class = 0x6c6f775f616363657373 (24) eap_peap: Got tunneled reply code 2 (24) eap_peap: Class = 0x6c6f775f616363657373 (24) eap_peap: Got tunneled reply RADIUS code 2 (24) eap_peap: Class = 0x6c6f775f616363657373 (24) eap_peap: Tunneled authentication was successful (24) eap_peap: SUCCESS (24) eap_peap: Saving tunneled attributes for later (24) eap: Sending EAP Request (code 1) ID 10 length 46 (24) eap: EAP session adding &reply:State = 0x735d7f17745766c6 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) session-state: Saving cached attributes (24) Class += 0x6c6f775f616363657373 (24) Sent Access-Challenge Id 12 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (24) EAP-Message = 0x010a002e1900170303002306d33c56b068f0a5ff5724e4971e20cb7fe2cf9f068b66fb14fcd7892634f657f8bf51 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0x735d7f17745766c6a880ae3bd9d49d0e (24) Finished request Waking up in 3.4 seconds. (25) Received Access-Request Id 13 from 10.225.251.10:56766 to 172.16.2.4:1812 length 236 (25) User-Name = "testing" (25) NAS-IP-Address = 10.225.251.10 (25) NAS-Port = 0 (25) NAS-Identifier = "172.16.6.63" (25) NAS-Port-Type = Wireless-802.11 (25) Calling-Station-Id = "f894c2addb53" (25) Called-Station-Id = "removed" (25) Service-Type = Login-User (25) Framed-MTU = 1100 (25) EAP-Message = 0x020a002e190017030300230000000000000004e9eef28e29c4b401eadf07a8810dcfb57ef2afa013eba59fe7a695 (25) State = 0x735d7f17745766c6a880ae3bd9d49d0e (25) Aruba-Essid-Name = "wtf" (25) Aruba-Location-Id = "Building-A" (25) Aruba-AP-Group = "Cluster" (25) Message-Authenticator = 0x5171d1f2ada81cca1aceb3fe0b8a7500 (25) Restoring &session-state (25) &session-state:Class += 0x6c6f775f616363657373 (25) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) [chap] = noop (25) [mschap] = noop (25) [digest] = noop (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "testing", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) eap: Peer sent EAP Response (code 2) ID 10 length 46 (25) eap: Continuing tunnel setup (25) [eap] = ok (25) } # authorize = ok (25) Found Auth-Type = eap (25) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0x735d7f17745766c6 (25) eap: Finished EAP session with state 0x735d7f17745766c6 (25) eap: Previous EAP request found for state 0x735d7f17745766c6, released from the list (25) eap: Peer sent packet with method EAP PEAP (25) (25) eap: Calling submodule eap_peap to process data (25) eap_peap: Continuing EAP-TLS (25) eap_peap: [eaptls verify] = ok (25) eap_peap: Done initial handshake (25) eap_peap: [eaptls process] = ok (25) eap_peap: Session established. Decoding tunneled attributes (25) eap_peap: PEAP state send tlv success (25) eap_peap: Received EAP-TLV response (25) eap_peap: Success (25) eap_peap: Using saved attributes from the original Access-Accept (25) eap_peap: Class = 0x6c6f775f616363657373 (25) eap: Sending EAP Success (code 3) ID 10 length 4 (25) eap: Freeing handler (25) [eap] = ok (25) } # authenticate = ok (25) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (25) post-auth { (25) update { (25) &reply::Class += &session-state:Class[*] -> 0x6c6f775f616363657373 (25) } # update = noop (25) sql: EXPAND .query (25) sql: --> .query (25) sql: Using query template 'query' rlm_sql (sql): Reserved connection (12) (25) sql: EXPAND %{User-Name} (25) sql: --> testing (25) sql: SQL-User-Name set to 'testing' (25) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (25) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (25) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58') (25) sql: SQL query returned: success (25) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) (25) [sql] = ok (25) [exec] = noop (25) policy remove_reply_message_if_eap { (25) if (&reply:EAP-Message && &reply:Reply-Message) { (25) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (25) else { (25) [noop] = noop (25) } # else = noop (25) } # policy remove_reply_message_if_eap = noop (25) } # post-auth = ok (25) Sent Access-Accept Id 13 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0 (25) Class = 0x6c6f775f616363657373 (25) MS-MPPE-Recv-Key = 0xcc45ee952a3ff5f4b509a0d3c77ca487b6b86fbecfc91e8f7a4594ca3057a3c8 (25) MS-MPPE-Send-Key = 0x201b8d504ad2e64f9f8498c6b8187edbaf3221f7681eca7b12d0c885fb1c7782 (25) EAP-Message = 0x030a0004 (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) User-Name = "testing" (25) Class += 0x6c6f775f616363657373 (25) Finished request Waking up in 3.4 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.784712 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.975185 sec (26) Received Accounting-Request Id 14 from 10.225.251.10:56766 to 172.16.2.4:1813 length 227 (26) Acct-Status-Type = Start (26) NAS-IP-Address = 10.225.251.10 (26) User-Name = "testing" (26) NAS-Port = 0 (26) NAS-Port-Type = Wireless-802.11 (26) Calling-Station-Id = "f894c2addb53" (26) Called-Station-Id = "removed" (26) Framed-IP-Address = 10.225.251.21 (26) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739" (26) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA" (26) Acct-Delay-Time = 0 (26) Aruba-Essid-Name = "wtf" (26) Aruba-Location-Id = "Building-A" (26) Aruba-User-Vlan = 51 (26) Class = 0x6c6f775f616363657373 (26) Acct-Authentic = 0 (26) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (26) preacct { (26) [preprocess] = ok (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) EXPAND %{User-Name} (26) --> testing (26) SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (15) (26) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53') rlm_sql (sql): Released connection (15) Need 6 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (16), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (26) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') } (26) --> 0 (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) [ok] = ok (26) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok (26) ... skipping else: Preceding "if" was taken (26) policy acct_unique { (26) update request { (26) &Tmp-String-9 := "ai:" (26) } # update request = noop (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (26) EXPAND %{hex:&Class} (26) --> 6c6f775f616363657373 (26) EXPAND ^%{hex:&Tmp-String-9} (26) --> ^61693a (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (26) else { (26) update request { (26) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (26) --> cdbb232bc69b751f19684df63248fe05 (26) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05 (26) } # update request = noop (26) } # else = noop (26) } # policy acct_unique = noop (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "testing", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) [files] = noop (26) } # preacct = ok (26) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (26) accounting { (26) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (26) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (26) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (26) detail: EXPAND %t (26) detail: --> Tue Apr 4 13:55:59 2023 (26) [detail] = ok (26) [unix] = ok (26) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (26) sql: --> type.start.query (26) sql: Using query template 'query' rlm_sql (sql): Reserved connection (13) (26) sql: EXPAND %{User-Name} (26) sql: --> testing (26) sql: SQL-User-Name set to 'testing' (26) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (26) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21') (26) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21') (26) sql: SQL query returned: success (26) sql: 1 record(s) updated rlm_sql (sql): Released connection (13) (26) [sql] = ok (26) [exec] = noop (26) attr_filter.accounting_response: EXPAND %{User-Name} (26) attr_filter.accounting_response: --> testing (26) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (26) [attr_filter.accounting_response] = updated (26) } # accounting = updated (26) Sent Accounting-Response Id 14 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0 (26) Finished request (26) Cleaning up request packet ID 14 with timestamp +529 Waking up in 2.0 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.118670 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.834735 sec (17) Cleaning up request packet ID 5 with timestamp +526 (18) Cleaning up request packet ID 6 with timestamp +526 (19) Cleaning up request packet ID 7 with timestamp +526 (20) Cleaning up request packet ID 8 with timestamp +526 Waking up in 1.2 seconds. detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.084496 sec (21) Cleaning up request packet ID 9 with timestamp +528 (22) Cleaning up request packet ID 10 with timestamp +528 (23) Cleaning up request packet ID 11 with timestamp +528 (24) Cleaning up request packet ID 12 with timestamp +528 (25) Cleaning up request packet ID 13 with timestamp +528 Ready to process requests detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.996618 sec detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.833356 sec detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.774564 sec (27) Received Accounting-Request Id 15 from 10.225.251.10:56766 to 172.16.2.4:1813 length 257 (27) Acct-Status-Type = Stop (27) NAS-IP-Address = 10.225.251.10 (27) User-Name = "testing" (27) NAS-Port = 0 (27) NAS-Port-Type = Wireless-802.11 (27) Calling-Station-Id = "f894c2addb53" (27) Called-Station-Id = "removed" (27) Framed-IP-Address = 10.225.251.21 (27) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739" (27) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA" (27) Acct-Delay-Time = 0 (27) Aruba-Essid-Name = "wtf" (27) Aruba-Location-Id = "Building-A" (27) Aruba-User-Vlan = 51 (27) Class = 0x6c6f775f616363657373 (27) Acct-Input-Octets = 186004 (27) Acct-Output-Octets = 97394 (27) Acct-Input-Packets = 1019 (27) Acct-Output-Packets = 430 (27) Acct-Terminate-Cause = Idle-Timeout (27) Acct-Session-Time = 35 (27) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (27) preacct { (27) [preprocess] = ok (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (27) EXPAND %{User-Name} (27) --> testing (27) SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (14) (27) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53') rlm_sql (sql): Released connection (14) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (27) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') } (27) --> 0 (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE (27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (27) [ok] = ok (27) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok (27) ... skipping else: Preceding "if" was taken (27) policy acct_unique { (27) update request { (27) &Tmp-String-9 := "ai:" (27) } # update request = noop (27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (27) EXPAND %{hex:&Class} (27) --> 6c6f775f616363657373 (27) EXPAND ^%{hex:&Tmp-String-9} (27) --> ^61693a (27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (27) else { (27) update request { (27) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (27) --> cdbb232bc69b751f19684df63248fe05 (27) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05 (27) } # update request = noop (27) } # else = noop (27) } # policy acct_unique = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "testing", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) [files] = noop (27) } # preacct = ok (27) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (27) accounting { (27) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (27) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (27) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404 (27) detail: EXPAND %t (27) detail: --> Tue Apr 4 13:56:34 2023 (27) [detail] = ok (27) [unix] = ok (27) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (27) sql: --> type.stop.query (27) sql: Using query template 'query' rlm_sql (sql): Reserved connection (12) (27) sql: EXPAND %{User-Name} (27) sql: --> testing (27) sql: SQL-User-Name set to 'testing' (27) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (27) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05' (27) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (27) sql: SQL query returned: success (27) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) (27) [sql] = ok (27) [exec] = noop (27) attr_filter.accounting_response: EXPAND %{User-Name} (27) attr_filter.accounting_response: --> testing (27) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (27) [attr_filter.accounting_response] = updated (27) } # accounting = updated (27) Sent Accounting-Response Id 15 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0 (27) Finished request (27) Cleaning up request packet ID 15 with timestamp +564 Ready to process requests detail (/var/log/freeradius/radacct/detail): Polling for detail file detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.212151 sec Thanks, On Tuesday, 4 April, 2023, 12:39:51 am IST, Alan DeKok <aland@deployingradius.com> wrote: On Apr 3, 2023, at 1:10 PM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My bad, have used "==" operator with "users" file.
That's good.
The following in radcheck is working, is it possible to add multiple mac-addr values ?. I tried adding 3rd row with different mac-addr, it did not work.
Please read the SQL module documentation. See the wiki for "rlm_sql". The documentation describes how the module works, and what needs to go into SQL. You can't just add things to SQL and expect FreeRADIUS to understand what you mean.
What you want is s policy which says:
if user is X and MAC is not Y reject
Where to add this query ?.
In sites-enabled/default, under authenticate {} or authorize {} section or somewhere else ?.
You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear. You can't just put the SQL query into a virtual server, though. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
O
Have tried adding the following in /sites-enabled/default bottom of "authoriztion { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect.
if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { ok } else { reject }
I'd write that as: if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" == "" ) { reject } Just a little simpler. But I don't see that line in the debug output. So it's not being run, and therefore it's not working. Make sure that the server is using that configuration, and it should work. Alan DeKok.
Thanks Alan,
But I don't see that line in the debug output. So it's not being run, and therefore it's not working. I'd write that as:
It is there, but allowing mac-addr not in the table, it is not running when called under authorize { }. Pasted your exact code to the bottom of /sites-enabled/default bottom section of "authorize { }, now it's not being run. If required, will paste /sites-enabled/default configuration. Previous Debug, when the my code pasted to preacct { } section. ################################################################# (26) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (26) preacct { (26) [preprocess] = ok (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) EXPAND %{User-Name} (26) --> testing (26) SQL-User-Name set to 'testing' rlm_sql (sql): Reserved connection (15) (26) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53') rlm_sql (sql): Released connection (15) Need 6 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (16), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10 (26) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') } (26) --> 0 (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE (26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { (26) [ok] = ok (26) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok (26) ... skipping else: Preceding "if" was taken (26) policy acct_unique { (26) update request { (26) &Tmp-String-9 := "ai:" (26) } # update request = noop (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (26) EXPAND %{hex:&Class} (26) --> 6c6f775f616363657373 (26) EXPAND ^%{hex:&Tmp-String-9} (26) --> ^61693a (26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (26) else { (26) update request { (26) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (26) --> cdbb232bc69b751f19684df63248fe05 (26) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05 (26) } # update request = noop (26) } # else = noop (26) } # policy acct_unique = noop (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "testing", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) [files] = noop (26) } # preacct = ok Thanks, On Tuesday, 4 April, 2023, 08:03:16 pm IST, Alan DeKok <aland@deployingradius.com> wrote: O
Have tried adding the following in /sites-enabled/default bottom of "authoriztion { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect.
if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) { ok } else { reject }
I'd write that as: if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" == "" ) { reject } Just a little simpler. But I don't see that line in the debug output. So it's not being run, and therefore it's not working. Make sure that the server is using that configuration, and it should work. Alan DeKok.
participants (2)
-
Alan DeKok -
Eby Mani