Question / Copy inner to outer identity
Hi guys I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770... And there are also examples in the FreeRADIUS inner-proxy configuration file: # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. # # Note that the last packet of the inner-tunnel authentication # MAY NOT BE the last packet of the outer session. So updating # the outer reply MIGHT work, and sometimes MIGHT NOT. The # exact functionality depends on both the inner and outer # authentication methods. # # If you need to send a reply attribute in the outer session, # the ONLY safe way is to set "use_tunneled_reply = yes", and # then update the inner-tunnel reply. post-auth { # If you want privacy to remain, see the # Chargeable-User-Identity attribute from RFC 4372. # If you want to use it just uncomment the line below. # cui-inner # # If you want the Access-Accept to contain the inner # User-Name, uncomment the following lines. # # update outer.session-state { # User-Name := &User-Name # } We use PEAP/MS-CHAPv2 on our eduroam SSID. Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) à our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous@unibe.ch accounts, this will be used for further processing in a cloud service. But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxing is done, but here I am not 100% sure about this. But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)? Thanks and best regards Dominic *** Debug output: (14) Received Access-Request Id 161 from 1.2.3.4:63606 to 130.92.10.33:1812 length 461 (14) User-Name = anonymous@unibe.ch (14) Service-Type = Framed-User (14) Cisco-AVPair = "service-type=Framed" (14) Framed-MTU = 1485 (14) EAP-Message = 0x0201001701616e6f6e796d6f757340756e6962652e6368 (14) Message-Authenticator = 0xcda0dbee35c44f95af0a726f08995386 (14) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (14) Cisco-AVPair = "method=dot1x" (14) Cisco-AVPair = "client-iif-id=2818574557" (14) Cisco-AVPair = "vlan-id=1000" (14) NAS-IP-Address = 1.2.3.4 (14) NAS-Port-Id = "capwap_9000000c" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 4211 (14) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (14) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (14) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (14) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (14) Airespace-Wlan-Id = 97 (14) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (14) WLAN-Group-Cipher = 1027076 (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027075 (14) WLAN-Group-Mgmt-Cipher = 1027078 (14) # Executing section authorize from file /etc/freeradius/sites-enabled/default (14) authorize { (14) policy rewrite_called_station_id { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 2C-E3-8E-ED-31-E0 (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (14) } # update request = noop (14) if ("%{8}") { (14) EXPAND %{8} (14) --> eduroam (14) if ("%{8}") -> TRUE (14) if ("%{8}") { (14) update request { (14) EXPAND %{8} (14) --> eduroam (14) &Called-Station-SSID := eduroam (14) EXPAND %{Called-Station-Id}:%{8} (14) --> 2C-E3-8E-ED-31-E0:eduroam (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (14) } # update request = noop (14) } # if ("%{8}") = noop (14) [updated] = updated (14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_called_station_id = updated (14) policy rewrite_calling_station_id { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> AC-DF-A1-B1-F1-5A (14) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (14) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (14) --> AC:DF:A1:B1:F1:5A (14) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (14) } # update request = noop (14) [updated] = updated (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_calling_station_id = updated (14) if (Service-Type == Call-Check) { (14) if (Service-Type == Call-Check) -> FALSE (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (EAP-Message) { (14) if (EAP-Message) -> TRUE (14) if (EAP-Message) { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = updated (14) } # policy filter_username = updated (14) suffix: Checking for suffix after "@" (14) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (14) suffix: Found realm "UNIBE.CH" (14) suffix: Adding Realm = "UNIBE.CH" (14) suffix: Authentication realm is LOCAL (14) [suffix] = ok (14) policy deny_no_realm { (14) if (User-Name && (User-Name !~ /@/)) { (14) if (User-Name && (User-Name !~ /@/)) -> FALSE (14) } # policy deny_no_realm = updated (14) update request { (14) EXPAND %{toupper:%{Realm}} (14) --> UNIBE.CH (14) Realm := UNIBE.CH (14) } # update request = noop (14) eap: Peer sent EAP Response (code 2) ID 1 length 23 (14) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (14) [eap] = ok (14) } # if (EAP-Message) = ok (14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) Auth-Type eap { (14) eap: Peer sent packet with method EAP Identity (1) (14) eap: Using default_eap_type = PEAP (14) eap: Calling submodule eap_peap to process data (14) eap_peap: (TLS) PEAP -Initiating new session (14) eap: Sending EAP Request (code 1) ID 2 length 6 (14) eap: EAP session adding &reply:State = 0x1a0c7e771a0e6752 (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> anonymous@unibe.ch (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) session-state: Saving cached attributes (14) Framed-MTU = 1014 (14) Sent Access-Challenge Id 161 from 130.92.10.33:1812 to 1.2.3.4:63606 length 64 (14) EAP-Message = 0x010200061920 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x1a0c7e771a0e675279b57cf47df95d07 (14) Finished request (15) Received Access-Request Id 162 from 1.2.3.4:63606 to 130.92.10.33:1812 length 617 (15) User-Name = anonymous@unibe.ch (15) Service-Type = Framed-User (15) Cisco-AVPair = "service-type=Framed" (15) Framed-MTU = 1485 (15) EAP-Message = 0x020200a119800000009716030100920100008e03036909999b25b7e27b2e2e231f9c546c4a37d3b858ee2635bdaf836b8c39d42d6800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306010005000501000000000012000000170000 (15) Message-Authenticator = 0xdf959aef8b75ae98ed4dda59508b7a60 (15) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (15) Cisco-AVPair = "method=dot1x" (15) Cisco-AVPair = "client-iif-id=2818574557" (15) Cisco-AVPair = "vlan-id=1000" (15) NAS-IP-Address = 1.2.3.4 (15) NAS-Port-Id = "capwap_9000000c" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 4211 (15) State = 0x1a0c7e771a0e675279b57cf47df95d07 (15) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (15) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (15) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (15) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (15) Airespace-Wlan-Id = 97 (15) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (15) WLAN-Group-Cipher = 1027076 (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027075 (15) WLAN-Group-Mgmt-Cipher = 1027078 (15) Restoring &session-state (15) &session-state:Framed-MTU = 1014 (15) # Executing section authorize from file /etc/freeradius/sites-enabled/default (15) authorize { (15) policy rewrite_called_station_id { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 2C-E3-8E-ED-31-E0 (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (15) } # update request = noop (15) if ("%{8}") { (15) EXPAND %{8} (15) --> eduroam (15) if ("%{8}") -> TRUE (15) if ("%{8}") { (15) update request { (15) EXPAND %{8} (15) --> eduroam (15) &Called-Station-SSID := eduroam (15) EXPAND %{Called-Station-Id}:%{8} (15) --> 2C-E3-8E-ED-31-E0:eduroam (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (15) } # update request = noop (15) } # if ("%{8}") = noop (15) [updated] = updated (15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_called_station_id = updated (15) policy rewrite_calling_station_id { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> AC-DF-A1-B1-F1-5A (15) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (15) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (15) --> AC:DF:A1:B1:F1:5A (15) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (15) } # update request = noop (15) [updated] = updated (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_calling_station_id = updated (15) if (Service-Type == Call-Check) { (15) if (Service-Type == Call-Check) -> FALSE (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (EAP-Message) { (15) if (EAP-Message) -> TRUE (15) if (EAP-Message) { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = updated (15) } # policy filter_username = updated (15) suffix: Checking for suffix after "@" (15) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (15) suffix: Found realm "UNIBE.CH" (15) suffix: Adding Realm = "UNIBE.CH" (15) suffix: Authentication realm is LOCAL (15) [suffix] = ok (15) policy deny_no_realm { (15) if (User-Name && (User-Name !~ /@/)) { (15) if (User-Name && (User-Name !~ /@/)) -> FALSE (15) } # policy deny_no_realm = updated (15) update request { (15) EXPAND %{toupper:%{Realm}} (15) --> UNIBE.CH (15) Realm := UNIBE.CH (15) } # update request = noop (15) eap: Peer sent EAP Response (code 2) ID 2 length 161 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # if (EAP-Message) = ok (15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) Auth-Type eap { (15) eap: Removing EAP session with state 0x1a0c7e771a0e6752 (15) eap: Previous EAP request found for state 0x1a0c7e771a0e6752, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (15) eap_peap: (TLS) EAP Got all data (151 bytes) (15) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - In Handshake Phase (15) eap: Sending EAP Request (code 1) ID 3 length 1024 (15) eap: EAP session adding &reply:State = 0x1a0c7e771b0f6752 (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> anonymous@unibe.ch (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) session-state: Saving cached attributes (15) Framed-MTU = 1014 (15) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (15) Sent Access-Challenge Id 162 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1090 (15) EAP-Message = 0x0103040019c000001135160303003d020000390303f0334014735b9a350f95ccc549063d3e99ba127b1d030030444f574e4752440100c010000011ff01000100000b000401000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x1a0c7e771b0f675279b57cf47df95d07 (15) Finished request (16) Received Access-Request Id 163 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (16) User-Name = anonymous@unibe.ch (16) Service-Type = Framed-User (16) Cisco-AVPair = "service-type=Framed" (16) Framed-MTU = 1485 (16) EAP-Message = 0x020100061900 (16) Message-Authenticator = 0x256013f8a4cd33b09aea930439831655 (16) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (16) Cisco-AVPair = "method=dot1x" (16) Cisco-AVPair = "client-iif-id=2818574557" (16) Cisco-AVPair = "vlan-id=1000" (16) NAS-IP-Address = 1.2.3.4 (16) NAS-Port-Id = "capwap_9000000c" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 4211 (16) State = 0x1a0c7e771b0f675279b57cf47df95d07 (16) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (16) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (16) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (16) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (16) Airespace-Wlan-Id = 97 (16) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (16) WLAN-Group-Cipher = 1027076 (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027075 (16) WLAN-Group-Mgmt-Cipher = 1027078 (16) Restoring &session-state (16) &session-state:Framed-MTU = 1014 (16) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) # Executing section authorize from file /etc/freeradius/sites-enabled/default (16) authorize { (16) policy rewrite_called_station_id { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 2C-E3-8E-ED-31-E0 (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (16) } # update request = noop (16) if ("%{8}") { (16) EXPAND %{8} (16) --> eduroam (16) if ("%{8}") -> TRUE (16) if ("%{8}") { (16) update request { (16) EXPAND %{8} (16) --> eduroam (16) &Called-Station-SSID := eduroam (16) EXPAND %{Called-Station-Id}:%{8} (16) --> 2C-E3-8E-ED-31-E0:eduroam (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (16) } # update request = noop (16) } # if ("%{8}") = noop (16) [updated] = updated (16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_called_station_id = updated (16) policy rewrite_calling_station_id { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> AC-DF-A1-B1-F1-5A (16) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (16) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (16) --> AC:DF:A1:B1:F1:5A (16) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (16) } # update request = noop (16) [updated] = updated (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_calling_station_id = updated (16) if (Service-Type == Call-Check) { (16) if (Service-Type == Call-Check) -> FALSE (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (EAP-Message) { (16) if (EAP-Message) -> TRUE (16) if (EAP-Message) { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = updated (16) } # policy filter_username = updated (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (16) suffix: Found realm "UNIBE.CH" (16) suffix: Adding Realm = "UNIBE.CH" (16) suffix: Authentication realm is LOCAL (16) [suffix] = ok (16) policy deny_no_realm { (16) if (User-Name && (User-Name !~ /@/)) { (16) if (User-Name && (User-Name !~ /@/)) -> FALSE (16) } # policy deny_no_realm = updated (16) update request { (16) EXPAND %{toupper:%{Realm}} (16) --> UNIBE.CH (16) Realm := UNIBE.CH (16) } # update request = noop (16) eap: Peer sent EAP Response (code 2) ID 3 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # if (EAP-Message) = ok (16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (16) } # authorize = updated (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) Auth-Type eap { (16) eap: Removing EAP session with state 0x1a0c7e771b0f6752 (16) eap: Previous EAP request found for state 0x1a0c7e771b0f6752, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: (TLS) Peer ACKed our handshake fragment (16) eap: Sending EAP Request (code 1) ID 4 length 1020 (16) eap: EAP session adding &reply:State = 0x1a0c7e7718086752 (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> anonymous@unibe.ch (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) session-state: Saving cached attributes (16) Framed-MTU = 1014 (16) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) Sent Access-Challenge Id 163 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (16) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040210003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x1a0c7e771808675279b57cf47df95d07 (16) Finished request (17) Received Access-Request Id 164 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (17) User-Name = anonymous@unibe.ch (17) Service-Type = Framed-User (17) Cisco-AVPair = "service-type=Framed" (17) Framed-MTU = 1485 (17) EAP-Message = 0x020400061900 (17) Message-Authenticator = 0x6f9b085346287fdd22fc589a3c0b70f2 (17) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (17) Cisco-AVPair = "method=dot1x" (17) Cisco-AVPair = "client-iif-id=2818574557" (17) Cisco-AVPair = "vlan-id=1000" (17) NAS-IP-Address = 1.2.3.4 (17) NAS-Port-Id = "capwap_9000000c" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 4211 (17) State = 0x1a0c7e771808675279b57cf47df95d07 (17) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (17) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (17) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (17) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (17) Airespace-Wlan-Id = 97 (17) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (17) WLAN-Group-Cipher = 1027076 (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027075 (17) WLAN-Group-Mgmt-Cipher = 1027078 (17) Restoring &session-state (17) &session-state:Framed-MTU = 1014 (17) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) # Executing section authorize from file /etc/freeradius/sites-enabled/default (17) authorize { (17) policy rewrite_called_station_id { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 2C-E3-8E-ED-31-E0 (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (17) } # update request = noop (17) if ("%{8}") { (17) EXPAND %{8} (17) --> eduroam (17) if ("%{8}") -> TRUE (17) if ("%{8}") { (17) update request { (17) EXPAND %{8} (17) --> eduroam (17) &Called-Station-SSID := eduroam (17) EXPAND %{Called-Station-Id}:%{8} (17) --> 2C-E3-8E-ED-31-E0:eduroam (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (17) } # update request = noop (17) } # if ("%{8}") = noop (17) [updated] = updated (17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_called_station_id = updated (17) policy rewrite_calling_station_id { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> AC-DF-A1-B1-F1-5A (17) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (17) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (17) --> AC:DF:A1:B1:F1:5A (17) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (17) } # update request = noop (17) [updated] = updated (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_calling_station_id = updated (17) if (Service-Type == Call-Check) { (17) if (Service-Type == Call-Check) -> FALSE (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (EAP-Message) { (17) if (EAP-Message) -> TRUE (17) if (EAP-Message) { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = updated (17) } # policy filter_username = updated (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (17) suffix: Found realm "UNIBE.CH" (17) suffix: Adding Realm = "UNIBE.CH" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) policy deny_no_realm { (17) if (User-Name && (User-Name !~ /@/)) { (17) if (User-Name && (User-Name !~ /@/)) -> FALSE (17) } # policy deny_no_realm = updated (17) update request { (17) EXPAND %{toupper:%{Realm}} (17) --> UNIBE.CH (17) Realm := UNIBE.CH (17) } # update request = noop (17) eap: Peer sent EAP Response (code 2) ID 4 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # if (EAP-Message) = ok (17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (17) } # authorize = updated (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) Auth-Type eap { (17) eap: Removing EAP session with state 0x1a0c7e7718086752 (17) eap: Previous EAP request found for state 0x1a0c7e7718086752, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: (TLS) Peer ACKed our handshake fragment (17) eap: Sending EAP Request (code 1) ID 5 length 1020 (17) eap: EAP session adding &reply:State = 0x1a0c7e7719096752 (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> anonymous@unibe.ch (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) session-state: Saving cached attributes (17) Framed-MTU = 1014 (17) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) Sent Access-Challenge Id 164 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (17) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x1a0c7e771909675279b57cf47df95d07 (17) Finished request (18) Received Access-Request Id 165 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (18) User-Name = anonymous@unibe.ch (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Framed-MTU = 1485 (18) EAP-Message = 0x020500061900 (18) Message-Authenticator = 0xc196c62add7f8f693998f8856485d83b (18) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2818574557" (18) Cisco-AVPair = "vlan-id=1000" (18) NAS-IP-Address = 1.2.3.4 (18) NAS-Port-Id = "capwap_9000000c" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4211 (18) State = 0x1a0c7e771909675279b57cf47df95d07 (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (18) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (18) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (18) Airespace-Wlan-Id = 97 (18) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (18) WLAN-Group-Cipher = 1027076 (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027075 (18) WLAN-Group-Mgmt-Cipher = 1027078 (18) Restoring &session-state (18) &session-state:Framed-MTU = 1014 (18) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) # Executing section authorize from file /etc/freeradius/sites-enabled/default (18) authorize { (18) policy rewrite_called_station_id { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) update request { Waking up in 0.2 seconds. (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 2C-E3-8E-ED-31-E0 (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (18) } # update request = noop (18) if ("%{8}") { (18) EXPAND %{8} (18) --> eduroam (18) if ("%{8}") -> TRUE (18) if ("%{8}") { (18) update request { (18) EXPAND %{8} (18) --> eduroam (18) &Called-Station-SSID := eduroam (18) EXPAND %{Called-Station-Id}:%{8} (18) --> 2C-E3-8E-ED-31-E0:eduroam (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (18) } # update request = noop (18) } # if ("%{8}") = noop (18) [updated] = updated (18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_called_station_id = updated (18) policy rewrite_calling_station_id { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> AC-DF-A1-B1-F1-5A (18) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (18) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (18) --> AC:DF:A1:B1:F1:5A (18) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (18) } # update request = noop (18) [updated] = updated (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_calling_station_id = updated (18) if (Service-Type == Call-Check) { (18) if (Service-Type == Call-Check) -> FALSE (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (EAP-Message) { (18) if (EAP-Message) -> TRUE (18) if (EAP-Message) { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = updated (18) } # policy filter_username = updated (18) suffix: Checking for suffix after "@" (18) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (18) suffix: Found realm "UNIBE.CH" (18) suffix: Adding Realm = "UNIBE.CH" (18) suffix: Authentication realm is LOCAL (18) [suffix] = ok (18) policy deny_no_realm { (18) if (User-Name && (User-Name !~ /@/)) { (18) if (User-Name && (User-Name !~ /@/)) -> FALSE (18) } # policy deny_no_realm = updated (18) update request { (18) EXPAND %{toupper:%{Realm}} (18) --> UNIBE.CH (18) Realm := UNIBE.CH (18) } # update request = noop (18) eap: Peer sent EAP Response (code 2) ID 5 length 6 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # if (EAP-Message) = ok (18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) Auth-Type eap { (18) eap: Removing EAP session with state 0x1a0c7e7719096752 (18) eap: Previous EAP request found for state 0x1a0c7e7719096752, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: (TLS) Peer ACKed our handshake fragment (18) eap: Sending EAP Request (code 1) ID 6 length 1020 (18) eap: EAP session adding &reply:State = 0x1a0c7e771e0a6752 (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> Access-Challenge (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) attr_filter.access_challenge: EXPAND %{User-Name} (18) attr_filter.access_challenge: --> anonymous@unibe.ch (18) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (18) [attr_filter.access_challenge.post-auth] = updated (18) [handled] = handled (18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (18) } # Auth-Type eap = handled (18) Using Post-Auth-Type Challenge (18) Post-Auth-Type sub-section not found. Ignoring. (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) session-state: Saving cached attributes (18) Framed-MTU = 1014 (18) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) Sent Access-Challenge Id 165 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (18) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x1a0c7e771e0a675279b57cf47df95d07 (18) Finished request (19) Received Access-Request Id 166 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (19) User-Name = anonymous@unibe.ch (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Framed-MTU = 1485 (19) EAP-Message = 0x020600061900 (19) Message-Authenticator = 0x572ab59ccb8ceac06d4c053497b4dad6 (19) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2818574557" (19) Cisco-AVPair = "vlan-id=1000" (19) NAS-IP-Address = 1.2.3.4 (19) NAS-Port-Id = "capwap_9000000c" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4211 (19) State = 0x1a0c7e771e0a675279b57cf47df95d07 (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (19) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (19) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (19) Airespace-Wlan-Id = 97 (19) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (19) WLAN-Group-Cipher = 1027076 (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027075 (19) WLAN-Group-Mgmt-Cipher = 1027078 (19) Restoring &session-state (19) &session-state:Framed-MTU = 1014 (19) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) # Executing section authorize from file /etc/freeradius/sites-enabled/default (19) authorize { (19) policy rewrite_called_station_id { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 2C-E3-8E-ED-31-E0 (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (19) } # update request = noop (19) if ("%{8}") { (19) EXPAND %{8} (19) --> eduroam (19) if ("%{8}") -> TRUE (19) if ("%{8}") { (19) update request { (19) EXPAND %{8} (19) --> eduroam (19) &Called-Station-SSID := eduroam (19) EXPAND %{Called-Station-Id}:%{8} (19) --> 2C-E3-8E-ED-31-E0:eduroam (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (19) } # update request = noop (19) } # if ("%{8}") = noop (19) [updated] = updated (19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_called_station_id = updated (19) policy rewrite_calling_station_id { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> AC-DF-A1-B1-F1-5A (19) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (19) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (19) --> AC:DF:A1:B1:F1:5A (19) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (19) } # update request = noop (19) [updated] = updated (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_calling_station_id = updated (19) if (Service-Type == Call-Check) { (19) if (Service-Type == Call-Check) -> FALSE (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (EAP-Message) { (19) if (EAP-Message) -> TRUE (19) if (EAP-Message) { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = updated (19) } # policy filter_username = updated (19) suffix: Checking for suffix after "@" (19) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (19) suffix: Found realm "UNIBE.CH" (19) suffix: Adding Realm = "UNIBE.CH" (19) suffix: Authentication realm is LOCAL (19) [suffix] = ok (19) policy deny_no_realm { (19) if (User-Name && (User-Name !~ /@/)) { (19) if (User-Name && (User-Name !~ /@/)) -> FALSE (19) } # policy deny_no_realm = updated (19) update request { (19) EXPAND %{toupper:%{Realm}} (19) --> UNIBE.CH (19) Realm := UNIBE.CH (19) } # update request = noop (19) eap: Peer sent EAP Response (code 2) ID 6 length 6 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # if (EAP-Message) = ok (19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) Auth-Type eap { (19) eap: Removing EAP session with state 0x1a0c7e771e0a6752 (19) eap: Previous EAP request found for state 0x1a0c7e771e0a6752, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: (TLS) Peer ACKed our handshake fragment (19) eap: Sending EAP Request (code 1) ID 7 length 355 (19) eap: EAP session adding &reply:State = 0x1a0c7e771f0b6752 (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> Access-Challenge (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) attr_filter.access_challenge: EXPAND %{User-Name} (19) attr_filter.access_challenge: --> anonymous@unibe.ch (19) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (19) [attr_filter.access_challenge.post-auth] = updated (19) [handled] = handled (19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (19) } # Auth-Type eap = handled (19) Using Post-Auth-Type Challenge (19) Post-Auth-Type sub-section not found. Ignoring. (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) session-state: Saving cached attributes (19) Framed-MTU = 1014 (19) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) Sent Access-Challenge Id 166 from 130.92.10.33:1812 to 1.2.3.4:63606 length 415 (19) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104b201a57bca112447dfce17a89ba625c372e0c009eea006a95c79ba5b83514cfc4abe5c00673d4584a35b11ecef0ee23a6e2a18d0c95f8a48f744f685b7bfb054040101001e420d428e4df3bafadfc43614f7e02a46b54eb352afdd238fbe58786c1286d9f48726ae0f45415d47bfb81a54ebf3ac667c828dea5428d65f8c0a1634fc04cd2fddd88809d833251f68c1b85caea91c7c135b8d87ee7b5c91c3fec8e93d09ae2157a548d07e80f8a8ba9cc9267bef2fc1e9433312e89e45d1dbf9650fa7c0f5eb555b12ebf51e2575fe325de4871702c00041a05bf89a779a12f8b0eba2fe702054fb0fc16ec288b6861c55fd6d9a853a574516dbb5684d8b61318e526bc7328643edc25ee4692ac13c9843aba9a028992b5befa9331b65a63b890e5432d66d27e4fc6eae4f0aa2625394096c5e7e469992c9e8003b3af457be9e8309fac01116030100040e000000 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x1a0c7e771f0b675279b57cf47df95d07 (19) Finished request (20) Received Access-Request Id 167 from 1.2.3.4:63606 to 130.92.10.33:1812 length 592 (20) User-Name = anonymous@unibe.ch (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Framed-MTU = 1485 (20) EAP-Message = 0x0207008819800000007e16030300461000004241044bdd335d8636b35b96f838a591e11c19c257fa1853f19b291dd5e25fc57342414c3f644fb0abbd7078454afdc6a47d7f15433d807ebbb5d30efaeb9bc509783f14030100010116030300283667ef69fc720083fa52d1f339bce71060104b344322cb0514ad95532ba10a78d425cd99eb1ea915 (20) Message-Authenticator = 0xfa3c07c12db0b8ddfacd1df94f1e5aff (20) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2818574557" (20) Cisco-AVPair = "vlan-id=1000" (20) NAS-IP-Address = 1.2.3.4 (20) NAS-Port-Id = "capwap_9000000c" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4211 (20) State = 0x1a0c7e771f0b675279b57cf47df95d07 (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (20) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (20) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (20) Airespace-Wlan-Id = 97 (20) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (20) WLAN-Group-Cipher = 1027076 (20) WLAN-Pairwise-Cipher = 1027076 (20) WLAN-AKM-Suite = 1027075 (20) WLAN-Group-Mgmt-Cipher = 1027078 (20) Restoring &session-state (20) &session-state:Framed-MTU = 1014 (20) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) # Executing section authorize from file /etc/freeradius/sites-enabled/default (20) authorize { (20) policy rewrite_called_station_id { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 2C-E3-8E-ED-31-E0 (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (20) } # update request = noop (20) if ("%{8}") { (20) EXPAND %{8} (20) --> eduroam (20) if ("%{8}") -> TRUE (20) if ("%{8}") { (20) update request { (20) EXPAND %{8} (20) --> eduroam (20) &Called-Station-SSID := eduroam (20) EXPAND %{Called-Station-Id}:%{8} (20) --> 2C-E3-8E-ED-31-E0:eduroam (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (20) } # update request = noop (20) } # if ("%{8}") = noop (20) [updated] = updated (20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_called_station_id = updated (20) policy rewrite_calling_station_id { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> AC-DF-A1-B1-F1-5A (20) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (20) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (20) --> AC:DF:A1:B1:F1:5A (20) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (20) } # update request = noop (20) [updated] = updated (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_calling_station_id = updated (20) if (Service-Type == Call-Check) { (20) if (Service-Type == Call-Check) -> FALSE (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (EAP-Message) { (20) if (EAP-Message) -> TRUE (20) if (EAP-Message) { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = updated (20) } # policy filter_username = updated (20) suffix: Checking for suffix after "@" (20) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (20) suffix: Found realm "UNIBE.CH" (20) suffix: Adding Realm = "UNIBE.CH" (20) suffix: Authentication realm is LOCAL (20) [suffix] = ok (20) policy deny_no_realm { (20) if (User-Name && (User-Name !~ /@/)) { (20) if (User-Name && (User-Name !~ /@/)) -> FALSE (20) } # policy deny_no_realm = updated (20) update request { (20) EXPAND %{toupper:%{Realm}} (20) --> UNIBE.CH (20) Realm := UNIBE.CH (20) } # update request = noop (20) eap: Peer sent EAP Response (code 2) ID 7 length 136 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # if (EAP-Message) = ok (20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (20) } # authorize = updated (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) Auth-Type eap { (20) eap: Removing EAP session with state 0x1a0c7e771f0b6752 (20) eap: Previous EAP request found for state 0x1a0c7e771f0b6752, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (20) eap_peap: (TLS) EAP Got all data (126 bytes) (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (20) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (20) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (20) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (20) eap_peap: (TLS) PEAP - Connection Established (20) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) eap_peap: TLS-Session-Version = "TLS 1.2" (20) eap: Sending EAP Request (code 1) ID 8 length 57 (20) eap: EAP session adding &reply:State = 0x1a0c7e771c046752 (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> Access-Challenge (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) attr_filter.access_challenge: EXPAND %{User-Name} (20) attr_filter.access_challenge: --> anonymous@unibe.ch (20) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (20) [attr_filter.access_challenge.post-auth] = updated (20) [handled] = handled (20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (20) } # Auth-Type eap = handled (20) Using Post-Auth-Type Challenge (20) Post-Auth-Type sub-section not found. Ignoring. (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) session-state: Saving cached attributes (20) Framed-MTU = 1014 (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Sent Access-Challenge Id 167 from 130.92.10.33:1812 to 1.2.3.4:63606 length 115 (20) EAP-Message = 0x010800391900140301000101160303002869cd9549766a5c057197e758662301e6fe3808b412033491c980bcc9560e2fe6e86f4e532b875f92 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x1a0c7e771c04675279b57cf47df95d07 (20) Finished request (21) Received Access-Request Id 168 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (21) User-Name = anonymous@unibe.ch (21) Service-Type = Framed-User (21) Cisco-AVPair = "service-type=Framed" (21) Framed-MTU = 1485 (21) EAP-Message = 0x020800061900 (21) Message-Authenticator = 0x9c7f30b1e78bb9f5274c566d1a73f367 (21) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (21) Cisco-AVPair = "method=dot1x" (21) Cisco-AVPair = "client-iif-id=2818574557" (21) Cisco-AVPair = "vlan-id=1000" (21) NAS-IP-Address = 1.2.3.4 (21) NAS-Port-Id = "capwap_9000000c" (21) NAS-Port-Type = Wireless-802.11 (21) NAS-Port = 4211 (21) State = 0x1a0c7e771c04675279b57cf47df95d07 (21) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (21) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (21) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (21) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (21) Airespace-Wlan-Id = 97 (21) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (21) WLAN-Group-Cipher = 1027076 (21) WLAN-Pairwise-Cipher = 1027076 (21) WLAN-AKM-Suite = 1027075 (21) WLAN-Group-Mgmt-Cipher = 1027078 (21) Restoring &session-state (21) &session-state:Framed-MTU = 1014 (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" Waking up in 0.2 seconds. (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/freeradius/sites-enabled/default (21) authorize { (21) policy rewrite_called_station_id { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 2C-E3-8E-ED-31-E0 (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (21) } # update request = noop (21) if ("%{8}") { (21) EXPAND %{8} (21) --> eduroam (21) if ("%{8}") -> TRUE (21) if ("%{8}") { (21) update request { (21) EXPAND %{8} (21) --> eduroam (21) &Called-Station-SSID := eduroam (21) EXPAND %{Called-Station-Id}:%{8} (21) --> 2C-E3-8E-ED-31-E0:eduroam (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (21) } # update request = noop (21) } # if ("%{8}") = noop (21) [updated] = updated (21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_called_station_id = updated (21) policy rewrite_calling_station_id { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> AC-DF-A1-B1-F1-5A (21) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (21) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (21) --> AC:DF:A1:B1:F1:5A (21) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (21) } # update request = noop (21) [updated] = updated (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_calling_station_id = updated (21) if (Service-Type == Call-Check) { (21) if (Service-Type == Call-Check) -> FALSE (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = updated (21) } # policy filter_username = updated (21) suffix: Checking for suffix after "@" (21) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (21) suffix: Found realm "UNIBE.CH" (21) suffix: Adding Realm = "UNIBE.CH" (21) suffix: Authentication realm is LOCAL (21) [suffix] = ok (21) policy deny_no_realm { (21) if (User-Name && (User-Name !~ /@/)) { (21) if (User-Name && (User-Name !~ /@/)) -> FALSE (21) } # policy deny_no_realm = updated (21) update request { (21) EXPAND %{toupper:%{Realm}} (21) --> UNIBE.CH (21) Realm := UNIBE.CH (21) } # update request = noop (21) eap: Peer sent EAP Response (code 2) ID 8 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # if (EAP-Message) = ok (21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (21) } # authorize = updated (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) Auth-Type eap { (21) eap: Removing EAP session with state 0x1a0c7e771c046752 (21) eap: Previous EAP request found for state 0x1a0c7e771c046752, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state TUNNEL ESTABLISHED (21) eap: Sending EAP Request (code 1) ID 9 length 40 (21) eap: EAP session adding &reply:State = 0x1a0c7e771d056752 (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> anonymous@unibe.ch (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) Post-Auth-Type sub-section not found. Ignoring. (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) session-state: Saving cached attributes (21) Framed-MTU = 1014 (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) TLS-Session-Version = "TLS 1.2" (21) Sent Access-Challenge Id 168 from 130.92.10.33:1812 to 1.2.3.4:63606 length 98 (21) EAP-Message = 0x010900281900170303001d69cd9549766a5c065b771e1e6ad4419bc5deec9aca8c6dc933d69e4320 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x1a0c7e771d05675279b57cf47df95d07 (21) Finished request (22) Received Access-Request Id 169 from 1.2.3.4:63606 to 130.92.10.33:1812 length 516 (22) User-Name = anonymous@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Framed-MTU = 1485 (22) EAP-Message = 0x0209003c190017030300313667ef69fc720084f72dcb9c5d07674afc517dc2cee1604014c42f78dd87c1fc4dd53bf9579819c736546b1d6568257d75 (22) Message-Authenticator = 0x06ac4226a9e15764f25be4a011e74e0d (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) State = 0x1a0c7e771d05675279b57cf47df95d07 (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (22) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) Restoring &session-state (22) &session-state:Framed-MTU = 1014 (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) &session-state:TLS-Session-Version = "TLS 1.2" (22) # Executing section authorize from file /etc/freeradius/sites-enabled/default (22) authorize { (22) policy rewrite_called_station_id { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> 2C-E3-8E-ED-31-E0 (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (22) } # update request = noop (22) if ("%{8}") { (22) EXPAND %{8} (22) --> eduroam (22) if ("%{8}") -> TRUE (22) if ("%{8}") { (22) update request { (22) EXPAND %{8} (22) --> eduroam (22) &Called-Station-SSID := eduroam (22) EXPAND %{Called-Station-Id}:%{8} (22) --> 2C-E3-8E-ED-31-E0:eduroam (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (22) } # update request = noop (22) } # if ("%{8}") = noop (22) [updated] = updated (22) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_called_station_id = updated (22) policy rewrite_calling_station_id { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> AC-DF-A1-B1-F1-5A (22) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (22) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (22) --> AC:DF:A1:B1:F1:5A (22) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (22) } # update request = noop (22) [updated] = updated (22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_calling_station_id = updated (22) if (Service-Type == Call-Check) { (22) if (Service-Type == Call-Check) -> FALSE (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (EAP-Message) { (22) if (EAP-Message) -> TRUE (22) if (EAP-Message) { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = updated (22) } # policy filter_username = updated (22) suffix: Checking for suffix after "@" (22) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (22) suffix: Found realm "UNIBE.CH" (22) suffix: Adding Realm = "UNIBE.CH" (22) suffix: Authentication realm is LOCAL (22) [suffix] = ok (22) policy deny_no_realm { (22) if (User-Name && (User-Name !~ /@/)) { (22) if (User-Name && (User-Name !~ /@/)) -> FALSE (22) } # policy deny_no_realm = updated (22) update request { (22) EXPAND %{toupper:%{Realm}} (22) --> UNIBE.CH (22) Realm := UNIBE.CH (22) } # update request = noop (22) eap: Peer sent EAP Response (code 2) ID 9 length 60 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # if (EAP-Message) = ok (22) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Auth-Type eap { (22) eap: Removing EAP session with state 0x1a0c7e771d056752 (22) eap: Previous EAP request found for state 0x1a0c7e771d056752, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: (TLS) EAP Done initial handshake (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state WAITING FOR INNER IDENTITY (22) eap_peap: Identity - jon.doe@unibe.ch (22) eap_peap: Got inner identity 'jon.doe@unibe.ch' (22) eap_peap: Setting default EAP type for tunneled EAP session (22) eap_peap: Got tunneled request (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: Setting User-Name to jon.doe@unibe.ch (22) eap_peap: Sending tunneled request to proxy-inner-tunnel (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (22) eap_peap: User-Name = jon.doe@unibe.ch (22) eap_peap: Service-Type = Framed-User (22) eap_peap: Cisco-AVPair = "service-type=Framed" (22) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) eap_peap: Cisco-AVPair = "method=dot1x" (22) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (22) eap_peap: Cisco-AVPair = "vlan-id=1000" (22) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) eap_peap: Framed-MTU = 1485 (22) eap_peap: NAS-IP-Address = 1.2.3.4 (22) eap_peap: NAS-Port-Id = "capwap_9000000c" (22) eap_peap: NAS-Port-Type = Wireless-802.11 (22) eap_peap: NAS-Port = 4211 (22) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) eap_peap: Airespace-Wlan-Id = 97 (22) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) eap_peap: WLAN-Group-Cipher = 1027076 (22) eap_peap: WLAN-Pairwise-Cipher = 1027076 (22) eap_peap: WLAN-AKM-Suite = 1027075 (22) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (22) Virtual server proxy-inner-tunnel received request (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) FreeRADIUS-Proxied-To = 127.0.0.1 (22) User-Name = jon.doe@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Framed-MTU = 1485 (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) server proxy-inner-tunnel { (22) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (22) authorize { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (22) if (!NAS-Port-Type){ (22) if (!NAS-Port-Type) -> FALSE (22) update control { (22) &Proxy-To-Realm := REALM-NPS-DEV (22) } # update control = noop (22) } # authorize = noop (22) } # server proxy-inner-tunnel (22) Virtual server sending reply (22) eap_peap: Got tunneled reply code 0 (22) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (22) eap: WARNING: Tunneled session will be proxied. Not doing EAP (22) [eap] = handled (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) EXPAND Response-Packet-Type (22) --> (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (22) } # Auth-Type eap = handled (22) Starting proxy to home server 9.9.9.9 port 1812 (22) server default { (22) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (22) pre-proxy { (22) attr_filter.pre-proxy: EXPAND %{Realm} (22) attr_filter.pre-proxy: --> UNIBE.CH (22) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (22) [attr_filter.pre-proxy] = updated (22) } # pre-proxy = updated (22) } (22) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (22) Sent Access-Request Id 22 from 0.0.0.0:57225 to 9.9.9.9:1812 length 196 (22) Operator-Name := "1unibe.ch" (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) User-Name = jon.doe@unibe.ch (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Type = Wireless-802.11 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) Message-Authenticator = 0x (22) Proxy-State = 0x313639 (22) Clearing existing &reply: attributes (22) Received Access-Challenge Id 22 from 9.9.9.9:1812 to 130.92.10.33:57225 length 128 (22) Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) Proxy-State = 0x313639 (22) Session-Timeout = 60 (22) EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) server default { Waking up in 0.2 seconds. (22) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (22) post-proxy { (22) attr_filter.post-proxy: EXPAND %{Realm} (22) attr_filter.post-proxy: --> UNIBE.CH (22) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (22) [attr_filter.post-proxy] = updated (22) eap: Doing post-proxy callback (22) eap: Passing reply from proxy back into the tunnel (22) eap: Got tunneled reply RADIUS code 11 (22) eap: Tunnel-Type := VLAN (22) eap: Tunnel-Medium-Type := IEEE-802 (22) eap: Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) eap: Proxy-State = 0x313639 (22) eap: EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) eap: Got tunneled Access-Challenge (22) eap: Reply was handled (22) eap: Sending EAP Request (code 1) ID 10 length 70 (22) eap: EAP session adding &reply:State = 0x1a0c7e7712066752 (22) [eap] = ok (22) } # post-proxy = updated (22) } (22) session-state: Saving cached attributes (22) Framed-MTU = 1014 (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) TLS-Session-Version = "TLS 1.2" (22) Using Post-Auth-Type Challenge (22) Post-Auth-Type sub-section not found. Ignoring. (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Sent Access-Challenge Id 169 from 130.92.10.33:1812 to 1.2.3.4:63606 length 128 (22) EAP-Message = 0x010a00461900170303003b69cd9549766a5c07e7a533b4954f2b8a2f7d523485391d6347a7c8b129d5f82e531ee88bad59bbd4d844e6ca0cdcd6368cc58ada378c7aa1d5fb65 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0x1a0c7e771206675279b57cf47df95d07 (22) Finished request (23) Received Access-Request Id 170 from 1.2.3.4:63606 to 130.92.10.33:1812 length 570 (23) User-Name = anonymous@unibe.ch (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Framed-MTU = 1485 (23) EAP-Message = 0x020a0072190017030300673667ef69fc7200855481c10f1f4a4302825d6e8e053a95b0043c86a557ab14b7cff518ef0e171c44cf1611aa60a6c005975617ce937379fa7458eb80d9295d9eec138d40cce24f5c736bc8763e2ef3ed83500c10663e2db0027b9bccb0657050e251766881076a (23) Message-Authenticator = 0xbae882ea47144349739d08cdc2273497 (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) State = 0x1a0c7e771206675279b57cf47df95d07 (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (23) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/default (23) authorize { (23) policy rewrite_called_station_id { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> 2C-E3-8E-ED-31-E0 (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (23) } # update request = noop (23) if ("%{8}") { (23) EXPAND %{8} (23) --> eduroam (23) if ("%{8}") -> TRUE (23) if ("%{8}") { (23) update request { (23) EXPAND %{8} (23) --> eduroam (23) &Called-Station-SSID := eduroam (23) EXPAND %{Called-Station-Id}:%{8} (23) --> 2C-E3-8E-ED-31-E0:eduroam (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (23) } # update request = noop (23) } # if ("%{8}") = noop (23) [updated] = updated (23) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_called_station_id = updated (23) policy rewrite_calling_station_id { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> AC-DF-A1-B1-F1-5A (23) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (23) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (23) --> AC:DF:A1:B1:F1:5A (23) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (23) } # update request = noop (23) [updated] = updated (23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_calling_station_id = updated (23) if (Service-Type == Call-Check) { (23) if (Service-Type == Call-Check) -> FALSE (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (EAP-Message) { (23) if (EAP-Message) -> TRUE (23) if (EAP-Message) { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = updated (23) } # policy filter_username = updated (23) suffix: Checking for suffix after "@" (23) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (23) suffix: Found realm "UNIBE.CH" (23) suffix: Adding Realm = "UNIBE.CH" (23) suffix: Authentication realm is LOCAL (23) [suffix] = ok (23) policy deny_no_realm { (23) if (User-Name && (User-Name !~ /@/)) { (23) if (User-Name && (User-Name !~ /@/)) -> FALSE (23) } # policy deny_no_realm = updated (23) update request { (23) EXPAND %{toupper:%{Realm}} (23) --> UNIBE.CH (23) Realm := UNIBE.CH (23) } # update request = noop (23) eap: Peer sent EAP Response (code 2) ID 10 length 114 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # if (EAP-Message) = ok (23) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Auth-Type eap { (23) eap: Removing EAP session with state 0x1a0c7e7712066752 (23) eap: Previous EAP request found for state 0x1a0c7e7712066752, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: (TLS) EAP Done initial handshake (23) eap_peap: Session established. Decoding tunneled attributes (23) eap_peap: PEAP state phase2 (23) eap_peap: EAP method MSCHAPv2 (26) (23) eap_peap: Got tunneled request (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: Setting User-Name to jon.doe@unibe.ch (23) eap_peap: Sending tunneled request to proxy-inner-tunnel (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_peap: User-Name = jon.doe@unibe.ch (23) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap_peap: Service-Type = Framed-User (23) eap_peap: Cisco-AVPair = "service-type=Framed" (23) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) eap_peap: Cisco-AVPair = "method=dot1x" (23) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (23) eap_peap: Cisco-AVPair = "vlan-id=1000" (23) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) eap_peap: Framed-MTU = 1485 (23) eap_peap: NAS-IP-Address = 1.2.3.4 (23) eap_peap: NAS-Port-Id = "capwap_9000000c" (23) eap_peap: NAS-Port-Type = Wireless-802.11 (23) eap_peap: NAS-Port = 4211 (23) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) eap_peap: Airespace-Wlan-Id = 97 (23) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) eap_peap: WLAN-Group-Cipher = 1027076 (23) eap_peap: WLAN-Pairwise-Cipher = 1027076 (23) eap_peap: WLAN-AKM-Suite = 1027075 (23) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (23) Virtual server proxy-inner-tunnel received request (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Framed-MTU = 1485 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) server proxy-inner-tunnel { (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (23) authorize { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (23) if (!NAS-Port-Type){ (23) if (!NAS-Port-Type) -> FALSE (23) update control { (23) &Proxy-To-Realm := REALM-NPS-DEV (23) } # update control = noop (23) } # authorize = noop (23) } # server proxy-inner-tunnel (23) Virtual server sending reply (23) eap_peap: Got tunneled reply code 0 (23) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (23) eap: WARNING: Tunneled session will be proxied. Not doing EAP (23) [eap] = handled (23) if (handled && (Response-Packet-Type == Access-Challenge)) { (23) EXPAND Response-Packet-Type (23) --> (23) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (23) } # Auth-Type eap = handled (23) Starting proxy to home server 9.9.9.9 port 1812 (23) server default { (23) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (23) pre-proxy { (23) attr_filter.pre-proxy: EXPAND %{Realm} (23) attr_filter.pre-proxy: --> UNIBE.CH (23) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (23) [attr_filter.pre-proxy] = updated (23) } # pre-proxy = updated (23) } (23) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (23) Sent Access-Request Id 23 from 0.0.0.0:57225 to 9.9.9.9:1812 length 288 (23) Operator-Name := "1unibe.ch" (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Type = Wireless-802.11 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) Message-Authenticator = 0x (23) Proxy-State = 0x313730 (23) Clearing existing &reply: attributes (23) Received Access-Challenge Id 23 from 9.9.9.9:1812 to 130.92.10.33:57225 length 140 (23) Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) Proxy-State = 0x313730 (23) Session-Timeout = 60 (23) EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) server default { (23) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (23) post-proxy { (23) attr_filter.post-proxy: EXPAND %{Realm} (23) attr_filter.post-proxy: --> UNIBE.CH (23) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (23) [attr_filter.post-proxy] = updated (23) eap: Doing post-proxy callback (23) eap: Passing reply from proxy back into the tunnel (23) eap: Got tunneled reply RADIUS code 11 (23) eap: Tunnel-Type := VLAN (23) eap: Tunnel-Medium-Type := IEEE-802 (23) eap: Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) eap: Proxy-State = 0x313730 (23) eap: EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap: Got tunneled Access-Challenge (23) eap: Reply was handled (23) eap: Sending EAP Request (code 1) ID 11 length 82 (23) eap: EAP session adding &reply:State = 0x1a0c7e7713076752 (23) [eap] = ok (23) } # post-proxy = updated (23) } (23) Using Post-Auth-Type Challenge (23) Post-Auth-Type sub-section not found. Ignoring. (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Sent Access-Challenge Id 170 from 130.92.10.33:1812 to 1.2.3.4:63606 length 140 (23) EAP-Message = 0x010b00521900170303004769cd9549766a5c08877f9dcc3d5bbb0c7718563cf3286f690c07a08da31ea6540f21eb3c1933d7d92dbe22551b18a7d5e2cbf116856b2a68d3fff389ebdb8926e8d42e50522ca4 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0x1a0c7e771307675279b57cf47df95d07 (23) Finished request (24) Received Access-Request Id 171 from 1.2.3.4:63606 to 130.92.10.33:1812 length 493 (24) User-Name = anonymous@unibe.ch (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Framed-MTU = 1485 (24) EAP-Message = 0x020b00251900170303001a3667ef69fc7200864f7f9410f449a59651d6a1975df235030608 (24) Message-Authenticator = 0x9b70bdd088abd8b737cf77c71d3ba2c0 (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) State = 0x1a0c7e771307675279b57cf47df95d07 (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (24) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/default (24) authorize { (24) policy rewrite_called_station_id { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> 2C-E3-8E-ED-31-E0 (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (24) } # update request = noop (24) if ("%{8}") { (24) EXPAND %{8} (24) --> eduroam (24) if ("%{8}") -> TRUE (24) if ("%{8}") { (24) update request { (24) EXPAND %{8} (24) --> eduroam (24) &Called-Station-SSID := eduroam (24) EXPAND %{Called-Station-Id}:%{8} (24) --> 2C-E3-8E-ED-31-E0:eduroam (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (24) } # update request = noop (24) } # if ("%{8}") = noop (24) [updated] = updated (24) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_called_station_id = updated (24) policy rewrite_calling_station_id { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> AC-DF-A1-B1-F1-5A (24) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (24) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (24) --> AC:DF:A1:B1:F1:5A (24) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (24) } # update request = noop (24) [updated] = updated (24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_calling_station_id = updated (24) if (Service-Type == Call-Check) { (24) if (Service-Type == Call-Check) -> FALSE (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (EAP-Message) { (24) if (EAP-Message) -> TRUE (24) if (EAP-Message) { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = updated (24) } # policy filter_username = updated (24) suffix: Checking for suffix after "@" (24) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (24) suffix: Found realm "UNIBE.CH" (24) suffix: Adding Realm = "UNIBE.CH" (24) suffix: Authentication realm is LOCAL (24) [suffix] = ok (24) policy deny_no_realm { (24) if (User-Name && (User-Name !~ /@/)) { (24) if (User-Name && (User-Name !~ /@/)) -> FALSE (24) } # policy deny_no_realm = updated (24) update request { (24) EXPAND %{toupper:%{Realm}} (24) --> UNIBE.CH (24) Realm := UNIBE.CH (24) } # update request = noop (24) eap: Peer sent EAP Response (code 2) ID 11 length 37 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # if (EAP-Message) = ok (24) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Auth-Type eap { (24) eap: Removing EAP session with state 0x1a0c7e7713076752 (24) eap: Previous EAP request found for state 0x1a0c7e7713076752, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: (TLS) EAP Done initial handshake (24) eap_peap: Session established. Decoding tunneled attributes (24) eap_peap: PEAP state phase2 (24) eap_peap: EAP method MSCHAPv2 (26) (24) eap_peap: Got tunneled request (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: Setting User-Name to jon.doe@unibe.ch (24) eap_peap: Sending tunneled request to proxy-inner-tunnel (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (24) eap_peap: User-Name = jon.doe@unibe.ch (24) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) eap_peap: Service-Type = Framed-User (24) eap_peap: Cisco-AVPair = "service-type=Framed" (24) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) eap_peap: Cisco-AVPair = "method=dot1x" (24) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (24) eap_peap: Cisco-AVPair = "vlan-id=1000" (24) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) eap_peap: Framed-MTU = 1485 (24) eap_peap: NAS-IP-Address = 1.2.3.4 (24) eap_peap: NAS-Port-Id = "capwap_9000000c" (24) eap_peap: NAS-Port-Type = Wireless-802.11 (24) eap_peap: NAS-Port = 4211 (24) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) eap_peap: Airespace-Wlan-Id = 97 (24) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) eap_peap: WLAN-Group-Cipher = 1027076 (24) eap_peap: WLAN-Pairwise-Cipher = 1027076 (24) eap_peap: WLAN-AKM-Suite = 1027075 (24) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (24) Virtual server proxy-inner-tunnel received request (24) EAP-Message = 0x020b00061a03 (24) FreeRADIUS-Proxied-To = 127.0.0.1 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Framed-MTU = 1485 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) server proxy-inner-tunnel { (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (24) authorize { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (24) if (!NAS-Port-Type){ (24) if (!NAS-Port-Type) -> FALSE (24) update control { (24) &Proxy-To-Realm := REALM-NPS-DEV (24) } # update control = noop (24) } # authorize = noop (24) } # server proxy-inner-tunnel (24) Virtual server sending reply (24) eap_peap: Got tunneled reply code 0 (24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (24) eap: WARNING: Tunneled session will be proxied. Not doing EAP (24) [eap] = handled (24) if (handled && (Response-Packet-Type == Access-Challenge)) { (24) EXPAND Response-Packet-Type (24) --> (24) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (24) } # Auth-Type eap = handled (24) Starting proxy to home server 9.9.9.9 port 1812 (24) server default { (24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (24) pre-proxy { (24) attr_filter.pre-proxy: EXPAND %{Realm} (24) attr_filter.pre-proxy: --> UNIBE.CH (24) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (24) [attr_filter.pre-proxy] = updated (24) } # pre-proxy = updated (24) } (24) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (24) Sent Access-Request Id 24 from 0.0.0.0:57225 to 9.9.9.9:1812 length 211 (24) Operator-Name := "1unibe.ch" (24) EAP-Message = 0x020b00061a03 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Type = Wireless-802.11 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) Message-Authenticator = 0x (24) Proxy-State = 0x313731 Thread 3 waiting to be assigned a request Waking up in 0.1 seconds. Thread 5 got semaphore Thread 5 handling request 24, (7 handled so far) (24) Clearing existing &reply: attributes (24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289 (24) Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) Proxy-State = 0x313731 (24) Class = 0x7374616666 (24) Filter-Id = "staff" (24) Framed-Protocol = PPP (24) Service-Type = Framed-User (24) Tunnel-Medium-Type:0 = IEEE-802 (24) Tunnel-Private-Group-Id:0 = "2000" (24) Tunnel-Type:0 = VLAN (24) EAP-Message = 0x030b0004 (24) Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) MS-CHAP-Domain = "\001CAMPUS" (24) MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) MS-CHAP2-Success = 0x01533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (24) server default { (24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (24) post-proxy { (24) attr_filter.post-proxy: EXPAND %{Realm} (24) attr_filter.post-proxy: --> UNIBE.CH (24) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (24) [attr_filter.post-proxy] = updated (24) eap: Doing post-proxy callback (24) eap: Passing reply from proxy back into the tunnel (24) eap: Got tunneled reply RADIUS code 2 (24) eap: Tunnel-Type := VLAN (24) eap: Tunnel-Medium-Type := IEEE-802 (24) eap: Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) eap: Proxy-State = 0x313731 (24) eap: Class = 0x7374616666 (24) eap: Filter-Id = "staff" (24) eap: Tunnel-Private-Group-Id:0 = "2000" (24) eap: EAP-Message = 0x030b0004 (24) eap: Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) eap: MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) eap: MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) eap: Tunneled authentication was successful (24) eap: SUCCESS (24) eap: Saving tunneled attributes for later (24) eap: Reply was handled (24) eap: Sending EAP Request (code 1) ID 12 length 46 (24) eap: EAP session adding &reply:State = 0x1a0c7e7710006752 (24) [eap] = ok (24) } # post-proxy = updated (24) } (24) Using Post-Auth-Type Challenge (24) Post-Auth-Type sub-section not found. Ignoring. (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104 (24) EAP-Message = 0x010c002e1900170303002369cd9549766a5c096f1e1c66977ad4a91fd857608710d39bf55e09ca568c703d98ec8f (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0x1a0c7e771000675279b57cf47df95d07 (24) Finished request
On Nov 4, 2025, at 3:54 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770...
And there are also examples in the FreeRADIUS inner-proxy configuration file:
Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
We use PEAP/MS-CHAPv2 on our eduroam SSID.
Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) à our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous@unibe.ch accounts, this will be used for further processing in a cloud service.
But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxing is done, but here I am not 100% sure about this.
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Just copy it in another section in the inner-tunnel. if (!&outer.config:User-Name) { update { &outer.config:User-Name := &User-Name } } Alan DeKok.
Hi Alan
Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
Got it.
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
I really looked / searched for the corresponding part in the debug, I only found the virtual server proxy-inner-tunnel getting hit. Just for training / future purposes, could you please highlight the corresponding line in the debug output? And I will try to put the corresponding configuration in another section in the inner-tunnel. Regards Dominic
Am 04.11.2025 um 14:22 schrieb Alan DeKok via Freeradius-Users <freeradius-users@lists.freeradius.org>:
On Nov 4, 2025, at 3:54 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770...
And there are also examples in the FreeRADIUS inner-proxy configuration file:
Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
We use PEAP/MS-CHAPv2 on our eduroam SSID.
Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) à our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous@unibe.ch accounts, this will be used for further processing in a cloud service.
But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxing is done, but here I am not 100% sure about this.
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Just copy it in another section in the inner-tunnel.
if (!&outer.config:User-Name) { update { &outer.config:User-Name := &User-Name } }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 4, 2025, at 8:34 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
I really looked / searched for the corresponding part in the debug, I only found the virtual server proxy-inner-tunnel getting hit. Just for training / future purposes, could you please highlight the corresponding line in the debug output?
As I said, the Post-Auth section isn't being run, so I can't highlight it in the debug output. Alan DeKok.
Hi Alan I meant the part where „the inner-tunnel virtual server is being run“ per se? Regards Dominic
Am 04.11.2025 um 15:32 schrieb Alan DeKok via Freeradius-Users <freeradius-users@lists.freeradius.org>:
On Nov 4, 2025, at 8:34 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
I really looked / searched for the corresponding part in the debug, I only found the virtual server proxy-inner-tunnel getting hit. Just for training / future purposes, could you please highlight the corresponding line in the debug output?
As I said, the Post-Auth section isn't being run, so I can't highlight it in the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 4, 2025, at 10:19 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I meant the part where „the inner-tunnel virtual server is being run“ per se?
Look for "inner-tunnel"? I'm very sorry, but I really don't know what else to say here. The information you need to know is in front of you. All you need to do is a text search. And no, I'm not going to cut & paste specific bits of the debug output. It's not appropriate for you to ask me to do that, when you can just do a simple text search yourself. Alan DeKok.
As I said, I searched for "inner-tunnel“ in the below output and can find "proxy-inner-tunnel“, indeed. But this is another virtual server, or am I wrong? Or please correct me on this, if this is not true: (14) Received Access-Request Id 161 from 1.2.3.4:63606 to 130.92.10.33:1812 length 461 (14) User-Name = anonymous@unibe.ch (14) Service-Type = Framed-User (14) Cisco-AVPair = "service-type=Framed" (14) Framed-MTU = 1485 (14) EAP-Message = 0x0201001701616e6f6e796d6f757340756e6962652e6368 (14) Message-Authenticator = 0xcda0dbee35c44f95af0a726f08995386 (14) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (14) Cisco-AVPair = "method=dot1x" (14) Cisco-AVPair = "client-iif-id=2818574557" (14) Cisco-AVPair = "vlan-id=1000" (14) NAS-IP-Address = 1.2.3.4 (14) NAS-Port-Id = "capwap_9000000c" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 4211 (14) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (14) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (14) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (14) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (14) Airespace-Wlan-Id = 97 (14) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (14) WLAN-Group-Cipher = 1027076 (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027075 (14) WLAN-Group-Mgmt-Cipher = 1027078 (14) # Executing section authorize from file /etc/freeradius/sites-enabled/default (14) authorize { (14) policy rewrite_called_station_id { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> 2C-E3-8E-ED-31-E0 (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (14) } # update request = noop (14) if ("%{8}") { (14) EXPAND %{8} (14) --> eduroam (14) if ("%{8}") -> TRUE (14) if ("%{8}") { (14) update request { (14) EXPAND %{8} (14) --> eduroam (14) &Called-Station-SSID := eduroam (14) EXPAND %{Called-Station-Id}:%{8} (14) --> 2C-E3-8E-ED-31-E0:eduroam (14) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (14) } # update request = noop (14) } # if ("%{8}") = noop (14) [updated] = updated (14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_called_station_id = updated (14) policy rewrite_calling_station_id { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (14) update request { (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (14) --> AC-DF-A1-B1-F1-5A (14) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (14) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (14) --> AC:DF:A1:B1:F1:5A (14) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (14) } # update request = noop (14) [updated] = updated (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (14) ... skipping else: Preceding "if" was taken (14) } # policy rewrite_calling_station_id = updated (14) if (Service-Type == Call-Check) { (14) if (Service-Type == Call-Check) -> FALSE (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) EXPAND Packet-Src-IP-Address (14) --> 1.2.3.4 (14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (14) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (14) if (EAP-Message) { (14) if (EAP-Message) -> TRUE (14) if (EAP-Message) { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = updated (14) } # policy filter_username = updated (14) suffix: Checking for suffix after "@" (14) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (14) suffix: Found realm "UNIBE.CH" (14) suffix: Adding Realm = "UNIBE.CH" (14) suffix: Authentication realm is LOCAL (14) [suffix] = ok (14) policy deny_no_realm { (14) if (User-Name && (User-Name !~ /@/)) { (14) if (User-Name && (User-Name !~ /@/)) -> FALSE (14) } # policy deny_no_realm = updated (14) update request { (14) EXPAND %{toupper:%{Realm}} (14) --> UNIBE.CH (14) Realm := UNIBE.CH (14) } # update request = noop (14) eap: Peer sent EAP Response (code 2) ID 1 length 23 (14) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (14) [eap] = ok (14) } # if (EAP-Message) = ok (14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) Auth-Type eap { (14) eap: Peer sent packet with method EAP Identity (1) (14) eap: Using default_eap_type = PEAP (14) eap: Calling submodule eap_peap to process data (14) eap_peap: (TLS) PEAP -Initiating new session (14) eap: Sending EAP Request (code 1) ID 2 length 6 (14) eap: EAP session adding &reply:State = 0x1a0c7e771a0e6752 (14) [eap] = handled (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) EXPAND Response-Packet-Type (14) --> Access-Challenge (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (14) if (handled && (Response-Packet-Type == Access-Challenge)) { (14) attr_filter.access_challenge: EXPAND %{User-Name} (14) attr_filter.access_challenge: --> anonymous@unibe.ch (14) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (14) [attr_filter.access_challenge.post-auth] = updated (14) [handled] = handled (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (14) } # Auth-Type eap = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) session-state: Saving cached attributes (14) Framed-MTU = 1014 (14) Sent Access-Challenge Id 161 from 130.92.10.33:1812 to 1.2.3.4:63606 length 64 (14) EAP-Message = 0x010200061920 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x1a0c7e771a0e675279b57cf47df95d07 (14) Finished request (15) Received Access-Request Id 162 from 1.2.3.4:63606 to 130.92.10.33:1812 length 617 (15) User-Name = anonymous@unibe.ch (15) Service-Type = Framed-User (15) Cisco-AVPair = "service-type=Framed" (15) Framed-MTU = 1485 (15) EAP-Message = 0x020200a119800000009716030100920100008e03036909999b25b7e27b2e2e231f9c546c4a37d3b858ee2635bdaf836b8c39d42d6800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306010005000501000000000012000000170000 (15) Message-Authenticator = 0xdf959aef8b75ae98ed4dda59508b7a60 (15) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (15) Cisco-AVPair = "method=dot1x" (15) Cisco-AVPair = "client-iif-id=2818574557" (15) Cisco-AVPair = "vlan-id=1000" (15) NAS-IP-Address = 1.2.3.4 (15) NAS-Port-Id = "capwap_9000000c" (15) NAS-Port-Type = Wireless-802.11 (15) NAS-Port = 4211 (15) State = 0x1a0c7e771a0e675279b57cf47df95d07 (15) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (15) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (15) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (15) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (15) Airespace-Wlan-Id = 97 (15) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (15) WLAN-Group-Cipher = 1027076 (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027075 (15) WLAN-Group-Mgmt-Cipher = 1027078 (15) Restoring &session-state (15) &session-state:Framed-MTU = 1014 (15) # Executing section authorize from file /etc/freeradius/sites-enabled/default (15) authorize { (15) policy rewrite_called_station_id { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> 2C-E3-8E-ED-31-E0 (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (15) } # update request = noop (15) if ("%{8}") { (15) EXPAND %{8} (15) --> eduroam (15) if ("%{8}") -> TRUE (15) if ("%{8}") { (15) update request { (15) EXPAND %{8} (15) --> eduroam (15) &Called-Station-SSID := eduroam (15) EXPAND %{Called-Station-Id}:%{8} (15) --> 2C-E3-8E-ED-31-E0:eduroam (15) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (15) } # update request = noop (15) } # if ("%{8}") = noop (15) [updated] = updated (15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_called_station_id = updated (15) policy rewrite_calling_station_id { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (15) update request { (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (15) --> AC-DF-A1-B1-F1-5A (15) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (15) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (15) --> AC:DF:A1:B1:F1:5A (15) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (15) } # update request = noop (15) [updated] = updated (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (15) ... skipping else: Preceding "if" was taken (15) } # policy rewrite_calling_station_id = updated (15) if (Service-Type == Call-Check) { (15) if (Service-Type == Call-Check) -> FALSE (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) EXPAND Packet-Src-IP-Address (15) --> 1.2.3.4 (15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (15) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (15) if (EAP-Message) { (15) if (EAP-Message) -> TRUE (15) if (EAP-Message) { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = updated (15) } # policy filter_username = updated (15) suffix: Checking for suffix after "@" (15) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (15) suffix: Found realm "UNIBE.CH" (15) suffix: Adding Realm = "UNIBE.CH" (15) suffix: Authentication realm is LOCAL (15) [suffix] = ok (15) policy deny_no_realm { (15) if (User-Name && (User-Name !~ /@/)) { (15) if (User-Name && (User-Name !~ /@/)) -> FALSE (15) } # policy deny_no_realm = updated (15) update request { (15) EXPAND %{toupper:%{Realm}} (15) --> UNIBE.CH (15) Realm := UNIBE.CH (15) } # update request = noop (15) eap: Peer sent EAP Response (code 2) ID 2 length 161 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # if (EAP-Message) = ok (15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) Auth-Type eap { (15) eap: Removing EAP session with state 0x1a0c7e771a0e6752 (15) eap: Previous EAP request found for state 0x1a0c7e771a0e6752, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (15) eap_peap: (TLS) EAP Got all data (151 bytes) (15) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (15) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (15) eap_peap: (TLS) PEAP - In Handshake Phase (15) eap: Sending EAP Request (code 1) ID 3 length 1024 (15) eap: EAP session adding &reply:State = 0x1a0c7e771b0f6752 (15) [eap] = handled (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) EXPAND Response-Packet-Type (15) --> Access-Challenge (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (15) if (handled && (Response-Packet-Type == Access-Challenge)) { (15) attr_filter.access_challenge: EXPAND %{User-Name} (15) attr_filter.access_challenge: --> anonymous@unibe.ch (15) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (15) [attr_filter.access_challenge.post-auth] = updated (15) [handled] = handled (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (15) } # Auth-Type eap = handled (15) Using Post-Auth-Type Challenge (15) Post-Auth-Type sub-section not found. Ignoring. (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) session-state: Saving cached attributes (15) Framed-MTU = 1014 (15) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (15) Sent Access-Challenge Id 162 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1090 (15) EAP-Message = 0x0103040019c000001135160303003d020000390303f0334014735b9a350f95ccc549063d3e99ba127b1d030030444f574e4752440100c010000011ff01000100000b000401000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x1a0c7e771b0f675279b57cf47df95d07 (15) Finished request (16) Received Access-Request Id 163 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (16) User-Name = anonymous@unibe.ch (16) Service-Type = Framed-User (16) Cisco-AVPair = "service-type=Framed" (16) Framed-MTU = 1485 (16) EAP-Message = 0x020100061900 (16) Message-Authenticator = 0x256013f8a4cd33b09aea930439831655 (16) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (16) Cisco-AVPair = "method=dot1x" (16) Cisco-AVPair = "client-iif-id=2818574557" (16) Cisco-AVPair = "vlan-id=1000" (16) NAS-IP-Address = 1.2.3.4 (16) NAS-Port-Id = "capwap_9000000c" (16) NAS-Port-Type = Wireless-802.11 (16) NAS-Port = 4211 (16) State = 0x1a0c7e771b0f675279b57cf47df95d07 (16) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (16) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (16) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (16) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (16) Airespace-Wlan-Id = 97 (16) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (16) WLAN-Group-Cipher = 1027076 (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027075 (16) WLAN-Group-Mgmt-Cipher = 1027078 (16) Restoring &session-state (16) &session-state:Framed-MTU = 1014 (16) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) # Executing section authorize from file /etc/freeradius/sites-enabled/default (16) authorize { (16) policy rewrite_called_station_id { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> 2C-E3-8E-ED-31-E0 (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (16) } # update request = noop (16) if ("%{8}") { (16) EXPAND %{8} (16) --> eduroam (16) if ("%{8}") -> TRUE (16) if ("%{8}") { (16) update request { (16) EXPAND %{8} (16) --> eduroam (16) &Called-Station-SSID := eduroam (16) EXPAND %{Called-Station-Id}:%{8} (16) --> 2C-E3-8E-ED-31-E0:eduroam (16) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (16) } # update request = noop (16) } # if ("%{8}") = noop (16) [updated] = updated (16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_called_station_id = updated (16) policy rewrite_calling_station_id { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (16) update request { (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (16) --> AC-DF-A1-B1-F1-5A (16) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (16) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (16) --> AC:DF:A1:B1:F1:5A (16) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (16) } # update request = noop (16) [updated] = updated (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (16) ... skipping else: Preceding "if" was taken (16) } # policy rewrite_calling_station_id = updated (16) if (Service-Type == Call-Check) { (16) if (Service-Type == Call-Check) -> FALSE (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) EXPAND Packet-Src-IP-Address (16) --> 1.2.3.4 (16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (16) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (16) if (EAP-Message) { (16) if (EAP-Message) -> TRUE (16) if (EAP-Message) { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = updated (16) } # policy filter_username = updated (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (16) suffix: Found realm "UNIBE.CH" (16) suffix: Adding Realm = "UNIBE.CH" (16) suffix: Authentication realm is LOCAL (16) [suffix] = ok (16) policy deny_no_realm { (16) if (User-Name && (User-Name !~ /@/)) { (16) if (User-Name && (User-Name !~ /@/)) -> FALSE (16) } # policy deny_no_realm = updated (16) update request { (16) EXPAND %{toupper:%{Realm}} (16) --> UNIBE.CH (16) Realm := UNIBE.CH (16) } # update request = noop (16) eap: Peer sent EAP Response (code 2) ID 3 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # if (EAP-Message) = ok (16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (16) } # authorize = updated (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) Auth-Type eap { (16) eap: Removing EAP session with state 0x1a0c7e771b0f6752 (16) eap: Previous EAP request found for state 0x1a0c7e771b0f6752, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: (TLS) Peer ACKed our handshake fragment (16) eap: Sending EAP Request (code 1) ID 4 length 1020 (16) eap: EAP session adding &reply:State = 0x1a0c7e7718086752 (16) [eap] = handled (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) EXPAND Response-Packet-Type (16) --> Access-Challenge (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (16) if (handled && (Response-Packet-Type == Access-Challenge)) { (16) attr_filter.access_challenge: EXPAND %{User-Name} (16) attr_filter.access_challenge: --> anonymous@unibe.ch (16) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (16) [attr_filter.access_challenge.post-auth] = updated (16) [handled] = handled (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (16) } # Auth-Type eap = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) session-state: Saving cached attributes (16) Framed-MTU = 1014 (16) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (16) Sent Access-Challenge Id 163 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (16) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040210003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x1a0c7e771808675279b57cf47df95d07 (16) Finished request (17) Received Access-Request Id 164 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (17) User-Name = anonymous@unibe.ch (17) Service-Type = Framed-User (17) Cisco-AVPair = "service-type=Framed" (17) Framed-MTU = 1485 (17) EAP-Message = 0x020400061900 (17) Message-Authenticator = 0x6f9b085346287fdd22fc589a3c0b70f2 (17) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (17) Cisco-AVPair = "method=dot1x" (17) Cisco-AVPair = "client-iif-id=2818574557" (17) Cisco-AVPair = "vlan-id=1000" (17) NAS-IP-Address = 1.2.3.4 (17) NAS-Port-Id = "capwap_9000000c" (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 4211 (17) State = 0x1a0c7e771808675279b57cf47df95d07 (17) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (17) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (17) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (17) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (17) Airespace-Wlan-Id = 97 (17) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (17) WLAN-Group-Cipher = 1027076 (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027075 (17) WLAN-Group-Mgmt-Cipher = 1027078 (17) Restoring &session-state (17) &session-state:Framed-MTU = 1014 (17) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) # Executing section authorize from file /etc/freeradius/sites-enabled/default (17) authorize { (17) policy rewrite_called_station_id { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> 2C-E3-8E-ED-31-E0 (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (17) } # update request = noop (17) if ("%{8}") { (17) EXPAND %{8} (17) --> eduroam (17) if ("%{8}") -> TRUE (17) if ("%{8}") { (17) update request { (17) EXPAND %{8} (17) --> eduroam (17) &Called-Station-SSID := eduroam (17) EXPAND %{Called-Station-Id}:%{8} (17) --> 2C-E3-8E-ED-31-E0:eduroam (17) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (17) } # update request = noop (17) } # if ("%{8}") = noop (17) [updated] = updated (17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_called_station_id = updated (17) policy rewrite_calling_station_id { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (17) update request { (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (17) --> AC-DF-A1-B1-F1-5A (17) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (17) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (17) --> AC:DF:A1:B1:F1:5A (17) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (17) } # update request = noop (17) [updated] = updated (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (17) ... skipping else: Preceding "if" was taken (17) } # policy rewrite_calling_station_id = updated (17) if (Service-Type == Call-Check) { (17) if (Service-Type == Call-Check) -> FALSE (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) EXPAND Packet-Src-IP-Address (17) --> 1.2.3.4 (17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (17) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (17) if (EAP-Message) { (17) if (EAP-Message) -> TRUE (17) if (EAP-Message) { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = updated (17) } # policy filter_username = updated (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (17) suffix: Found realm "UNIBE.CH" (17) suffix: Adding Realm = "UNIBE.CH" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) policy deny_no_realm { (17) if (User-Name && (User-Name !~ /@/)) { (17) if (User-Name && (User-Name !~ /@/)) -> FALSE (17) } # policy deny_no_realm = updated (17) update request { (17) EXPAND %{toupper:%{Realm}} (17) --> UNIBE.CH (17) Realm := UNIBE.CH (17) } # update request = noop (17) eap: Peer sent EAP Response (code 2) ID 4 length 6 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # if (EAP-Message) = ok (17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (17) } # authorize = updated (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) Auth-Type eap { (17) eap: Removing EAP session with state 0x1a0c7e7718086752 (17) eap: Previous EAP request found for state 0x1a0c7e7718086752, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: (TLS) Peer ACKed our handshake fragment (17) eap: Sending EAP Request (code 1) ID 5 length 1020 (17) eap: EAP session adding &reply:State = 0x1a0c7e7719096752 (17) [eap] = handled (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) EXPAND Response-Packet-Type (17) --> Access-Challenge (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (17) if (handled && (Response-Packet-Type == Access-Challenge)) { (17) attr_filter.access_challenge: EXPAND %{User-Name} (17) attr_filter.access_challenge: --> anonymous@unibe.ch (17) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (17) [attr_filter.access_challenge.post-auth] = updated (17) [handled] = handled (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (17) } # Auth-Type eap = handled (17) Using Post-Auth-Type Challenge (17) Post-Auth-Type sub-section not found. Ignoring. (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) session-state: Saving cached attributes (17) Framed-MTU = 1014 (17) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (17) Sent Access-Challenge Id 164 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (17) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x1a0c7e771909675279b57cf47df95d07 (17) Finished request (18) Received Access-Request Id 165 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (18) User-Name = anonymous@unibe.ch (18) Service-Type = Framed-User (18) Cisco-AVPair = "service-type=Framed" (18) Framed-MTU = 1485 (18) EAP-Message = 0x020500061900 (18) Message-Authenticator = 0xc196c62add7f8f693998f8856485d83b (18) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (18) Cisco-AVPair = "method=dot1x" (18) Cisco-AVPair = "client-iif-id=2818574557" (18) Cisco-AVPair = "vlan-id=1000" (18) NAS-IP-Address = 1.2.3.4 (18) NAS-Port-Id = "capwap_9000000c" (18) NAS-Port-Type = Wireless-802.11 (18) NAS-Port = 4211 (18) State = 0x1a0c7e771909675279b57cf47df95d07 (18) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (18) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (18) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (18) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (18) Airespace-Wlan-Id = 97 (18) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (18) WLAN-Group-Cipher = 1027076 (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027075 (18) WLAN-Group-Mgmt-Cipher = 1027078 (18) Restoring &session-state (18) &session-state:Framed-MTU = 1014 (18) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) # Executing section authorize from file /etc/freeradius/sites-enabled/default (18) authorize { (18) policy rewrite_called_station_id { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (18) update request { Waking up in 0.2 seconds. (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> 2C-E3-8E-ED-31-E0 (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (18) } # update request = noop (18) if ("%{8}") { (18) EXPAND %{8} (18) --> eduroam (18) if ("%{8}") -> TRUE (18) if ("%{8}") { (18) update request { (18) EXPAND %{8} (18) --> eduroam (18) &Called-Station-SSID := eduroam (18) EXPAND %{Called-Station-Id}:%{8} (18) --> 2C-E3-8E-ED-31-E0:eduroam (18) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (18) } # update request = noop (18) } # if ("%{8}") = noop (18) [updated] = updated (18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_called_station_id = updated (18) policy rewrite_calling_station_id { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (18) update request { (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (18) --> AC-DF-A1-B1-F1-5A (18) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (18) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (18) --> AC:DF:A1:B1:F1:5A (18) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (18) } # update request = noop (18) [updated] = updated (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (18) ... skipping else: Preceding "if" was taken (18) } # policy rewrite_calling_station_id = updated (18) if (Service-Type == Call-Check) { (18) if (Service-Type == Call-Check) -> FALSE (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) EXPAND Packet-Src-IP-Address (18) --> 1.2.3.4 (18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (18) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (18) if (EAP-Message) { (18) if (EAP-Message) -> TRUE (18) if (EAP-Message) { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = updated (18) } # policy filter_username = updated (18) suffix: Checking for suffix after "@" (18) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (18) suffix: Found realm "UNIBE.CH" (18) suffix: Adding Realm = "UNIBE.CH" (18) suffix: Authentication realm is LOCAL (18) [suffix] = ok (18) policy deny_no_realm { (18) if (User-Name && (User-Name !~ /@/)) { (18) if (User-Name && (User-Name !~ /@/)) -> FALSE (18) } # policy deny_no_realm = updated (18) update request { (18) EXPAND %{toupper:%{Realm}} (18) --> UNIBE.CH (18) Realm := UNIBE.CH (18) } # update request = noop (18) eap: Peer sent EAP Response (code 2) ID 5 length 6 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # if (EAP-Message) = ok (18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) Auth-Type eap { (18) eap: Removing EAP session with state 0x1a0c7e7719096752 (18) eap: Previous EAP request found for state 0x1a0c7e7719096752, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: (TLS) Peer ACKed our handshake fragment (18) eap: Sending EAP Request (code 1) ID 6 length 1020 (18) eap: EAP session adding &reply:State = 0x1a0c7e771e0a6752 (18) [eap] = handled (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) EXPAND Response-Packet-Type (18) --> Access-Challenge (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (18) if (handled && (Response-Packet-Type == Access-Challenge)) { (18) attr_filter.access_challenge: EXPAND %{User-Name} (18) attr_filter.access_challenge: --> anonymous@unibe.ch (18) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (18) [attr_filter.access_challenge.post-auth] = updated (18) [handled] = handled (18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (18) } # Auth-Type eap = handled (18) Using Post-Auth-Type Challenge (18) Post-Auth-Type sub-section not found. Ignoring. (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) session-state: Saving cached attributes (18) Framed-MTU = 1014 (18) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (18) Sent Access-Challenge Id 165 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086 (18) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x1a0c7e771e0a675279b57cf47df95d07 (18) Finished request (19) Received Access-Request Id 166 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (19) User-Name = anonymous@unibe.ch (19) Service-Type = Framed-User (19) Cisco-AVPair = "service-type=Framed" (19) Framed-MTU = 1485 (19) EAP-Message = 0x020600061900 (19) Message-Authenticator = 0x572ab59ccb8ceac06d4c053497b4dad6 (19) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (19) Cisco-AVPair = "method=dot1x" (19) Cisco-AVPair = "client-iif-id=2818574557" (19) Cisco-AVPair = "vlan-id=1000" (19) NAS-IP-Address = 1.2.3.4 (19) NAS-Port-Id = "capwap_9000000c" (19) NAS-Port-Type = Wireless-802.11 (19) NAS-Port = 4211 (19) State = 0x1a0c7e771e0a675279b57cf47df95d07 (19) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (19) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (19) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (19) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (19) Airespace-Wlan-Id = 97 (19) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (19) WLAN-Group-Cipher = 1027076 (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027075 (19) WLAN-Group-Mgmt-Cipher = 1027078 (19) Restoring &session-state (19) &session-state:Framed-MTU = 1014 (19) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) # Executing section authorize from file /etc/freeradius/sites-enabled/default (19) authorize { (19) policy rewrite_called_station_id { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> 2C-E3-8E-ED-31-E0 (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (19) } # update request = noop (19) if ("%{8}") { (19) EXPAND %{8} (19) --> eduroam (19) if ("%{8}") -> TRUE (19) if ("%{8}") { (19) update request { (19) EXPAND %{8} (19) --> eduroam (19) &Called-Station-SSID := eduroam (19) EXPAND %{Called-Station-Id}:%{8} (19) --> 2C-E3-8E-ED-31-E0:eduroam (19) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (19) } # update request = noop (19) } # if ("%{8}") = noop (19) [updated] = updated (19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_called_station_id = updated (19) policy rewrite_calling_station_id { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (19) update request { (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (19) --> AC-DF-A1-B1-F1-5A (19) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (19) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (19) --> AC:DF:A1:B1:F1:5A (19) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (19) } # update request = noop (19) [updated] = updated (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (19) ... skipping else: Preceding "if" was taken (19) } # policy rewrite_calling_station_id = updated (19) if (Service-Type == Call-Check) { (19) if (Service-Type == Call-Check) -> FALSE (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) EXPAND Packet-Src-IP-Address (19) --> 1.2.3.4 (19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (19) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (19) if (EAP-Message) { (19) if (EAP-Message) -> TRUE (19) if (EAP-Message) { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = updated (19) } # policy filter_username = updated (19) suffix: Checking for suffix after "@" (19) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (19) suffix: Found realm "UNIBE.CH" (19) suffix: Adding Realm = "UNIBE.CH" (19) suffix: Authentication realm is LOCAL (19) [suffix] = ok (19) policy deny_no_realm { (19) if (User-Name && (User-Name !~ /@/)) { (19) if (User-Name && (User-Name !~ /@/)) -> FALSE (19) } # policy deny_no_realm = updated (19) update request { (19) EXPAND %{toupper:%{Realm}} (19) --> UNIBE.CH (19) Realm := UNIBE.CH (19) } # update request = noop (19) eap: Peer sent EAP Response (code 2) ID 6 length 6 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # if (EAP-Message) = ok (19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) Auth-Type eap { (19) eap: Removing EAP session with state 0x1a0c7e771e0a6752 (19) eap: Previous EAP request found for state 0x1a0c7e771e0a6752, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: (TLS) Peer ACKed our handshake fragment (19) eap: Sending EAP Request (code 1) ID 7 length 355 (19) eap: EAP session adding &reply:State = 0x1a0c7e771f0b6752 (19) [eap] = handled (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) EXPAND Response-Packet-Type (19) --> Access-Challenge (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (19) if (handled && (Response-Packet-Type == Access-Challenge)) { (19) attr_filter.access_challenge: EXPAND %{User-Name} (19) attr_filter.access_challenge: --> anonymous@unibe.ch (19) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (19) [attr_filter.access_challenge.post-auth] = updated (19) [handled] = handled (19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (19) } # Auth-Type eap = handled (19) Using Post-Auth-Type Challenge (19) Post-Auth-Type sub-section not found. Ignoring. (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) session-state: Saving cached attributes (19) Framed-MTU = 1014 (19) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (19) Sent Access-Challenge Id 166 from 130.92.10.33:1812 to 1.2.3.4:63606 length 415 (19) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104b201a57bca112447dfce17a89ba625c372e0c009eea006a95c79ba5b83514cfc4abe5c00673d4584a35b11ecef0ee23a6e2a18d0c95f8a48f744f685b7bfb054040101001e420d428e4df3bafadfc43614f7e02a46b54eb352afdd238fbe58786c1286d9f48726ae0f45415d47bfb81a54ebf3ac667c828dea5428d65f8c0a1634fc04cd2fddd88809d833251f68c1b85caea91c7c135b8d87ee7b5c91c3fec8e93d09ae2157a548d07e80f8a8ba9cc9267bef2fc1e9433312e89e45d1dbf9650fa7c0f5eb555b12ebf51e2575fe325de4871702c00041a05bf89a779a12f8b0eba2fe702054fb0fc16ec288b6861c55fd6d9a853a574516dbb5684d8b61318e526bc7328643edc25ee4692ac13c9843aba9a028992b5befa9331b65a63b890e5432d66d27e4fc6eae4f0aa2625394096c5e7e469992c9e8003b3af457be9e8309fac01116030100040e000000 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0x1a0c7e771f0b675279b57cf47df95d07 (19) Finished request (20) Received Access-Request Id 167 from 1.2.3.4:63606 to 130.92.10.33:1812 length 592 (20) User-Name = anonymous@unibe.ch (20) Service-Type = Framed-User (20) Cisco-AVPair = "service-type=Framed" (20) Framed-MTU = 1485 (20) EAP-Message = 0x0207008819800000007e16030300461000004241044bdd335d8636b35b96f838a591e11c19c257fa1853f19b291dd5e25fc57342414c3f644fb0abbd7078454afdc6a47d7f15433d807ebbb5d30efaeb9bc509783f14030100010116030300283667ef69fc720083fa52d1f339bce71060104b344322cb0514ad95532ba10a78d425cd99eb1ea915 (20) Message-Authenticator = 0xfa3c07c12db0b8ddfacd1df94f1e5aff (20) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (20) Cisco-AVPair = "method=dot1x" (20) Cisco-AVPair = "client-iif-id=2818574557" (20) Cisco-AVPair = "vlan-id=1000" (20) NAS-IP-Address = 1.2.3.4 (20) NAS-Port-Id = "capwap_9000000c" (20) NAS-Port-Type = Wireless-802.11 (20) NAS-Port = 4211 (20) State = 0x1a0c7e771f0b675279b57cf47df95d07 (20) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (20) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (20) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (20) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (20) Airespace-Wlan-Id = 97 (20) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (20) WLAN-Group-Cipher = 1027076 (20) WLAN-Pairwise-Cipher = 1027076 (20) WLAN-AKM-Suite = 1027075 (20) WLAN-Group-Mgmt-Cipher = 1027078 (20) Restoring &session-state (20) &session-state:Framed-MTU = 1014 (20) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) # Executing section authorize from file /etc/freeradius/sites-enabled/default (20) authorize { (20) policy rewrite_called_station_id { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> 2C-E3-8E-ED-31-E0 (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (20) } # update request = noop (20) if ("%{8}") { (20) EXPAND %{8} (20) --> eduroam (20) if ("%{8}") -> TRUE (20) if ("%{8}") { (20) update request { (20) EXPAND %{8} (20) --> eduroam (20) &Called-Station-SSID := eduroam (20) EXPAND %{Called-Station-Id}:%{8} (20) --> 2C-E3-8E-ED-31-E0:eduroam (20) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (20) } # update request = noop (20) } # if ("%{8}") = noop (20) [updated] = updated (20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_called_station_id = updated (20) policy rewrite_calling_station_id { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (20) update request { (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (20) --> AC-DF-A1-B1-F1-5A (20) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (20) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (20) --> AC:DF:A1:B1:F1:5A (20) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (20) } # update request = noop (20) [updated] = updated (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (20) ... skipping else: Preceding "if" was taken (20) } # policy rewrite_calling_station_id = updated (20) if (Service-Type == Call-Check) { (20) if (Service-Type == Call-Check) -> FALSE (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) EXPAND Packet-Src-IP-Address (20) --> 1.2.3.4 (20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (20) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (20) if (EAP-Message) { (20) if (EAP-Message) -> TRUE (20) if (EAP-Message) { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = updated (20) } # policy filter_username = updated (20) suffix: Checking for suffix after "@" (20) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (20) suffix: Found realm "UNIBE.CH" (20) suffix: Adding Realm = "UNIBE.CH" (20) suffix: Authentication realm is LOCAL (20) [suffix] = ok (20) policy deny_no_realm { (20) if (User-Name && (User-Name !~ /@/)) { (20) if (User-Name && (User-Name !~ /@/)) -> FALSE (20) } # policy deny_no_realm = updated (20) update request { (20) EXPAND %{toupper:%{Realm}} (20) --> UNIBE.CH (20) Realm := UNIBE.CH (20) } # update request = noop (20) eap: Peer sent EAP Response (code 2) ID 7 length 136 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # if (EAP-Message) = ok (20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (20) } # authorize = updated (20) Found Auth-Type = eap (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) Auth-Type eap { (20) eap: Removing EAP session with state 0x1a0c7e771f0b6752 (20) eap: Previous EAP request found for state 0x1a0c7e771f0b6752, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (20) eap_peap: (TLS) EAP Got all data (126 bytes) (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (20) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (20) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (20) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (20) eap_peap: (TLS) PEAP - Connection Established (20) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) eap_peap: TLS-Session-Version = "TLS 1.2" (20) eap: Sending EAP Request (code 1) ID 8 length 57 (20) eap: EAP session adding &reply:State = 0x1a0c7e771c046752 (20) [eap] = handled (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) EXPAND Response-Packet-Type (20) --> Access-Challenge (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (20) if (handled && (Response-Packet-Type == Access-Challenge)) { (20) attr_filter.access_challenge: EXPAND %{User-Name} (20) attr_filter.access_challenge: --> anonymous@unibe.ch (20) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (20) [attr_filter.access_challenge.post-auth] = updated (20) [handled] = handled (20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (20) } # Auth-Type eap = handled (20) Using Post-Auth-Type Challenge (20) Post-Auth-Type sub-section not found. Ignoring. (20) # Executing group from file /etc/freeradius/sites-enabled/default (20) session-state: Saving cached attributes (20) Framed-MTU = 1014 (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (20) TLS-Session-Version = "TLS 1.2" (20) Sent Access-Challenge Id 167 from 130.92.10.33:1812 to 1.2.3.4:63606 length 115 (20) EAP-Message = 0x010800391900140301000101160303002869cd9549766a5c057197e758662301e6fe3808b412033491c980bcc9560e2fe6e86f4e532b875f92 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0x1a0c7e771c04675279b57cf47df95d07 (20) Finished request (21) Received Access-Request Id 168 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462 (21) User-Name = anonymous@unibe.ch (21) Service-Type = Framed-User (21) Cisco-AVPair = "service-type=Framed" (21) Framed-MTU = 1485 (21) EAP-Message = 0x020800061900 (21) Message-Authenticator = 0x9c7f30b1e78bb9f5274c566d1a73f367 (21) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (21) Cisco-AVPair = "method=dot1x" (21) Cisco-AVPair = "client-iif-id=2818574557" (21) Cisco-AVPair = "vlan-id=1000" (21) NAS-IP-Address = 1.2.3.4 (21) NAS-Port-Id = "capwap_9000000c" (21) NAS-Port-Type = Wireless-802.11 (21) NAS-Port = 4211 (21) State = 0x1a0c7e771c04675279b57cf47df95d07 (21) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (21) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (21) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (21) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (21) Airespace-Wlan-Id = 97 (21) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (21) WLAN-Group-Cipher = 1027076 (21) WLAN-Pairwise-Cipher = 1027076 (21) WLAN-AKM-Suite = 1027075 (21) WLAN-Group-Mgmt-Cipher = 1027078 (21) Restoring &session-state (21) &session-state:Framed-MTU = 1014 (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" Waking up in 0.2 seconds. (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) &session-state:TLS-Session-Version = "TLS 1.2" (21) # Executing section authorize from file /etc/freeradius/sites-enabled/default (21) authorize { (21) policy rewrite_called_station_id { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> 2C-E3-8E-ED-31-E0 (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (21) } # update request = noop (21) if ("%{8}") { (21) EXPAND %{8} (21) --> eduroam (21) if ("%{8}") -> TRUE (21) if ("%{8}") { (21) update request { (21) EXPAND %{8} (21) --> eduroam (21) &Called-Station-SSID := eduroam (21) EXPAND %{Called-Station-Id}:%{8} (21) --> 2C-E3-8E-ED-31-E0:eduroam (21) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (21) } # update request = noop (21) } # if ("%{8}") = noop (21) [updated] = updated (21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_called_station_id = updated (21) policy rewrite_calling_station_id { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (21) update request { (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (21) --> AC-DF-A1-B1-F1-5A (21) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (21) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (21) --> AC:DF:A1:B1:F1:5A (21) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (21) } # update request = noop (21) [updated] = updated (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (21) ... skipping else: Preceding "if" was taken (21) } # policy rewrite_calling_station_id = updated (21) if (Service-Type == Call-Check) { (21) if (Service-Type == Call-Check) -> FALSE (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) EXPAND Packet-Src-IP-Address (21) --> 1.2.3.4 (21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (21) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = updated (21) } # policy filter_username = updated (21) suffix: Checking for suffix after "@" (21) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (21) suffix: Found realm "UNIBE.CH" (21) suffix: Adding Realm = "UNIBE.CH" (21) suffix: Authentication realm is LOCAL (21) [suffix] = ok (21) policy deny_no_realm { (21) if (User-Name && (User-Name !~ /@/)) { (21) if (User-Name && (User-Name !~ /@/)) -> FALSE (21) } # policy deny_no_realm = updated (21) update request { (21) EXPAND %{toupper:%{Realm}} (21) --> UNIBE.CH (21) Realm := UNIBE.CH (21) } # update request = noop (21) eap: Peer sent EAP Response (code 2) ID 8 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # if (EAP-Message) = ok (21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (21) } # authorize = updated (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) Auth-Type eap { (21) eap: Removing EAP session with state 0x1a0c7e771c046752 (21) eap: Previous EAP request found for state 0x1a0c7e771c046752, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (21) eap_peap: Session established. Decoding tunneled attributes (21) eap_peap: PEAP state TUNNEL ESTABLISHED (21) eap: Sending EAP Request (code 1) ID 9 length 40 (21) eap: EAP session adding &reply:State = 0x1a0c7e771d056752 (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> anonymous@unibe.ch (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) Post-Auth-Type sub-section not found. Ignoring. (21) # Executing group from file /etc/freeradius/sites-enabled/default (21) session-state: Saving cached attributes (21) Framed-MTU = 1014 (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (21) TLS-Session-Version = "TLS 1.2" (21) Sent Access-Challenge Id 168 from 130.92.10.33:1812 to 1.2.3.4:63606 length 98 (21) EAP-Message = 0x010900281900170303001d69cd9549766a5c065b771e1e6ad4419bc5deec9aca8c6dc933d69e4320 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0x1a0c7e771d05675279b57cf47df95d07 (21) Finished request (22) Received Access-Request Id 169 from 1.2.3.4:63606 to 130.92.10.33:1812 length 516 (22) User-Name = anonymous@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Framed-MTU = 1485 (22) EAP-Message = 0x0209003c190017030300313667ef69fc720084f72dcb9c5d07674afc517dc2cee1604014c42f78dd87c1fc4dd53bf9579819c736546b1d6568257d75 (22) Message-Authenticator = 0x06ac4226a9e15764f25be4a011e74e0d (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) State = 0x1a0c7e771d05675279b57cf47df95d07 (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (22) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) Restoring &session-state (22) &session-state:Framed-MTU = 1014 (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) &session-state:TLS-Session-Version = "TLS 1.2" (22) # Executing section authorize from file /etc/freeradius/sites-enabled/default (22) authorize { (22) policy rewrite_called_station_id { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> 2C-E3-8E-ED-31-E0 (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (22) } # update request = noop (22) if ("%{8}") { (22) EXPAND %{8} (22) --> eduroam (22) if ("%{8}") -> TRUE (22) if ("%{8}") { (22) update request { (22) EXPAND %{8} (22) --> eduroam (22) &Called-Station-SSID := eduroam (22) EXPAND %{Called-Station-Id}:%{8} (22) --> 2C-E3-8E-ED-31-E0:eduroam (22) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (22) } # update request = noop (22) } # if ("%{8}") = noop (22) [updated] = updated (22) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_called_station_id = updated (22) policy rewrite_calling_station_id { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (22) update request { (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (22) --> AC-DF-A1-B1-F1-5A (22) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (22) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (22) --> AC:DF:A1:B1:F1:5A (22) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (22) } # update request = noop (22) [updated] = updated (22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (22) ... skipping else: Preceding "if" was taken (22) } # policy rewrite_calling_station_id = updated (22) if (Service-Type == Call-Check) { (22) if (Service-Type == Call-Check) -> FALSE (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) EXPAND Packet-Src-IP-Address (22) --> 1.2.3.4 (22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (22) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (22) if (EAP-Message) { (22) if (EAP-Message) -> TRUE (22) if (EAP-Message) { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = updated (22) } # policy filter_username = updated (22) suffix: Checking for suffix after "@" (22) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (22) suffix: Found realm "UNIBE.CH" (22) suffix: Adding Realm = "UNIBE.CH" (22) suffix: Authentication realm is LOCAL (22) [suffix] = ok (22) policy deny_no_realm { (22) if (User-Name && (User-Name !~ /@/)) { (22) if (User-Name && (User-Name !~ /@/)) -> FALSE (22) } # policy deny_no_realm = updated (22) update request { (22) EXPAND %{toupper:%{Realm}} (22) --> UNIBE.CH (22) Realm := UNIBE.CH (22) } # update request = noop (22) eap: Peer sent EAP Response (code 2) ID 9 length 60 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # if (EAP-Message) = ok (22) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Auth-Type eap { (22) eap: Removing EAP session with state 0x1a0c7e771d056752 (22) eap: Previous EAP request found for state 0x1a0c7e771d056752, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: (TLS) EAP Done initial handshake (22) eap_peap: Session established. Decoding tunneled attributes (22) eap_peap: PEAP state WAITING FOR INNER IDENTITY (22) eap_peap: Identity - jon.doe@unibe.ch (22) eap_peap: Got inner identity 'jon.doe@unibe.ch' (22) eap_peap: Setting default EAP type for tunneled EAP session (22) eap_peap: Got tunneled request (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: Setting User-Name to jon.doe@unibe.ch (22) eap_peap: Sending tunneled request to proxy-inner-tunnel (22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (22) eap_peap: User-Name = jon.doe@unibe.ch (22) eap_peap: Service-Type = Framed-User (22) eap_peap: Cisco-AVPair = "service-type=Framed" (22) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) eap_peap: Cisco-AVPair = "method=dot1x" (22) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (22) eap_peap: Cisco-AVPair = "vlan-id=1000" (22) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) eap_peap: Framed-MTU = 1485 (22) eap_peap: NAS-IP-Address = 1.2.3.4 (22) eap_peap: NAS-Port-Id = "capwap_9000000c" (22) eap_peap: NAS-Port-Type = Wireless-802.11 (22) eap_peap: NAS-Port = 4211 (22) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) eap_peap: Airespace-Wlan-Id = 97 (22) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) eap_peap: WLAN-Group-Cipher = 1027076 (22) eap_peap: WLAN-Pairwise-Cipher = 1027076 (22) eap_peap: WLAN-AKM-Suite = 1027075 (22) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (22) Virtual server proxy-inner-tunnel received request (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) FreeRADIUS-Proxied-To = 127.0.0.1 (22) User-Name = jon.doe@unibe.ch (22) Service-Type = Framed-User (22) Cisco-AVPair = "service-type=Framed" (22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (22) Cisco-AVPair = "method=dot1x" (22) Cisco-AVPair = "client-iif-id=2818574557" (22) Cisco-AVPair = "vlan-id=1000" (22) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (22) Framed-MTU = 1485 (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Id = "capwap_9000000c" (22) NAS-Port-Type = Wireless-802.11 (22) NAS-Port = 4211 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) Airespace-Wlan-Id = 97 (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) WLAN-Group-Cipher = 1027076 (22) WLAN-Pairwise-Cipher = 1027076 (22) WLAN-AKM-Suite = 1027075 (22) WLAN-Group-Mgmt-Cipher = 1027078 (22) server proxy-inner-tunnel { (22) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (22) authorize { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (22) if (!NAS-Port-Type){ (22) if (!NAS-Port-Type) -> FALSE (22) update control { (22) &Proxy-To-Realm := REALM-NPS-DEV (22) } # update control = noop (22) } # authorize = noop (22) } # server proxy-inner-tunnel (22) Virtual server sending reply (22) eap_peap: Got tunneled reply code 0 (22) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (22) eap: WARNING: Tunneled session will be proxied. Not doing EAP (22) [eap] = handled (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) EXPAND Response-Packet-Type (22) --> (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (22) } # Auth-Type eap = handled (22) Starting proxy to home server 9.9.9.9 port 1812 (22) server default { (22) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (22) pre-proxy { (22) attr_filter.pre-proxy: EXPAND %{Realm} (22) attr_filter.pre-proxy: --> UNIBE.CH (22) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (22) [attr_filter.pre-proxy] = updated (22) } # pre-proxy = updated (22) } (22) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (22) Sent Access-Request Id 22 from 0.0.0.0:57225 to 9.9.9.9:1812 length 196 (22) Operator-Name := "1unibe.ch" (22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (22) User-Name = jon.doe@unibe.ch (22) NAS-IP-Address = 1.2.3.4 (22) NAS-Port-Type = Wireless-802.11 (22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (22) Message-Authenticator = 0x (22) Proxy-State = 0x313639 (22) Clearing existing &reply: attributes (22) Received Access-Challenge Id 22 from 9.9.9.9:1812 to 130.92.10.33:57225 length 128 (22) Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) Proxy-State = 0x313639 (22) Session-Timeout = 60 (22) EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) server default { Waking up in 0.2 seconds. (22) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (22) post-proxy { (22) attr_filter.post-proxy: EXPAND %{Realm} (22) attr_filter.post-proxy: --> UNIBE.CH (22) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (22) [attr_filter.post-proxy] = updated (22) eap: Doing post-proxy callback (22) eap: Passing reply from proxy back into the tunnel (22) eap: Got tunneled reply RADIUS code 11 (22) eap: Tunnel-Type := VLAN (22) eap: Tunnel-Medium-Type := IEEE-802 (22) eap: Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3 (22) eap: Proxy-State = 0x313639 (22) eap: EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632 (22) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (22) eap: Got tunneled Access-Challenge (22) eap: Reply was handled (22) eap: Sending EAP Request (code 1) ID 10 length 70 (22) eap: EAP session adding &reply:State = 0x1a0c7e7712066752 (22) [eap] = ok (22) } # post-proxy = updated (22) } (22) session-state: Saving cached attributes (22) Framed-MTU = 1014 (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (22) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (22) TLS-Session-Version = "TLS 1.2" (22) Using Post-Auth-Type Challenge (22) Post-Auth-Type sub-section not found. Ignoring. (22) # Executing group from file /etc/freeradius/sites-enabled/default (22) Sent Access-Challenge Id 169 from 130.92.10.33:1812 to 1.2.3.4:63606 length 128 (22) EAP-Message = 0x010a00461900170303003b69cd9549766a5c07e7a533b4954f2b8a2f7d523485391d6347a7c8b129d5f82e531ee88bad59bbd4d844e6ca0cdcd6368cc58ada378c7aa1d5fb65 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0x1a0c7e771206675279b57cf47df95d07 (22) Finished request (23) Received Access-Request Id 170 from 1.2.3.4:63606 to 130.92.10.33:1812 length 570 (23) User-Name = anonymous@unibe.ch (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Framed-MTU = 1485 (23) EAP-Message = 0x020a0072190017030300673667ef69fc7200855481c10f1f4a4302825d6e8e053a95b0043c86a557ab14b7cff518ef0e171c44cf1611aa60a6c005975617ce937379fa7458eb80d9295d9eec138d40cce24f5c736bc8763e2ef3ed83500c10663e2db0027b9bccb0657050e251766881076a (23) Message-Authenticator = 0xbae882ea47144349739d08cdc2273497 (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) State = 0x1a0c7e771206675279b57cf47df95d07 (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (23) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/default (23) authorize { (23) policy rewrite_called_station_id { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> 2C-E3-8E-ED-31-E0 (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (23) } # update request = noop (23) if ("%{8}") { (23) EXPAND %{8} (23) --> eduroam (23) if ("%{8}") -> TRUE (23) if ("%{8}") { (23) update request { (23) EXPAND %{8} (23) --> eduroam (23) &Called-Station-SSID := eduroam (23) EXPAND %{Called-Station-Id}:%{8} (23) --> 2C-E3-8E-ED-31-E0:eduroam (23) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (23) } # update request = noop (23) } # if ("%{8}") = noop (23) [updated] = updated (23) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_called_station_id = updated (23) policy rewrite_calling_station_id { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (23) update request { (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (23) --> AC-DF-A1-B1-F1-5A (23) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (23) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (23) --> AC:DF:A1:B1:F1:5A (23) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (23) } # update request = noop (23) [updated] = updated (23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (23) ... skipping else: Preceding "if" was taken (23) } # policy rewrite_calling_station_id = updated (23) if (Service-Type == Call-Check) { (23) if (Service-Type == Call-Check) -> FALSE (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) EXPAND Packet-Src-IP-Address (23) --> 1.2.3.4 (23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (23) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (23) if (EAP-Message) { (23) if (EAP-Message) -> TRUE (23) if (EAP-Message) { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = updated (23) } # policy filter_username = updated (23) suffix: Checking for suffix after "@" (23) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (23) suffix: Found realm "UNIBE.CH" (23) suffix: Adding Realm = "UNIBE.CH" (23) suffix: Authentication realm is LOCAL (23) [suffix] = ok (23) policy deny_no_realm { (23) if (User-Name && (User-Name !~ /@/)) { (23) if (User-Name && (User-Name !~ /@/)) -> FALSE (23) } # policy deny_no_realm = updated (23) update request { (23) EXPAND %{toupper:%{Realm}} (23) --> UNIBE.CH (23) Realm := UNIBE.CH (23) } # update request = noop (23) eap: Peer sent EAP Response (code 2) ID 10 length 114 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # if (EAP-Message) = ok (23) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Auth-Type eap { (23) eap: Removing EAP session with state 0x1a0c7e7712066752 (23) eap: Previous EAP request found for state 0x1a0c7e7712066752, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: (TLS) EAP Done initial handshake (23) eap_peap: Session established. Decoding tunneled attributes (23) eap_peap: PEAP state phase2 (23) eap_peap: EAP method MSCHAPv2 (26) (23) eap_peap: Got tunneled request (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: Setting User-Name to jon.doe@unibe.ch (23) eap_peap: Sending tunneled request to proxy-inner-tunnel (23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_peap: User-Name = jon.doe@unibe.ch (23) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap_peap: Service-Type = Framed-User (23) eap_peap: Cisco-AVPair = "service-type=Framed" (23) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) eap_peap: Cisco-AVPair = "method=dot1x" (23) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (23) eap_peap: Cisco-AVPair = "vlan-id=1000" (23) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) eap_peap: Framed-MTU = 1485 (23) eap_peap: NAS-IP-Address = 1.2.3.4 (23) eap_peap: NAS-Port-Id = "capwap_9000000c" (23) eap_peap: NAS-Port-Type = Wireless-802.11 (23) eap_peap: NAS-Port = 4211 (23) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) eap_peap: Airespace-Wlan-Id = 97 (23) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) eap_peap: WLAN-Group-Cipher = 1027076 (23) eap_peap: WLAN-Pairwise-Cipher = 1027076 (23) eap_peap: WLAN-AKM-Suite = 1027075 (23) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (23) Virtual server proxy-inner-tunnel received request (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) Service-Type = Framed-User (23) Cisco-AVPair = "service-type=Framed" (23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (23) Cisco-AVPair = "method=dot1x" (23) Cisco-AVPair = "client-iif-id=2818574557" (23) Cisco-AVPair = "vlan-id=1000" (23) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (23) Framed-MTU = 1485 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Id = "capwap_9000000c" (23) NAS-Port-Type = Wireless-802.11 (23) NAS-Port = 4211 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) Airespace-Wlan-Id = 97 (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) WLAN-Group-Cipher = 1027076 (23) WLAN-Pairwise-Cipher = 1027076 (23) WLAN-AKM-Suite = 1027075 (23) WLAN-Group-Mgmt-Cipher = 1027078 (23) server proxy-inner-tunnel { (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (23) authorize { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (23) if (!NAS-Port-Type){ (23) if (!NAS-Port-Type) -> FALSE (23) update control { (23) &Proxy-To-Realm := REALM-NPS-DEV (23) } # update control = noop (23) } # authorize = noop (23) } # server proxy-inner-tunnel (23) Virtual server sending reply (23) eap_peap: Got tunneled reply code 0 (23) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (23) eap: WARNING: Tunneled session will be proxied. Not doing EAP (23) [eap] = handled (23) if (handled && (Response-Packet-Type == Access-Challenge)) { (23) EXPAND Response-Packet-Type (23) --> (23) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (23) } # Auth-Type eap = handled (23) Starting proxy to home server 9.9.9.9 port 1812 (23) server default { (23) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (23) pre-proxy { (23) attr_filter.pre-proxy: EXPAND %{Realm} (23) attr_filter.pre-proxy: --> UNIBE.CH (23) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (23) [attr_filter.pre-proxy] = updated (23) } # pre-proxy = updated (23) } (23) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (23) Sent Access-Request Id 23 from 0.0.0.0:57225 to 9.9.9.9:1812 length 288 (23) Operator-Name := "1unibe.ch" (23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368 (23) User-Name = jon.doe@unibe.ch (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) NAS-IP-Address = 1.2.3.4 (23) NAS-Port-Type = Wireless-802.11 (23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (23) Message-Authenticator = 0x (23) Proxy-State = 0x313730 (23) Clearing existing &reply: attributes (23) Received Access-Challenge Id 23 from 9.9.9.9:1812 to 130.92.10.33:57225 length 140 (23) Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) Proxy-State = 0x313730 (23) Session-Timeout = 60 (23) EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) server default { (23) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (23) post-proxy { (23) attr_filter.post-proxy: EXPAND %{Realm} (23) attr_filter.post-proxy: --> UNIBE.CH (23) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (23) [attr_filter.post-proxy] = updated (23) eap: Doing post-proxy callback (23) eap: Passing reply from proxy back into the tunnel (23) eap: Got tunneled reply RADIUS code 11 (23) eap: Tunnel-Type := VLAN (23) eap: Tunnel-Medium-Type := IEEE-802 (23) eap: Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a (23) eap: Proxy-State = 0x313730 (23) eap: EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (23) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (23) eap: Got tunneled Access-Challenge (23) eap: Reply was handled (23) eap: Sending EAP Request (code 1) ID 11 length 82 (23) eap: EAP session adding &reply:State = 0x1a0c7e7713076752 (23) [eap] = ok (23) } # post-proxy = updated (23) } (23) Using Post-Auth-Type Challenge (23) Post-Auth-Type sub-section not found. Ignoring. (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Sent Access-Challenge Id 170 from 130.92.10.33:1812 to 1.2.3.4:63606 length 140 (23) EAP-Message = 0x010b00521900170303004769cd9549766a5c08877f9dcc3d5bbb0c7718563cf3286f690c07a08da31ea6540f21eb3c1933d7d92dbe22551b18a7d5e2cbf116856b2a68d3fff389ebdb8926e8d42e50522ca4 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0x1a0c7e771307675279b57cf47df95d07 (23) Finished request (24) Received Access-Request Id 171 from 1.2.3.4:63606 to 130.92.10.33:1812 length 493 (24) User-Name = anonymous@unibe.ch (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Framed-MTU = 1485 (24) EAP-Message = 0x020b00251900170303001a3667ef69fc7200864f7f9410f449a59651d6a1975df235030608 (24) Message-Authenticator = 0x9b70bdd088abd8b737cf77c71d3ba2c0 (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) State = 0x1a0c7e771307675279b57cf47df95d07 (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam" (24) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/default (24) authorize { (24) policy rewrite_called_station_id { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> 2C-E3-8E-ED-31-E0 (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0 (24) } # update request = noop (24) if ("%{8}") { (24) EXPAND %{8} (24) --> eduroam (24) if ("%{8}") -> TRUE (24) if ("%{8}") { (24) update request { (24) EXPAND %{8} (24) --> eduroam (24) &Called-Station-SSID := eduroam (24) EXPAND %{Called-Station-Id}:%{8} (24) --> 2C-E3-8E-ED-31-E0:eduroam (24) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam (24) } # update request = noop (24) } # if ("%{8}") = noop (24) [updated] = updated (24) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_called_station_id = updated (24) policy rewrite_calling_station_id { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (24) update request { (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (24) --> AC-DF-A1-B1-F1-5A (24) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (24) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (24) --> AC:DF:A1:B1:F1:5A (24) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A (24) } # update request = noop (24) [updated] = updated (24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (24) ... skipping else: Preceding "if" was taken (24) } # policy rewrite_calling_station_id = updated (24) if (Service-Type == Call-Check) { (24) if (Service-Type == Call-Check) -> FALSE (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) EXPAND Packet-Src-IP-Address (24) --> 1.2.3.4 (24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (24) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (24) if (EAP-Message) { (24) if (EAP-Message) -> TRUE (24) if (EAP-Message) { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = updated (24) } # policy filter_username = updated (24) suffix: Checking for suffix after "@" (24) suffix: Looking up realm "unibe.ch" for User-Name = anonymous@unibe.ch (24) suffix: Found realm "UNIBE.CH" (24) suffix: Adding Realm = "UNIBE.CH" (24) suffix: Authentication realm is LOCAL (24) [suffix] = ok (24) policy deny_no_realm { (24) if (User-Name && (User-Name !~ /@/)) { (24) if (User-Name && (User-Name !~ /@/)) -> FALSE (24) } # policy deny_no_realm = updated (24) update request { (24) EXPAND %{toupper:%{Realm}} (24) --> UNIBE.CH (24) Realm := UNIBE.CH (24) } # update request = noop (24) eap: Peer sent EAP Response (code 2) ID 11 length 37 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # if (EAP-Message) = ok (24) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Auth-Type eap { (24) eap: Removing EAP session with state 0x1a0c7e7713076752 (24) eap: Previous EAP request found for state 0x1a0c7e7713076752, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: (TLS) EAP Done initial handshake (24) eap_peap: Session established. Decoding tunneled attributes (24) eap_peap: PEAP state phase2 (24) eap_peap: EAP method MSCHAPv2 (26) (24) eap_peap: Got tunneled request (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: Setting User-Name to jon.doe@unibe.ch (24) eap_peap: Sending tunneled request to proxy-inner-tunnel (24) eap_peap: EAP-Message = 0x020b00061a03 (24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (24) eap_peap: User-Name = jon.doe@unibe.ch (24) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) eap_peap: Service-Type = Framed-User (24) eap_peap: Cisco-AVPair = "service-type=Framed" (24) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) eap_peap: Cisco-AVPair = "method=dot1x" (24) eap_peap: Cisco-AVPair = "client-iif-id=2818574557" (24) eap_peap: Cisco-AVPair = "vlan-id=1000" (24) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) eap_peap: Framed-MTU = 1485 (24) eap_peap: NAS-IP-Address = 1.2.3.4 (24) eap_peap: NAS-Port-Id = "capwap_9000000c" (24) eap_peap: NAS-Port-Type = Wireless-802.11 (24) eap_peap: NAS-Port = 4211 (24) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) eap_peap: Airespace-Wlan-Id = 97 (24) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) eap_peap: WLAN-Group-Cipher = 1027076 (24) eap_peap: WLAN-Pairwise-Cipher = 1027076 (24) eap_peap: WLAN-AKM-Suite = 1027075 (24) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078 (24) Virtual server proxy-inner-tunnel received request (24) EAP-Message = 0x020b00061a03 (24) FreeRADIUS-Proxied-To = 127.0.0.1 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) Service-Type = Framed-User (24) Cisco-AVPair = "service-type=Framed" (24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8" (24) Cisco-AVPair = "method=dot1x" (24) Cisco-AVPair = "client-iif-id=2818574557" (24) Cisco-AVPair = "vlan-id=1000" (24) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM" (24) Framed-MTU = 1485 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Id = "capwap_9000000c" (24) NAS-Port-Type = Wireless-802.11 (24) NAS-Port = 4211 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) Airespace-Wlan-Id = 97 (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) WLAN-Group-Cipher = 1027076 (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027075 (24) WLAN-Group-Mgmt-Cipher = 1027078 (24) server proxy-inner-tunnel { (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (24) authorize { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (24) if (!NAS-Port-Type){ (24) if (!NAS-Port-Type) -> FALSE (24) update control { (24) &Proxy-To-Realm := REALM-NPS-DEV (24) } # update control = noop (24) } # authorize = noop (24) } # server proxy-inner-tunnel (24) Virtual server sending reply (24) eap_peap: Got tunneled reply code 0 (24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (24) eap: WARNING: Tunneled session will be proxied. Not doing EAP (24) [eap] = handled (24) if (handled && (Response-Packet-Type == Access-Challenge)) { (24) EXPAND Response-Packet-Type (24) --> (24) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (24) } # Auth-Type eap = handled (24) Starting proxy to home server 9.9.9.9 port 1812 (24) server default { (24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (24) pre-proxy { (24) attr_filter.pre-proxy: EXPAND %{Realm} (24) attr_filter.pre-proxy: --> UNIBE.CH (24) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (24) [attr_filter.pre-proxy] = updated (24) } # pre-proxy = updated (24) } (24) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000 (24) Sent Access-Request Id 24 from 0.0.0.0:57225 to 9.9.9.9:1812 length 211 (24) Operator-Name := "1unibe.ch" (24) EAP-Message = 0x020b00061a03 (24) User-Name = jon.doe@unibe.ch (24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73 (24) NAS-IP-Address = 1.2.3.4 (24) NAS-Port-Type = Wireless-802.11 (24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam" (24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A" (24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam" (24) Message-Authenticator = 0x (24) Proxy-State = 0x313731 Thread 3 waiting to be assigned a request Waking up in 0.1 seconds. Thread 5 got semaphore Thread 5 handling request 24, (7 handled so far) (24) Clearing existing &reply: attributes (24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289 (24) Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) Proxy-State = 0x313731 (24) Class = 0x7374616666 (24) Filter-Id = "staff" (24) Framed-Protocol = PPP (24) Service-Type = Framed-User (24) Tunnel-Medium-Type:0 = IEEE-802 (24) Tunnel-Private-Group-Id:0 = "2000" (24) Tunnel-Type:0 = VLAN (24) EAP-Message = 0x030b0004 (24) Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) MS-CHAP-Domain = "\001CAMPUS" (24) MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) MS-CHAP2-Success = 0x01533d42374430413432353333434331463134413332324334454333354443333837434632353343383943 (24) server default { (24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (24) post-proxy { (24) attr_filter.post-proxy: EXPAND %{Realm} (24) attr_filter.post-proxy: --> UNIBE.CH (24) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (24) [attr_filter.post-proxy] = updated (24) eap: Doing post-proxy callback (24) eap: Passing reply from proxy back into the tunnel (24) eap: Got tunneled reply RADIUS code 2 (24) eap: Tunnel-Type := VLAN (24) eap: Tunnel-Medium-Type := IEEE-802 (24) eap: Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56 (24) eap: Proxy-State = 0x313731 (24) eap: Class = 0x7374616666 (24) eap: Filter-Id = "staff" (24) eap: Tunnel-Private-Group-Id:0 = "2000" (24) eap: EAP-Message = 0x030b0004 (24) eap: Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe (24) eap: MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f (24) eap: MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0 (24) eap: Tunneled authentication was successful (24) eap: SUCCESS (24) eap: Saving tunneled attributes for later (24) eap: Reply was handled (24) eap: Sending EAP Request (code 1) ID 12 length 46 (24) eap: EAP session adding &reply:State = 0x1a0c7e7710006752 (24) [eap] = ok (24) } # post-proxy = updated (24) } (24) Using Post-Auth-Type Challenge (24) Post-Auth-Type sub-section not found. Ignoring. (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104 (24) EAP-Message = 0x010c002e1900170303002369cd9549766a5c096f1e1c66977ad4a91fd857608710d39bf55e09ca568c703d98ec8f (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0x1a0c7e771000675279b57cf47df95d07 (24) Finished request
Hi Alan I think I was on track with getting it running based on your recommendation, but I think this „defect“ here is playing against our setup: https://github.com/FreeRADIUS/freeradius-server/issues/5288 https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105157... I know you wrote this back then:
For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down. But I am not able to completely change our setup in a short amount of time. Is there any other workaround for this specific problem?
(0) Received Access-Request Id 0 from 127.0.0.1:51983 to 127.0.0.1:1812 length 177 (0) User-Name = "anonymous@example.com" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Called-Station-Id = "11-22-33-44-55-66:eduroam" (0) EAP-Message = 0x02ca001701616e6f6e796d6f757340756e6962652e6368 (0) Message-Authenticator = 0x8b7b499dec603bb90409b32543918122 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 11-22-33-44-55-66 (0) &Called-Station-Id := 11-22-33-44-55-66 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> eduroam (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> eduroam (0) &Called-Station-SSID := eduroam (0) EXPAND %{Called-Station-Id}:%{8} (0) --> 11-22-33-44-55-66:eduroam (0) &Called-Station-Id := 11-22-33-44-55-66:eduroam (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 02-00-00-00-00-01 (0) &Calling-Station-Id := 02-00-00-00-00-01 (0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (0) --> 02:00:00:00:00:01 (0) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) if (Service-Type == Call-Check) { (0) if (Service-Type == Call-Check) -> FALSE (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (EAP-Message) { (0) if (EAP-Message) -> TRUE (0) if (EAP-Message) { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = updated (0) } # policy filter_username = updated (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (0) suffix: Found realm "EXAMPLE.COM" (0) suffix: Adding Realm = "EXAMPLE.COM" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) policy deny_no_realm { (0) if (User-Name && (User-Name !~ /@/)) { (0) if (User-Name && (User-Name !~ /@/)) -> FALSE (0) } # policy deny_no_realm = updated (0) update request { (0) EXPAND %{toupper:%{Realm}} (0) --> EXAMPLE.COM (0) Realm := EXAMPLE.COM (0) } # update request = noop (0) eap: Peer sent EAP Response (code 2) ID 202 length 23 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # if (EAP-Message) = ok (0) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (0) } # authorize = updated (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type eap { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Using default_eap_type = PEAP (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) PEAP -Initiating new session (0) eap: Sending EAP Request (code 1) ID 203 length 6 (0) eap: EAP session adding &reply:State = 0xd7951377d75e0ac5 (0) [eap] = handled (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) EXPAND Response-Packet-Type (0) --> Access-Challenge (0) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) attr_filter.access_challenge: EXPAND %{User-Name} (0) attr_filter.access_challenge: --> anonymous@example.com (0) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (0) [attr_filter.access_challenge.post-auth] = updated (0) [handled] = handled (0) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (0) } # Auth-Type eap = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) session-state: Saving cached attributes (0) Framed-MTU = 1014 (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:51983 length 64 (0) EAP-Message = 0x01cb00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xd7951377d75e0ac5141f11c810ce92e5 (0) Finished request Thread 5 waiting to be assigned a request Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 1 from 127.0.0.1:51983 to 127.0.0.1:1812 length 366 (1) User-Name = "anonymous@example.com" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) Called-Station-Id = "11-22-33-44-55-66:eduroam" (1) EAP-Message = 0x02cb00c21980000000b816030100b3010000af03033ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c0000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0xd7951377d75e0ac5141f11c810ce92e5 (1) Message-Authenticator = 0xe15c5d324b55396d678e2a0aed9622ea (1) Restoring &session-state Waking up in 0.3 seconds. (1) &session-state:Framed-MTU = 1014 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 11-22-33-44-55-66 (1) &Called-Station-Id := 11-22-33-44-55-66 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> eduroam (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> eduroam (1) &Called-Station-SSID := eduroam (1) EXPAND %{Called-Station-Id}:%{8} (1) --> 11-22-33-44-55-66:eduroam (1) &Called-Station-Id := 11-22-33-44-55-66:eduroam (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 02-00-00-00-00-01 (1) &Calling-Station-Id := 02-00-00-00-00-01 (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 02:00:00:00:00:01 (1) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if (Service-Type == Call-Check) { (1) if (Service-Type == Call-Check) -> FALSE (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (EAP-Message) { (1) if (EAP-Message) -> TRUE (1) if (EAP-Message) { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = updated (1) } # policy filter_username = updated (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (1) suffix: Found realm "EXAMPLE.COM" (1) suffix: Adding Realm = "EXAMPLE.COM" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) policy deny_no_realm { (1) if (User-Name && (User-Name !~ /@/)) { (1) if (User-Name && (User-Name !~ /@/)) -> FALSE (1) } # policy deny_no_realm = updated (1) update request { (1) EXPAND %{toupper:%{Realm}} (1) --> EXAMPLE.COM (1) Realm := EXAMPLE.COM (1) } # update request = noop (1) eap: Peer sent EAP Response (code 2) ID 203 length 194 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # if (EAP-Message) = ok (1) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Auth-Type eap { (1) eap: Removing EAP session with state 0xd7951377d75e0ac5 (1) eap: Previous EAP request found for state 0xd7951377d75e0ac5, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) EAP Peer says that the final record size will be 184 bytes (1) eap_peap: (TLS) EAP Got all data (184 bytes) (1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 204 length 1024 (1) eap: EAP session adding &reply:State = 0xd7951377d6590ac5 (1) [eap] = handled (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) attr_filter.access_challenge: EXPAND %{User-Name} (1) attr_filter.access_challenge: --> anonymous@example.com (1) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (1) [attr_filter.access_challenge.post-auth] = updated (1) [handled] = handled (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (1) } # Auth-Type eap = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) session-state: Saving cached attributes (1) Framed-MTU = 1014 (1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1090 (1) EAP-Message = 0x01cc040019c000001135160303003d02000039030385b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xd7951377d6590ac5141f11c810ce92e5 (1) Finished request Thread 2 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 2, (1 handled so far) (2) Received Access-Request Id 2 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178 (2) User-Name = "anonymous@example.com" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) Called-Station-Id = "11-22-33-44-55-66:eduroam" (2) EAP-Message = 0x02cc00061900 (2) State = 0xd7951377d6590ac5141f11c810ce92e5 (2) Message-Authenticator = 0x57bbf79e433bd872f0b103261a61153f (2) Restoring &session-state (2) &session-state:Framed-MTU = 1014 (2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 11-22-33-44-55-66 (2) &Called-Station-Id := 11-22-33-44-55-66 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> eduroam (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> eduroam (2) &Called-Station-SSID := eduroam (2) EXPAND %{Called-Station-Id}:%{8} (2) --> 11-22-33-44-55-66:eduroam (2) &Called-Station-Id := 11-22-33-44-55-66:eduroam (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 02-00-00-00-00-01 (2) &Calling-Station-Id := 02-00-00-00-00-01 (2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 02:00:00:00:00:01 (2) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (Service-Type == Call-Check) { (2) if (Service-Type == Call-Check) -> FALSE (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (EAP-Message) { (2) if (EAP-Message) -> TRUE (2) if (EAP-Message) { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = updated (2) } # policy filter_username = updated (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (2) suffix: Found realm "EXAMPLE.COM" (2) suffix: Adding Realm = "EXAMPLE.COM" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) policy deny_no_realm { (2) if (User-Name && (User-Name !~ /@/)) { (2) if (User-Name && (User-Name !~ /@/)) -> FALSE (2) } # policy deny_no_realm = updated (2) update request { (2) EXPAND %{toupper:%{Realm}} (2) --> EXAMPLE.COM (2) Realm := EXAMPLE.COM (2) } # update request = noop (2) eap: Peer sent EAP Response (code 2) ID 204 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # if (EAP-Message) = ok (2) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Auth-Type eap { (2) eap: Removing EAP session with state 0xd7951377d6590ac5 (2) eap: Previous EAP request found for state 0xd7951377d6590ac5, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 205 length 1020 (2) eap: EAP session adding &reply:State = 0xd7951377d5580ac5 (2) [eap] = handled (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) EXPAND Response-Packet-Type (2) --> Access-Challenge (2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) attr_filter.access_challenge: EXPAND %{User-Name} (2) attr_filter.access_challenge: --> anonymous@example.com (2) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (2) [attr_filter.access_challenge.post-auth] = updated (2) [handled] = handled (2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (2) } # Auth-Type eap = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) session-state: Saving cached attributes (2) Framed-MTU = 1014 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086 (2) EAP-Message = 0x01cd03fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xd7951377d5580ac5141f11c810ce92e5 (2) Finished request Thread 1 waiting to be assigned a request Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 3, (1 handled so far) (3) Received Access-Request Id 3 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178 (3) User-Name = "anonymous@example.com" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) Called-Station-Id = "11-22-33-44-55-66:eduroam" (3) EAP-Message = 0x02cd00061900 (3) State = 0xd7951377d5580ac5141f11c810ce92e5 (3) Message-Authenticator = 0xa8b9317b7fa52631e457c50926dbde4c (3) Restoring &session-state (3) &session-state:Framed-MTU = 1014 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 11-22-33-44-55-66 (3) &Called-Station-Id := 11-22-33-44-55-66 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> eduroam (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> eduroam (3) &Called-Station-SSID := eduroam (3) EXPAND %{Called-Station-Id}:%{8} (3) --> 11-22-33-44-55-66:eduroam (3) &Called-Station-Id := 11-22-33-44-55-66:eduroam (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 02-00-00-00-00-01 (3) &Calling-Station-Id := 02-00-00-00-00-01 (3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> 02:00:00:00:00:01 (3) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) if (Service-Type == Call-Check) { (3) if (Service-Type == Call-Check) -> FALSE (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (EAP-Message) { (3) if (EAP-Message) -> TRUE (3) if (EAP-Message) { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = updated (3) } # policy filter_username = updated (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (3) suffix: Found realm "EXAMPLE.COM" (3) suffix: Adding Realm = "EXAMPLE.COM" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) policy deny_no_realm { (3) if (User-Name && (User-Name !~ /@/)) { (3) if (User-Name && (User-Name !~ /@/)) -> FALSE (3) } # policy deny_no_realm = updated (3) update request { (3) EXPAND %{toupper:%{Realm}} (3) --> EXAMPLE.COM (3) Realm := EXAMPLE.COM (3) } # update request = noop (3) eap: Peer sent EAP Response (code 2) ID 205 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # if (EAP-Message) = ok (3) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Auth-Type eap { (3) eap: Removing EAP session with state 0xd7951377d5580ac5 (3) eap: Previous EAP request found for state 0xd7951377d5580ac5, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 206 length 1020 (3) eap: EAP session adding &reply:State = 0xd7951377d45b0ac5 (3) [eap] = handled (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) EXPAND Response-Packet-Type (3) --> Access-Challenge (3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) attr_filter.access_challenge: EXPAND %{User-Name} (3) attr_filter.access_challenge: --> anonymous@example.com (3) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (3) [attr_filter.access_challenge.post-auth] = updated (3) [handled] = handled (3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (3) } # Auth-Type eap = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) session-state: Saving cached attributes (3) Framed-MTU = 1014 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086 (3) EAP-Message = 0x01ce03fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xd7951377d45b0ac5141f11c810ce92e5 (3) Finished request Thread 3 waiting to be assigned a request Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 4, (1 handled so far) (4) Received Access-Request Id 4 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178 (4) User-Name = "anonymous@example.com" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) Called-Station-Id = "11-22-33-44-55-66:eduroam" (4) EAP-Message = 0x02ce00061900 (4) State = 0xd7951377d45b0ac5141f11c810ce92e5 (4) Message-Authenticator = 0x98a95941ef599d046953b555bbd0a67f (4) Restoring &session-state (4) &session-state:Framed-MTU = 1014 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 11-22-33-44-55-66 (4) &Called-Station-Id := 11-22-33-44-55-66 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> eduroam (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> eduroam (4) &Called-Station-SSID := eduroam (4) EXPAND %{Called-Station-Id}:%{8} (4) --> 11-22-33-44-55-66:eduroam (4) &Called-Station-Id := 11-22-33-44-55-66:eduroam (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) policy rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 02-00-00-00-00-01 (4) &Calling-Station-Id := 02-00-00-00-00-01 (4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> 02:00:00:00:00:01 (4) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_calling_station_id = updated (4) if (Service-Type == Call-Check) { (4) if (Service-Type == Call-Check) -> FALSE (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (EAP-Message) { (4) if (EAP-Message) -> TRUE (4) if (EAP-Message) { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = updated (4) } # policy filter_username = updated (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (4) suffix: Found realm "EXAMPLE.COM" (4) suffix: Adding Realm = "EXAMPLE.COM" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) policy deny_no_realm { (4) if (User-Name && (User-Name !~ /@/)) { (4) if (User-Name && (User-Name !~ /@/)) -> FALSE (4) } # policy deny_no_realm = updated (4) update request { (4) EXPAND %{toupper:%{Realm}} (4) --> EXAMPLE.COM (4) Realm := EXAMPLE.COM (4) } # update request = noop (4) eap: Peer sent EAP Response (code 2) ID 206 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # if (EAP-Message) = ok (4) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Auth-Type eap { (4) eap: Removing EAP session with state 0xd7951377d45b0ac5 (4) eap: Previous EAP request found for state 0xd7951377d45b0ac5, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 207 length 1020 (4) eap: EAP session adding &reply:State = 0xd7951377d35a0ac5 (4) [eap] = handled (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) EXPAND Response-Packet-Type (4) --> Access-Challenge (4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) attr_filter.access_challenge: EXPAND %{User-Name} (4) attr_filter.access_challenge: --> anonymous@example.com (4) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (4) [attr_filter.access_challenge.post-auth] = updated (4) [handled] = handled (4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (4) } # Auth-Type eap = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) session-state: Saving cached attributes (4) Framed-MTU = 1014 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086 (4) EAP-Message = 0x01cf03fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xd7951377d35a0ac5141f11c810ce92e5 (4) Finished request Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 5, (2 handled so far) (5) Received Access-Request Id 5 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178 (5) User-Name = "anonymous@example.com" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) Called-Station-Id = "11-22-33-44-55-66:eduroam" (5) EAP-Message = 0x02cf00061900 (5) State = 0xd7951377d35a0ac5141f11c810ce92e5 (5) Message-Authenticator = 0x3cae6ba42a44fc5129aa533e41977792 (5) Restoring &session-state (5) &session-state:Framed-MTU = 1014 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 11-22-33-44-55-66 (5) &Called-Station-Id := 11-22-33-44-55-66 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> eduroam (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> eduroam (5) &Called-Station-SSID := eduroam (5) EXPAND %{Called-Station-Id}:%{8} (5) --> 11-22-33-44-55-66:eduroam (5) &Called-Station-Id := 11-22-33-44-55-66:eduroam (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) policy rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 02-00-00-00-00-01 (5) &Calling-Station-Id := 02-00-00-00-00-01 (5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> 02:00:00:00:00:01 (5) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_calling_station_id = updated (5) if (Service-Type == Call-Check) { (5) if (Service-Type == Call-Check) -> FALSE (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (EAP-Message) { (5) if (EAP-Message) -> TRUE (5) if (EAP-Message) { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = updated (5) } # policy filter_username = updated (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (5) suffix: Found realm "EXAMPLE.COM" (5) suffix: Adding Realm = "EXAMPLE.COM" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) policy deny_no_realm { (5) if (User-Name && (User-Name !~ /@/)) { (5) if (User-Name && (User-Name !~ /@/)) -> FALSE (5) } # policy deny_no_realm = updated (5) update request { (5) EXPAND %{toupper:%{Realm}} (5) --> EXAMPLE.COM (5) Realm := EXAMPLE.COM (5) } # update request = noop (5) eap: Peer sent EAP Response (code 2) ID 207 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # if (EAP-Message) = ok (5) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Auth-Type eap { (5) eap: Removing EAP session with state 0xd7951377d35a0ac5 (5) eap: Previous EAP request found for state 0xd7951377d35a0ac5, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 208 length 355 (5) eap: EAP session adding &reply:State = 0xd7951377d2450ac5 (5) [eap] = handled (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) EXPAND Response-Packet-Type (5) --> Access-Challenge (5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) attr_filter.access_challenge: EXPAND %{User-Name} (5) attr_filter.access_challenge: --> anonymous@example.com (5) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (5) [attr_filter.access_challenge.post-auth] = updated (5) [handled] = handled (5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (5) } # Auth-Type eap = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) session-state: Saving cached attributes (5) Framed-MTU = 1014 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:51983 length 415 (5) EAP-Message = 0x01d00163190032b6160303014d0c00014903001741043eb618d64c9a4f2c11dca1d111e45afc17d21b94e275618c39b75c80cbc2a22b9a47d4927813add21c1c6995922f01ec5f6c6ea612dc4fb32d0442dc75b9564b08040100b6c75eb1a4de4c59ebe6e6096bde28d88d196f55f44e6fc8a07582e89d48ad8087664f9819704f9ae4922260a89d4430265cae49395ded285f2381e397d9ca98144dcb8058f6e694ab8595b9167625f77a2181f46060fa2759a2a6c7f22436f8b0902920d76cb5859b0b59ff432e20db773b0772b4488faf0031ef1c27deda852f159f3e717a9dd4f3fd67d2139f65e4f0e5c1bd0ef2d08dfb31748e29537356bc3defb6ed3dac1fda0b4f4f1c2df9562ff3b63bf0bbcdfc40ccb4cba7134e900010c6eedf02976f6e7ffd36531bce970234138754ab164645759df2363321d59374aff938e0bde8ce5cb88d5ba051497469585e3f1b1ed08ecab44d6998035b16030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xd7951377d2450ac5141f11c810ce92e5 (5) Finished request Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 6, (2 handled so far) (6) Received Access-Request Id 6 from 127.0.0.1:51983 to 127.0.0.1:1812 length 308 (6) User-Name = "anonymous@example.com" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) Called-Station-Id = "11-22-33-44-55-66:eduroam" (6) EAP-Message = 0x02d0008819800000007e16030300461000004241041c7d2bbdbac2ec0bc6c5ce30a2725fc857aa1a7b49d9a2044a3c8c7e7d0fc414634c946707b7c8134f6164204b8175c1d8c7f29b5957ad8ca59753ab49569e3a1403030001011603030028a0c35e659375723f9bd0423aa783b1e765497fb8e21f9d07b6b9653a6c7c860b1d6d9aa8d12a575f (6) State = 0xd7951377d2450ac5141f11c810ce92e5 (6) Message-Authenticator = 0x0450b73c031ded354ff2e255509e72e5 (6) Restoring &session-state (6) &session-state:Framed-MTU = 1014 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 11-22-33-44-55-66 (6) &Called-Station-Id := 11-22-33-44-55-66 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> eduroam (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> eduroam (6) &Called-Station-SSID := eduroam (6) EXPAND %{Called-Station-Id}:%{8} (6) --> 11-22-33-44-55-66:eduroam (6) &Called-Station-Id := 11-22-33-44-55-66:eduroam (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 02-00-00-00-00-01 (6) &Calling-Station-Id := 02-00-00-00-00-01 (6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> 02:00:00:00:00:01 (6) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) if (Service-Type == Call-Check) { (6) if (Service-Type == Call-Check) -> FALSE (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (EAP-Message) { (6) if (EAP-Message) -> TRUE (6) if (EAP-Message) { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = updated (6) } # policy filter_username = updated (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (6) suffix: Found realm "EXAMPLE.COM" (6) suffix: Adding Realm = "EXAMPLE.COM" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) policy deny_no_realm { (6) if (User-Name && (User-Name !~ /@/)) { (6) if (User-Name && (User-Name !~ /@/)) -> FALSE (6) } # policy deny_no_realm = updated (6) update request { (6) EXPAND %{toupper:%{Realm}} (6) --> EXAMPLE.COM (6) Realm := EXAMPLE.COM (6) } # update request = noop (6) eap: Peer sent EAP Response (code 2) ID 208 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # if (EAP-Message) = ok (6) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Auth-Type eap { (6) eap: Removing EAP session with state 0xd7951377d2450ac5 (6) eap: Previous EAP request found for state 0xd7951377d2450ac5, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) PEAP - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 209 length 57 (6) eap: EAP session adding &reply:State = 0xd7951377d1440ac5 (6) [eap] = handled (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) EXPAND Response-Packet-Type (6) --> Access-Challenge (6) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) attr_filter.access_challenge: EXPAND %{User-Name} (6) attr_filter.access_challenge: --> anonymous@example.com (6) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (6) [attr_filter.access_challenge.post-auth] = updated (6) [handled] = handled (6) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (6) } # Auth-Type eap = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) session-state: Saving cached attributes (6) Framed-MTU = 1014 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:51983 length 115 (6) EAP-Message = 0x01d1003919001403030001011603030028d08871868b3bffb640e6728735837752ba623d50f6893d4fc7b7af7d4efd7bcaf2ca8ac6bb7a0f43 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xd7951377d1440ac5141f11c810ce92e5 (6) Finished request Thread 2 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 7, (2 handled so far) (7) Received Access-Request Id 7 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178 (7) User-Name = "anonymous@example.com" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) Called-Station-Id = "11-22-33-44-55-66:eduroam" (7) EAP-Message = 0x02d100061900 (7) State = 0xd7951377d1440ac5141f11c810ce92e5 (7) Message-Authenticator = 0xb9a9d7c2cba7afd51165bed1a9850eae (7) Restoring &session-state (7) &session-state:Framed-MTU = 1014 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 11-22-33-44-55-66 (7) &Called-Station-Id := 11-22-33-44-55-66 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> eduroam (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> eduroam (7) &Called-Station-SSID := eduroam (7) EXPAND %{Called-Station-Id}:%{8} (7) --> 11-22-33-44-55-66:eduroam (7) &Called-Station-Id := 11-22-33-44-55-66:eduroam (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) policy rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 02-00-00-00-00-01 (7) &Calling-Station-Id := 02-00-00-00-00-01 (7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7) --> 02:00:00:00:00:01 (7) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_calling_station_id = updated (7) if (Service-Type == Call-Check) { (7) if (Service-Type == Call-Check) -> FALSE (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (EAP-Message) { (7) if (EAP-Message) -> TRUE (7) if (EAP-Message) { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = updated (7) } # policy filter_username = updated (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (7) suffix: Found realm "EXAMPLE.COM" (7) suffix: Adding Realm = "EXAMPLE.COM" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) policy deny_no_realm { (7) if (User-Name && (User-Name !~ /@/)) { (7) if (User-Name && (User-Name !~ /@/)) -> FALSE (7) } # policy deny_no_realm = updated (7) update request { (7) EXPAND %{toupper:%{Realm}} (7) --> EXAMPLE.COM (7) Realm := EXAMPLE.COM (7) } # update request = noop (7) eap: Peer sent EAP Response (code 2) ID 209 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # if (EAP-Message) = ok (7) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Auth-Type eap { (7) eap: Removing EAP session with state 0xd7951377d1440ac5 (7) eap: Previous EAP request found for state 0xd7951377d1440ac5, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 210 length 40 (7) eap: EAP session adding &reply:State = 0xd7951377d0470ac5 (7) [eap] = handled (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) EXPAND Response-Packet-Type (7) --> Access-Challenge (7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) attr_filter.access_challenge: EXPAND %{User-Name} (7) attr_filter.access_challenge: --> anonymous@example.com (7) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (7) [attr_filter.access_challenge.post-auth] = updated (7) [handled] = handled (7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (7) } # Auth-Type eap = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) session-state: Saving cached attributes (7) Framed-MTU = 1014 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:51983 length 98 (7) EAP-Message = 0x01d200281900170303001dd08871868b3bffb7bbc2bed6ce68327f71572c0a5cabefeb22d06f5ae2 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xd7951377d0470ac5141f11c810ce92e5 (7) Finished request Thread 1 waiting to be assigned a request Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 8, (2 handled so far) (8) Received Access-Request Id 8 from 127.0.0.1:51983 to 127.0.0.1:1812 length 231 (8) User-Name = "anonymous@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id = "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id = "11-22-33-44-55-66:eduroam" (8) EAP-Message = 0x02d2003b19001703030030a0c35e6593757240eeb6e8507a8fe95476b2d592a8e730d86f4ff08f5749d37c2bc16b7b1a20a93a7c5affaeb24aea9b (8) State = 0xd7951377d0470ac5141f11c810ce92e5 (8) Message-Authenticator = 0x039cdbc36148d08b6ec83e5e4217a9c9 (8) Restoring &session-state (8) &session-state:Framed-MTU = 1014 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 11-22-33-44-55-66 (8) &Called-Station-Id := 11-22-33-44-55-66 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> eduroam (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> eduroam (8) &Called-Station-SSID := eduroam (8) EXPAND %{Called-Station-Id}:%{8} (8) --> 11-22-33-44-55-66:eduroam (8) &Called-Station-Id := 11-22-33-44-55-66:eduroam (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) policy rewrite_calling_station_id { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 02-00-00-00-00-01 (8) &Calling-Station-Id := 02-00-00-00-00-01 (8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8) --> 02:00:00:00:00:01 (8) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (8) } # update request = noop (8) [updated] = updated (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_calling_station_id = updated (8) if (Service-Type == Call-Check) { (8) if (Service-Type == Call-Check) -> FALSE (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (EAP-Message) { (8) if (EAP-Message) -> TRUE (8) if (EAP-Message) { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = updated (8) } # policy filter_username = updated (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (8) suffix: Found realm "EXAMPLE.COM" (8) suffix: Adding Realm = "EXAMPLE.COM" (8) suffix: Authentication realm is LOCAL (8) [suffix] = ok (8) policy deny_no_realm { (8) if (User-Name && (User-Name !~ /@/)) { (8) if (User-Name && (User-Name !~ /@/)) -> FALSE (8) } # policy deny_no_realm = updated (8) update request { (8) EXPAND %{toupper:%{Realm}} (8) --> EXAMPLE.COM (8) Realm := EXAMPLE.COM (8) } # update request = noop (8) eap: Peer sent EAP Response (code 2) ID 210 length 59 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # if (EAP-Message) = ok (8) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Auth-Type eap { (8) eap: Removing EAP session with state 0xd7951377d0470ac5 (8) eap: Previous EAP request found for state 0xd7951377d0470ac5, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - testuser@example.com (8) eap_peap: Got inner identity 'testuser@example.com' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: Setting User-Name to testuser@example.com (8) eap_peap: Sending tunneled request to proxy-inner-tunnel (8) eap_peap: EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "testuser@example.com" (8) eap_peap: NAS-IP-Address = 127.0.0.1 (8) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (8) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Virtual server proxy-inner-tunnel received request (8) EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "testuser@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) server proxy-inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (8) authorize { (8) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (8) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (8) if (!NAS-Port-Type){ (8) if (!NAS-Port-Type) -> FALSE (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) update { (8) &outer.session-state:locInner-User-Name := "overwritten@example.com" (8) } # update = noop (8) } # if (&User-Name) = noop (8) update control { (8) &Proxy-To-Realm := REALM-NPS-DEV (8) } # update control = noop (8) } # authorize = noop (8) } # server proxy-inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (8) eap: WARNING: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) if (handled && (Response-Packet-Type == Access-Challenge)) { (8) EXPAND Response-Packet-Type (8) --> (8) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (8) } # Auth-Type eap = handled (8) Starting proxy to home server 1.2.3.4 port 1812 (8) server default { (8) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (8) pre-proxy { (8) attr_filter.pre-proxy: EXPAND %{Realm} (8) attr_filter.pre-proxy: --> EXAMPLE.COM (8) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (8) [attr_filter.pre-proxy] = updated (8) } # pre-proxy = updated (8) } (8) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000 (8) Sent Access-Request Id 8 from 0.0.0.0:41928 to 1.2.3.4:1812 length 165 (8) Operator-Name := "1example.com" (8) EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368 (8) User-Name = "testuser@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) NAS-Port-Type = Wireless-802.11 (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Message-Authenticator = 0x (8) Proxy-State = 0x38 Thread 3 waiting to be assigned a request (8) Marking home server 1.2.3.4 port 1812 alive Waking up in 0.2 seconds. Thread 4 got semaphore Thread 4 handling request 8, (2 handled so far) (8) Clearing existing &reply: attributes (8) Received Access-Challenge Id 8 from 1.2.3.4:1812 to 130.92.10.33:41928 length 126 (8) Message-Authenticator = 0x4a97c2d8c5105a0a1b32d305769d6e44 (8) Proxy-State = 0x38 (8) Session-Timeout = 60 (8) EAP-Message = 0x01d300271a01d300221080a64f5e68bbed2e8c546c3d33d9ebf44141492d4e50532d4544555632 (8) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (8) server default { (8) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (8) post-proxy { (8) if (&session-state:locInner-User-Name) { (8) if (&session-state:locInner-User-Name) -> TRUE (8) if (&session-state:locInner-User-Name) { (8) update reply { (8) EXPAND %{session-state:locInner-User-Name} (8) --> overwritten@example.com (8) User-Name := overwritten@example.com (8) } # update reply = noop (8) } # if (&session-state:locInner-User-Name) = noop (8) attr_filter.post-proxy: EXPAND %{Realm} (8) attr_filter.post-proxy: --> EXAMPLE.COM (8) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (8) [attr_filter.post-proxy] = updated (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel (8) eap: Got tunneled reply RADIUS code 11 (8) eap: Tunnel-Type := VLAN (8) eap: Tunnel-Medium-Type := IEEE-802 (8) eap: Message-Authenticator = 0x4a97c2d8c5105a0a1b32d305769d6e44 (8) eap: Proxy-State = 0x38 (8) eap: EAP-Message = 0x01d300271a01d300221080a64f5e68bbed2e8c546c3d33d9ebf44141492d4e50532d4544555632 (8) eap: State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (8) eap: Got tunneled Access-Challenge (8) eap: Reply was handled (8) eap: Sending EAP Request (code 1) ID 211 length 70 (8) eap: EAP session adding &reply:State = 0xd7951377df460ac5 (8) [eap] = ok (8) } # post-proxy = updated (8) } (8) session-state: Saving cached attributes (8) Framed-MTU = 1014 (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) locInner-User-Name := "overwritten@example.com" (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:51983 length 150 (8) User-Name := "overwritten@example.com" (8) EAP-Message = 0x01d300461900170303003bd08871868b3bffb8898d17a0f67bee71192351814e45d330c2d4fdf93134401cabff44a6f3c2d4f97562ef73dc0609e7b1c4ff74a2b44e4a2863cf (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xd7951377df460ac5141f11c810ce92e5 (8) Finished request Thread 4 waiting to be assigned a request Waking up in 0.2 seconds. Thread 5 got semaphore Thread 5 handling request 9, (3 handled so far) (9) Received Access-Request Id 9 from 127.0.0.1:51983 to 127.0.0.1:1812 length 285 (9) User-Name = "anonymous@example.com" (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id = "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id = "11-22-33-44-55-66:eduroam" (9) EAP-Message = 0x02d3007119001703030066a0c35e6593757241d3554722e6c7f69584c67010f08f501367355e0643178f963092b1d1aadacac4dc657416eb2eff4d4c5f95bbf77f57c2e555ba8aaf81312d5d520f70391c810abb19a35894fbc828587c6dab71a5da723ce0c4c29b10341296d6ceca2ab0 (9) State = 0xd7951377df460ac5141f11c810ce92e5 (9) Message-Authenticator = 0x56297f0c514ed4ed1376686dfebebf59 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy rewrite_called_station_id { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 11-22-33-44-55-66 (9) &Called-Station-Id := 11-22-33-44-55-66 (9) } # update request = noop (9) if ("%{8}") { (9) EXPAND %{8} (9) --> eduroam (9) if ("%{8}") -> TRUE (9) if ("%{8}") { (9) update request { (9) EXPAND %{8} (9) --> eduroam (9) &Called-Station-SSID := eduroam (9) EXPAND %{Called-Station-Id}:%{8} (9) --> 11-22-33-44-55-66:eduroam (9) &Called-Station-Id := 11-22-33-44-55-66:eduroam (9) } # update request = noop (9) } # if ("%{8}") = noop (9) [updated] = updated (9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_called_station_id = updated (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 02-00-00-00-00-01 (9) &Calling-Station-Id := 02-00-00-00-00-01 (9) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9) --> 02:00:00:00:00:01 (9) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) if (Service-Type == Call-Check) { (9) if (Service-Type == Call-Check) -> FALSE (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (EAP-Message) { (9) if (EAP-Message) -> TRUE (9) if (EAP-Message) { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = updated (9) } # policy filter_username = updated (9) suffix: Checking for suffix after "@" (9) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (9) suffix: Found realm "EXAMPLE.COM" (9) suffix: Adding Realm = "EXAMPLE.COM" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) policy deny_no_realm { (9) if (User-Name && (User-Name !~ /@/)) { (9) if (User-Name && (User-Name !~ /@/)) -> FALSE (9) } # policy deny_no_realm = updated (9) update request { (9) EXPAND %{toupper:%{Realm}} (9) --> EXAMPLE.COM (9) Realm := EXAMPLE.COM (9) } # update request = noop (9) eap: Peer sent EAP Response (code 2) ID 211 length 113 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # if (EAP-Message) = ok (9) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Auth-Type eap { (9) eap: Removing EAP session with state 0xd7951377df460ac5 (9) eap: Previous EAP request found for state 0xd7951377df460ac5, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: Setting User-Name to testuser@example.com (9) eap_peap: Sending tunneled request to proxy-inner-tunnel (9) eap_peap: EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "testuser@example.com" (9) eap_peap: State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (9) eap_peap: NAS-IP-Address = 127.0.0.1 (9) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (9) eap_peap: Framed-MTU = 1400 (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (9) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Virtual server proxy-inner-tunnel received request (9) EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "testuser@example.com" (9) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) server proxy-inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (9) authorize { (9) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (9) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (9) if (!NAS-Port-Type){ (9) if (!NAS-Port-Type) -> FALSE (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) update { (9) &outer.session-state:locInner-User-Name := "overwritten@example.com" (9) } # update = noop (9) } # if (&User-Name) = noop (9) update control { (9) &Proxy-To-Realm := REALM-NPS-DEV (9) } # update control = noop (9) } # authorize = noop (9) } # server proxy-inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (9) eap: WARNING: Tunneled session will be proxied. Not doing EAP (9) [eap] = handled (9) if (handled && (Response-Packet-Type == Access-Challenge)) { (9) EXPAND Response-Packet-Type (9) --> (9) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (9) } # Auth-Type eap = handled (9) Starting proxy to home server 1.2.3.4 port 1812 (9) server default { (9) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (9) pre-proxy { (9) attr_filter.pre-proxy: EXPAND %{Realm} (9) attr_filter.pre-proxy: --> EXAMPLE.COM (9) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (9) [attr_filter.pre-proxy] = updated (9) } # pre-proxy = updated (9) } (9) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000 (9) Sent Access-Request Id 9 from 0.0.0.0:41928 to 1.2.3.4:1812 length 257 (9) Operator-Name := "1example.com" (9) EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368 (9) User-Name = "testuser@example.com" (9) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) NAS-Port-Type = Wireless-802.11 (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Message-Authenticator = 0x (9) Proxy-State = 0x39 Thread 5 waiting to be assigned a request Waking up in 0.2 seconds. Thread 2 got semaphore Thread 2 handling request 9, (3 handled so far) (9) Clearing existing &reply: attributes (9) Received Access-Challenge Id 9 from 1.2.3.4:1812 to 130.92.10.33:41928 length 138 (9) Message-Authenticator = 0x1028f60eb9d66a0b41cbdf79d64a7521 (9) Proxy-State = 0x39 (9) Session-Timeout = 60 (9) EAP-Message = 0x01d400331a03d3002e533d41344544444533414142453541433645354245453243393935333033464146363942463138383244 (9) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (9) server default { (9) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (9) post-proxy { (9) if (&session-state:locInner-User-Name) { (9) if (&session-state:locInner-User-Name) -> TRUE (9) if (&session-state:locInner-User-Name) { (9) update reply { (9) EXPAND %{session-state:locInner-User-Name} (9) --> overwritten@example.com (9) User-Name := overwritten@example.com (9) } # update reply = noop (9) } # if (&session-state:locInner-User-Name) = noop (9) attr_filter.post-proxy: EXPAND %{Realm} (9) attr_filter.post-proxy: --> EXAMPLE.COM (9) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (9) [attr_filter.post-proxy] = updated (9) eap: Doing post-proxy callback (9) eap: Passing reply from proxy back into the tunnel (9) eap: Got tunneled reply RADIUS code 11 (9) eap: Tunnel-Type := VLAN (9) eap: Tunnel-Medium-Type := IEEE-802 (9) eap: Message-Authenticator = 0x1028f60eb9d66a0b41cbdf79d64a7521 (9) eap: Proxy-State = 0x39 (9) eap: EAP-Message = 0x01d400331a03d3002e533d41344544444533414142453541433645354245453243393935333033464146363942463138383244 (9) eap: State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (9) eap: Got tunneled Access-Challenge (9) eap: Reply was handled (9) eap: Sending EAP Request (code 1) ID 212 length 82 (9) eap: EAP session adding &reply:State = 0xd7951377de410ac5 (9) [eap] = ok (9) } # post-proxy = updated (9) } (9) session-state: Saving cached attributes (9) locInner-User-Name := "overwritten@example.com" (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:51983 length 162 (9) User-Name := "overwritten@example.com" (9) EAP-Message = 0x01d4005219001703030047d08871868b3bffb936ed24a5eaa21c60c25f876fffb9062133a55a5be1ec394155ee3eba9e85fd2aab9843b2ba06657093c2fd4e9300a294a3904150691cd79e497180ed7df574 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xd7951377de410ac5141f11c810ce92e5 (9) Finished request Thread 2 waiting to be assigned a request Waking up in 0.2 seconds. Thread 1 got semaphore Thread 1 handling request 10, (3 handled so far) (10) Received Access-Request Id 10 from 127.0.0.1:51983 to 127.0.0.1:1812 length 209 (10) User-Name = "anonymous@example.com" (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id = "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id = "11-22-33-44-55-66:eduroam" (10) EAP-Message = 0x02d400251900170303001aa0c35e65937572427f15529a5d3471616022201d08ed5df09dea (10) State = 0xd7951377de410ac5141f11c810ce92e5 (10) Message-Authenticator = 0x0ceccd37f46dbf5e5c3b841abb622626 (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) policy rewrite_called_station_id { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 11-22-33-44-55-66 (10) &Called-Station-Id := 11-22-33-44-55-66 (10) } # update request = noop (10) if ("%{8}") { (10) EXPAND %{8} (10) --> eduroam (10) if ("%{8}") -> TRUE (10) if ("%{8}") { (10) update request { (10) EXPAND %{8} (10) --> eduroam (10) &Called-Station-SSID := eduroam (10) EXPAND %{Called-Station-Id}:%{8} (10) --> 11-22-33-44-55-66:eduroam (10) &Called-Station-Id := 11-22-33-44-55-66:eduroam (10) } # update request = noop (10) } # if ("%{8}") = noop (10) [updated] = updated (10) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_called_station_id = updated (10) policy rewrite_calling_station_id { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 02-00-00-00-00-01 (10) &Calling-Station-Id := 02-00-00-00-00-01 (10) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10) --> 02:00:00:00:00:01 (10) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (10) } # update request = noop (10) [updated] = updated (10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_calling_station_id = updated (10) if (Service-Type == Call-Check) { (10) if (Service-Type == Call-Check) -> FALSE (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (EAP-Message) { (10) if (EAP-Message) -> TRUE (10) if (EAP-Message) { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = updated (10) } # policy filter_username = updated (10) suffix: Checking for suffix after "@" (10) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (10) suffix: Found realm "EXAMPLE.COM" (10) suffix: Adding Realm = "EXAMPLE.COM" (10) suffix: Authentication realm is LOCAL (10) [suffix] = ok (10) policy deny_no_realm { (10) if (User-Name && (User-Name !~ /@/)) { (10) if (User-Name && (User-Name !~ /@/)) -> FALSE (10) } # policy deny_no_realm = updated (10) update request { (10) EXPAND %{toupper:%{Realm}} (10) --> EXAMPLE.COM (10) Realm := EXAMPLE.COM (10) } # update request = noop (10) eap: Peer sent EAP Response (code 2) ID 212 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # if (EAP-Message) = ok (10) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Auth-Type eap { (10) eap: Removing EAP session with state 0xd7951377de410ac5 (10) eap: Previous EAP request found for state 0xd7951377de410ac5, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x02d400061a03 (10) eap_peap: Setting User-Name to testuser@example.com (10) eap_peap: Sending tunneled request to proxy-inner-tunnel (10) eap_peap: EAP-Message = 0x02d400061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "testuser@example.com" (10) eap_peap: State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (10) eap_peap: NAS-IP-Address = 127.0.0.1 (10) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (10) eap_peap: Framed-MTU = 1400 (10) eap_peap: NAS-Port-Type = Wireless-802.11 (10) eap_peap: Service-Type = Framed-User (10) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (10) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Virtual server proxy-inner-tunnel received request (10) EAP-Message = 0x02d400061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "testuser@example.com" (10) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) server proxy-inner-tunnel { (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (10) authorize { (10) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (10) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (10) if (!NAS-Port-Type){ (10) if (!NAS-Port-Type) -> FALSE (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) update { (10) &outer.session-state:locInner-User-Name := "overwritten@example.com" (10) } # update = noop (10) } # if (&User-Name) = noop (10) update control { (10) &Proxy-To-Realm := REALM-NPS-DEV (10) } # update control = noop (10) } # authorize = noop (10) } # server proxy-inner-tunnel (10) Virtual server sending reply (10) eap_peap: Got tunneled reply code 0 (10) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (10) eap: WARNING: Tunneled session will be proxied. Not doing EAP (10) [eap] = handled (10) if (handled && (Response-Packet-Type == Access-Challenge)) { (10) EXPAND Response-Packet-Type (10) --> (10) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (10) } # Auth-Type eap = handled (10) Starting proxy to home server 1.2.3.4 port 1812 (10) server default { (10) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (10) pre-proxy { (10) attr_filter.pre-proxy: EXPAND %{Realm} (10) attr_filter.pre-proxy: --> EXAMPLE.COM (10) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (10) [attr_filter.pre-proxy] = updated (10) } # pre-proxy = updated (10) } (10) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000 (10) Sent Access-Request Id 10 from 0.0.0.0:41928 to 1.2.3.4:1812 length 182 (10) Operator-Name := "1example.com" (10) EAP-Message = 0x02d400061a03 (10) User-Name = "testuser@example.com" (10) State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) NAS-Port-Type = Wireless-802.11 (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Message-Authenticator = 0x (10) Proxy-State = 0x3130 Thread 1 waiting to be assigned a request Thread 3 got semaphore Thread 3 handling request 10, (3 handled so far) (10) Clearing existing &reply: attributes Waking up in 0.2 seconds. (10) Received Access-Accept Id 10 from 1.2.3.4:1812 to 130.92.10.33:41928 length 288 (10) Message-Authenticator = 0x795ada91d9ec4181b5702670e0bcdc09 (10) Proxy-State = 0x3130 (10) Class = 0x7374616666 (10) Filter-Id = "staff" (10) Framed-Protocol = PPP (10) Service-Type = Framed-User (10) Tunnel-Medium-Type:0 = IEEE-802 (10) Tunnel-Private-Group-Id:0 = "1874" (10) Tunnel-Type:0 = VLAN (10) EAP-Message = 0x03d40004 (10) Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (10) MS-CHAP-Domain = "\001CAMPUS" (10) MS-MPPE-Send-Key = 0xc654f28aee914809685418249aba76f7 (10) MS-MPPE-Recv-Key = 0x68315c4f74c4f699d0750567dd9f24b4 (10) MS-CHAP2-Success = 0x01533d41344544444533414142453541433645354245453243393935333033464146363942463138383244 (10) server default { (10) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (10) post-proxy { (10) if (&session-state:locInner-User-Name) { (10) if (&session-state:locInner-User-Name) -> TRUE (10) if (&session-state:locInner-User-Name) { (10) update reply { (10) EXPAND %{session-state:locInner-User-Name} (10) --> overwritten@example.com (10) User-Name := overwritten@example.com (10) } # update reply = noop (10) } # if (&session-state:locInner-User-Name) = noop (10) attr_filter.post-proxy: EXPAND %{Realm} (10) attr_filter.post-proxy: --> EXAMPLE.COM (10) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (10) [attr_filter.post-proxy] = updated (10) eap: Doing post-proxy callback (10) eap: Passing reply from proxy back into the tunnel (10) eap: Got tunneled reply RADIUS code 2 (10) eap: Tunnel-Type := VLAN (10) eap: Tunnel-Medium-Type := IEEE-802 (10) eap: Message-Authenticator = 0x795ada91d9ec4181b5702670e0bcdc09 (10) eap: Proxy-State = 0x3130 (10) eap: Class = 0x7374616666 (10) eap: Filter-Id = "staff" (10) eap: Tunnel-Private-Group-Id:0 = "1874" (10) eap: EAP-Message = 0x03d40004 (10) eap: Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (10) eap: MS-MPPE-Send-Key = 0xc654f28aee914809685418249aba76f7 (10) eap: MS-MPPE-Recv-Key = 0x68315c4f74c4f699d0750567dd9f24b4 (10) eap: Tunneled authentication was successful (10) eap: SUCCESS (10) eap: Saving tunneled attributes for later (10) eap: Reply was handled (10) eap: Sending EAP Request (code 1) ID 213 length 46 (10) eap: EAP session adding &reply:State = 0xd7951377dd400ac5 (10) [eap] = ok (10) } # post-proxy = updated (10) } (10) session-state: Saving cached attributes (10) locInner-User-Name := "overwritten@example.com" (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Sent Access-Challenge Id 10 from 127.0.0.1:1812 to 127.0.0.1:51983 length 126 (10) User-Name := "overwritten@example.com" (10) EAP-Message = 0x01d5002e19001703030023d08871868b3bffba3aeb9f54843f450a8efea94c3d8831971b58e905a7825e996795d8 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xd7951377dd400ac5141f11c810ce92e5 (10) Finished request Thread 3 waiting to be assigned a request Thread 4 got semaphore Thread 4 handling request 11, (3 handled so far) (11) Received Access-Request Id 11 from 127.0.0.1:51983 to 127.0.0.1:1812 length 218 (11) User-Name = "anonymous@example.com" (11) NAS-IP-Address = 127.0.0.1 (11) Calling-Station-Id = "02-00-00-00-00-01" Waking up in 0.2 seconds. (11) Framed-MTU = 1400 (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Connect-Info = "CONNECT 11Mbps 802.11b" (11) Called-Station-Id = "11-22-33-44-55-66:eduroam" (11) EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6 (11) State = 0xd7951377dd400ac5141f11c810ce92e5 (11) Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default (11) authorize { (11) policy rewrite_called_station_id { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 11-22-33-44-55-66 (11) &Called-Station-Id := 11-22-33-44-55-66 (11) } # update request = noop (11) if ("%{8}") { (11) EXPAND %{8} (11) --> eduroam (11) if ("%{8}") -> TRUE (11) if ("%{8}") { (11) update request { (11) EXPAND %{8} (11) --> eduroam (11) &Called-Station-SSID := eduroam (11) EXPAND %{Called-Station-Id}:%{8} (11) --> 11-22-33-44-55-66:eduroam (11) &Called-Station-Id := 11-22-33-44-55-66:eduroam (11) } # update request = noop (11) } # if ("%{8}") = noop (11) [updated] = updated (11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_called_station_id = updated (11) policy rewrite_calling_station_id { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 02-00-00-00-00-01 (11) &Calling-Station-Id := 02-00-00-00-00-01 (11) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11) --> 02:00:00:00:00:01 (11) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) } # update request = noop (11) [updated] = updated (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_calling_station_id = updated (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (EAP-Message) { (11) if (EAP-Message) -> TRUE (11) if (EAP-Message) { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = updated (11) } # policy filter_username = updated (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (11) suffix: Found realm "EXAMPLE.COM" (11) suffix: Adding Realm = "EXAMPLE.COM" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) policy deny_no_realm { (11) if (User-Name && (User-Name !~ /@/)) { (11) if (User-Name && (User-Name !~ /@/)) -> FALSE (11) } # policy deny_no_realm = updated (11) update request { (11) EXPAND %{toupper:%{Realm}} (11) --> EXAMPLE.COM (11) Realm := EXAMPLE.COM (11) } # update request = noop (11) eap: Peer sent EAP Response (code 2) ID 213 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # if (EAP-Message) = ok (11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) Auth-Type eap { (11) eap: Removing EAP session with state 0xd7951377dd400ac5 (11) eap: Previous EAP request found for state 0xd7951377dd400ac5, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) EAP Done initial handshake (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap_peap: Using saved attributes from the original Access-Accept (11) eap_peap: Tunnel-Type := VLAN (11) eap_peap: Tunnel-Medium-Type := IEEE-802 (11) eap_peap: Class = 0x7374616666 (11) eap_peap: Filter-Id = "staff" (11) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (11) eap_peap: Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (11) eap: Sending EAP Success (code 3) ID 213 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (11) } # Auth-Type eap = ok (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (11) post-auth { (11) policy debug_all { (11) policy debug_control { (11) if ("%{debug_attr:control:}" == '') { (11) Attributes matching "control:" (11) &control:Auth-Type = eap (11) EXPAND %{debug_attr:control:} (11) --> (11) if ("%{debug_attr:control:}" == '') -> TRUE (11) if ("%{debug_attr:control:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:control:}" == '') = noop (11) } # policy debug_control = noop (11) policy debug_request { (11) if ("%{debug_attr:request:}" == '') { (11) Attributes matching "request:" (11) &request:User-Name = anonymous@example.com (11) &request:NAS-IP-Address = 127.0.0.1 (11) &request:Calling-Station-Id := 02-00-00-00-00-01 (11) &request:Framed-MTU = 1400 (11) &request:NAS-Port-Type = Wireless-802.11 (11) &request:Service-Type = Framed-User (11) &request:Connect-Info = CONNECT 11Mbps 802.11b (11) &request:Called-Station-Id := 11-22-33-44-55-66:eduroam (11) &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6 (11) &request:State = 0xd7951377dd400ac5141f11c810ce92e5 (11) &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc (11) &request:Called-Station-SSID := eduroam (11) &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) &request:Realm := EXAMPLE.COM (11) &request:EAP-Type = PEAP (11) EXPAND %{debug_attr:request:} (11) --> (11) if ("%{debug_attr:request:}" == '') -> TRUE (11) if ("%{debug_attr:request:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:request:}" == '') = noop (11) } # policy debug_request = noop (11) policy debug_coa { (11) if ("%{debug_attr:coa:}" == '') { (11) Attributes matching "coa:" (11) WARNING: List "coa" is not available (11) EXPAND %{debug_attr:coa:} (11) --> (11) if ("%{debug_attr:coa:}" == '') -> TRUE (11) if ("%{debug_attr:coa:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:coa:}" == '') = noop (11) } # policy debug_coa = noop (11) policy debug_reply { (11) if ("%{debug_attr:reply:}" == '') { (11) Attributes matching "reply:" (11) &reply:Tunnel-Type:-128 := VLAN (11) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (11) &reply:Class = 0x7374616666 (11) &reply:Filter-Id = staff (11) &reply:Tunnel-Private-Group-Id:0 = 1874 (11) &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (11) &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a (11) &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280 (11) &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401 (11) &reply:EAP-Message = 0x03d50004 (11) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (11) &reply:User-Name = anonymous@example.com (11) EXPAND %{debug_attr:reply:} (11) --> (11) if ("%{debug_attr:reply:}" == '') -> TRUE (11) if ("%{debug_attr:reply:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:reply:}" == '') = noop (11) } # policy debug_reply = noop (11) policy debug_session_state { (11) if ("%{debug_attr:session-state:}" == '') { (11) Attributes matching "session-state:" (11) EXPAND %{debug_attr:session-state:} (11) --> (11) if ("%{debug_attr:session-state:}" == '') -> TRUE (11) if ("%{debug_attr:session-state:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:session-state:}" == '') = noop (11) } # policy debug_session_state = noop (11) } # policy debug_all = noop (11) if (&session-state:locInner-User-Name) { (11) if (&session-state:locInner-User-Name) -> FALSE (11) update { (11) No attributes updated for RHS &session-state (11) } # update = noop (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) else { (11) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{session-state:locInner-User-Name}:-NULL}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (11) 802.1x_auth_log: --> Fri Nov 7 13:54:34 2025 : AuthZ: (11) Access-Accept: [NULL] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client localhost port 0 operator-name Unknown) (11) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (11) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (11) [802.1x_auth_log] = ok (11) } # else = ok (11) policy debug_all { (11) policy debug_control { (11) if ("%{debug_attr:control:}" == '') { (11) Attributes matching "control:" (11) &control:Auth-Type = eap (11) EXPAND %{debug_attr:control:} (11) --> (11) if ("%{debug_attr:control:}" == '') -> TRUE (11) if ("%{debug_attr:control:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:control:}" == '') = noop (11) } # policy debug_control = noop (11) policy debug_request { (11) if ("%{debug_attr:request:}" == '') { (11) Attributes matching "request:" (11) &request:User-Name = anonymous@example.com (11) &request:NAS-IP-Address = 127.0.0.1 (11) &request:Calling-Station-Id := 02-00-00-00-00-01 (11) &request:Framed-MTU = 1400 (11) &request:NAS-Port-Type = Wireless-802.11 (11) &request:Service-Type = Framed-User (11) &request:Connect-Info = CONNECT 11Mbps 802.11b (11) &request:Called-Station-Id := 11-22-33-44-55-66:eduroam (11) &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6 (11) &request:State = 0xd7951377dd400ac5141f11c810ce92e5 (11) &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc (11) &request:Called-Station-SSID := eduroam (11) &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) &request:Realm := EXAMPLE.COM (11) &request:EAP-Type = PEAP (11) EXPAND %{debug_attr:request:} (11) --> (11) if ("%{debug_attr:request:}" == '') -> TRUE (11) if ("%{debug_attr:request:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:request:}" == '') = noop (11) } # policy debug_request = noop (11) policy debug_coa { (11) if ("%{debug_attr:coa:}" == '') { (11) Attributes matching "coa:" (11) WARNING: List "coa" is not available (11) EXPAND %{debug_attr:coa:} (11) --> (11) if ("%{debug_attr:coa:}" == '') -> TRUE (11) if ("%{debug_attr:coa:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:coa:}" == '') = noop (11) } # policy debug_coa = noop (11) policy debug_reply { (11) if ("%{debug_attr:reply:}" == '') { (11) Attributes matching "reply:" (11) &reply:Tunnel-Type:-128 := VLAN (11) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (11) &reply:Class = 0x7374616666 (11) &reply:Filter-Id = staff (11) &reply:Tunnel-Private-Group-Id:0 = 1874 (11) &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (11) &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a (11) &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280 (11) &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401 (11) &reply:EAP-Message = 0x03d50004 (11) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (11) &reply:User-Name = anonymous@example.com (11) EXPAND %{debug_attr:reply:} (11) --> (11) if ("%{debug_attr:reply:}" == '') -> TRUE (11) if ("%{debug_attr:reply:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:reply:}" == '') = noop (11) } # policy debug_reply = noop (11) policy debug_session_state { (11) if ("%{debug_attr:session-state:}" == '') { (11) Attributes matching "session-state:" (11) EXPAND %{debug_attr:session-state:} (11) --> (11) if ("%{debug_attr:session-state:}" == '') -> TRUE (11) if ("%{debug_attr:session-state:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:session-state:}" == '') = noop (11) } # policy debug_session_state = noop (11) } # policy debug_all = noop (11) if (&session-state:locInner-User-Name) { (11) if (&session-state:locInner-User-Name) -> FALSE (11) policy debug_all { (11) policy debug_control { (11) if ("%{debug_attr:control:}" == '') { (11) Attributes matching "control:" (11) &control:Auth-Type = eap (11) EXPAND %{debug_attr:control:} (11) --> (11) if ("%{debug_attr:control:}" == '') -> TRUE (11) if ("%{debug_attr:control:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:control:}" == '') = noop (11) } # policy debug_control = noop (11) policy debug_request { (11) if ("%{debug_attr:request:}" == '') { (11) Attributes matching "request:" (11) &request:User-Name = anonymous@example.com (11) &request:NAS-IP-Address = 127.0.0.1 (11) &request:Calling-Station-Id := 02-00-00-00-00-01 (11) &request:Framed-MTU = 1400 (11) &request:NAS-Port-Type = Wireless-802.11 (11) &request:Service-Type = Framed-User (11) &request:Connect-Info = CONNECT 11Mbps 802.11b (11) &request:Called-Station-Id := 11-22-33-44-55-66:eduroam (11) &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6 (11) &request:State = 0xd7951377dd400ac5141f11c810ce92e5 (11) &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc (11) &request:Called-Station-SSID := eduroam (11) &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) &request:Realm := EXAMPLE.COM (11) &request:EAP-Type = PEAP (11) EXPAND %{debug_attr:request:} (11) --> (11) if ("%{debug_attr:request:}" == '') -> TRUE (11) if ("%{debug_attr:request:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:request:}" == '') = noop (11) } # policy debug_request = noop (11) policy debug_coa { (11) if ("%{debug_attr:coa:}" == '') { (11) Attributes matching "coa:" (11) WARNING: List "coa" is not available (11) EXPAND %{debug_attr:coa:} (11) --> (11) if ("%{debug_attr:coa:}" == '') -> TRUE (11) if ("%{debug_attr:coa:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:coa:}" == '') = noop (11) } # policy debug_coa = noop (11) policy debug_reply { (11) if ("%{debug_attr:reply:}" == '') { (11) Attributes matching "reply:" (11) &reply:Tunnel-Type:-128 := VLAN (11) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (11) &reply:Class = 0x7374616666 (11) &reply:Filter-Id = staff (11) &reply:Tunnel-Private-Group-Id:0 = 1874 (11) &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (11) &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a (11) &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280 (11) &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401 (11) &reply:EAP-Message = 0x03d50004 (11) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (11) &reply:User-Name = anonymous@example.com (11) EXPAND %{debug_attr:reply:} (11) --> (11) if ("%{debug_attr:reply:}" == '') -> TRUE (11) if ("%{debug_attr:reply:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:reply:}" == '') = noop (11) } # policy debug_reply = noop (11) policy debug_session_state { (11) if ("%{debug_attr:session-state:}" == '') { (11) Attributes matching "session-state:" (11) EXPAND %{debug_attr:session-state:} (11) --> (11) if ("%{debug_attr:session-state:}" == '') -> TRUE (11) if ("%{debug_attr:session-state:}" == '') { (11) [noop] = noop (11) } # if ("%{debug_attr:session-state:}" == '') = noop (11) } # policy debug_session_state = noop (11) } # policy debug_all = noop (11) } # post-auth = ok (11) Login OK: [anonymous@example.com] (from client localhost port 0 cli 02-00-00-00-00-01) (11) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:51983 length 258 (11) Tunnel-Type := VLAN (11) Tunnel-Medium-Type := IEEE-802 (11) Class = 0x7374616666 (11) Filter-Id = "staff" (11) Tunnel-Private-Group-Id:0 = "1874" (11) Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340 (11) MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a (11) MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d (11) EAP-Message = 0x03d50004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "anonymous@example.com" (11) Finished request Thread 4 waiting to be assigned a request Waking up in 4.6 seconds.
On Nov 7, 2025, at 8:10 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I think I was on track with getting it running based on your recommendation, but I think this „defect“ here is playing against our setup:
https://github.com/FreeRADIUS/freeradius-server/issues/5288
https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105157...
Maybe?
I know you wrote this back then:
For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down. But I am not able to completely change our setup in a short amount of time. Is there any other workaround for this specific problem?
I really don't know. You've been (again) careful to not describe what you did. Presumably you edited the configuration files somehow. I gave explicit instructions on what to do,. That should work, and that should not be affected by the bug report. But again, you've been careful to hide as much information as possible. You need to post clear and descriptive messages. You're not doing that. Learn how to ask good questions. Until you do that, it's essentially impossible to help you. Alan DeKok.
OK, let’s try again. Goal: copy the inner identity to the outer session state and then add this inner identity to the Access-Accept message as username. What I did: 1. added the save of (a) inner identiy into the session-state namespace in the authorize{} section in proxy-inner-tunnel: /etc/sites-enabled/proxy-inner-tunnel: server proxy-inner-tunnel { authorize { if (&User-Name) { update { &outer.session-state:locInner-User-Name := „user@example.com" } } update control { &Proxy-To-Realm := REALM-NPS-DEV } } } --- 2. Tried to read the session-state namespace attribute and add it to the Access-Accept / reply message in different sections in default: /etc/sites-enabled/default: server default { post-auth { debug_all if (&session-state:locInner-User-Name) { update reply { User-Name := "%{session-state:locInner-User-Name}“ } } update { &reply: += &session-state } } post-proxy { if (&session-state:locInner-User-Name) { update reply { User-Name := "%{session-state:locInner-User-Name}" } } attr_filter.post-proxy eap } } Does this help to clarify my intention and what I tried? Regards
Am 07.11.2025 um 14:49 schrieb Alan DeKok via Freeradius-Users <freeradius-users@lists.freeradius.org>:
On Nov 7, 2025, at 8:10 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I think I was on track with getting it running based on your recommendation, but I think this „defect“ here is playing against our setup:
https://github.com/FreeRADIUS/freeradius-server/issues/5288
https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105157...
Maybe?
I know you wrote this back then:
For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down. But I am not able to completely change our setup in a short amount of time. Is there any other workaround for this specific problem?
I really don't know. You've been (again) careful to not describe what you did.
Presumably you edited the configuration files somehow.
I gave explicit instructions on what to do,. That should work, and that should not be affected by the bug report.
But again, you've been careful to hide as much information as possible.
You need to post clear and descriptive messages. You're not doing that. Learn how to ask good questions. Until you do that, it's essentially impossible to help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've pushed a patch which produces a bit more debug output that might help. But it won't fix the issue. I will also note that it took 6 rounds of messages before you pointed out that you had already filed a bug on this issue, and that the issue hadn't been fixed. Suppressing that information meant I spent a fair amount of time trying to understand what you were talking about, because I don't read all of the bug reports before replying to message on the list. You will need to communicate a LOT better in the future. Your current process is to post minimal information, and then hope that everyone magically knows what you mean. Get better at communication, or it will be easier to just ignore your messages. Alan DeKok.
Hi Alan
I've pushed a patch which produces a bit more debug output that might help. But it won't fix the issue. Thanks, I will update the system and will go through the new / enhanced debug output as soon as possible.
I will also note that it took 6 rounds of messages before you pointed out that you had already filed a bug on this issue, and that the issue hadn't been fixed. Suppressing that information meant I spent a fair amount of time trying to understand what you were talking about, because I don't read all of the bug reports before replying to message on the list. This is true, but only because I did not know, that I am hitting the same bug as in December 2024. Back then, I had another issue with a logging configuration, that worked before on FR 3.0.26.
I only stumbled over the this issue right here (https://github.com/FreeRADIUS/freeradius-server/issues/5288) today while looking for a possible solution and found „my“ mailing list post reference there from back in Dec 2024. If I knew this before, I would have pointed it out much earlier for sure. Regards
Am 07.11.2025 um 21:08 schrieb Alan DeKok <alan.dekok@inkbridge.io>:
I've pushed a patch which produces a bit more debug output that might help. But it won't fix the issue.
I will also note that it took 6 rounds of messages before you pointed out that you had already filed a bug on this issue, and that the issue hadn't been fixed. Suppressing that information meant I spent a fair amount of time trying to understand what you were talking about, because I don't read all of the bug reports before replying to message on the list.
You will need to communicate a LOT better in the future. Your current process is to post minimal information, and then hope that everyone magically knows what you mean.
Get better at communication, or it will be easier to just ignore your messages.
Alan DeKok.
Hi Alan I have updated the system to the following version, which includes your last patches: root@id-radiustest1:/etc/freeradius# freeradius -v radiusd: FreeRADIUS Version 3.2.9 (git #8efdca0c6), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.2.9 Again, this is the situation i am fighting with and maybe you have an finger point, what else I can try to „workaround“ the disadvantages with your current setup: - FreeRADIUS 3.2.9 - PEAP with MS-CHAPv2 - Proxying is always done internally / locally first - ONLY the inner tunnel is proxied to a Microsoft NPS server - the MS NPS server is not able to return the inner username in the Access-Accept message - I hit defect / bug #5288: "[defect]: session-state is empty in post_auth section after proxying request to home server, branch 3.2.x“ - I will change our setup to „not doing internal proxying“ in the near future, but this takes time and I will have to involve another team, which takes care of the Microsoft server infrastructure —> I know, this will help in the future, but as I said, not changeble in a timely fashion - Files involved (in my opinion): sites-available/default, sites-available/proxy-inner-tunnel, mods-available/eap I have tried to save the inner username to an attribute called locInner-User-Name in either the session-state namespace (which is affected by the defect / bug #5288) or another namespace like control. In both cases, the variable is not persistent till the end of the RADIUS process, please see debug output below. Again, do you have any idea how to overcome the actual situation with our setup (internal proxying) and the current defect / bug #5288? Any help is appreciated. Regards Dominic (0) Received Access-Request Id 0 from 127.0.0.1:58298 to 127.0.0.1:1812 length 177 (0) User-Name = "anonymous@example.com" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Called-Station-Id = "11-22-33-44-55-66:eduroam" (0) EAP-Message = 0x020d001701616e6f6e796d6f757340756e6962652e6368 (0) Message-Authenticator = 0x06c1c680b3ef95df1202c79fb45166a2 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 11-22-33-44-55-66 (0) &Called-Station-Id := 11-22-33-44-55-66 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> eduroam (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> eduroam (0) &Called-Station-SSID := eduroam (0) EXPAND %{Called-Station-Id}:%{8} (0) --> 11-22-33-44-55-66:eduroam (0) &Called-Station-Id := 11-22-33-44-55-66:eduroam (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 02-00-00-00-00-01 (0) &Calling-Station-Id := 02-00-00-00-00-01 (0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (0) --> 02:00:00:00:00:01 (0) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) if (Service-Type == Call-Check) { (0) if (Service-Type == Call-Check) -> FALSE (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) EXPAND Packet-Src-IP-Address (0) --> 127.0.0.1 (0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (EAP-Message) { (0) if (EAP-Message) -> TRUE (0) if (EAP-Message) { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = updated (0) } # policy filter_username = updated (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (0) suffix: Found realm "EXAMPLE.COM" (0) suffix: Adding Realm = "EXAMPLE.COM" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) policy deny_no_realm { (0) if (User-Name && (User-Name !~ /@/)) { (0) if (User-Name && (User-Name !~ /@/)) -> FALSE (0) } # policy deny_no_realm = updated (0) update request { (0) EXPAND %{toupper:%{Realm}} (0) --> EXAMPLE.COM (0) Realm := EXAMPLE.COM (0) } # update request = noop (0) eap: Peer sent EAP Response (code 2) ID 13 length 23 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # if (EAP-Message) = ok (0) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (0) } # authorize = updated (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type eap { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Using default_eap_type = PEAP (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) PEAP -Initiating new session (0) eap: Sending EAP Request (code 1) ID 14 length 6 (0) eap: EAP session adding &reply:State = 0xafa7dc71afa9c54b (0) [eap] = handled (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) EXPAND Response-Packet-Type (0) --> Access-Challenge (0) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (0) if (handled && (Response-Packet-Type == Access-Challenge)) { (0) attr_filter.access_challenge: EXPAND %{User-Name} (0) attr_filter.access_challenge: --> anonymous@example.com (0) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (0) [attr_filter.access_challenge.post-auth] = updated (0) [handled] = handled (0) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (0) } # Auth-Type eap = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) session-state: Saving cached attributes for server default (0) Framed-MTU = 1014 (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:58298 length 64 (0) EAP-Message = 0x010e00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xafa7dc71afa9c54bd50cde17df51e2b7 (0) Finished request Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 1 from 127.0.0.1:58298 to 127.0.0.1:1812 length 366 (1) User-Name = "anonymous@example.com" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) Called-Station-Id = "11-22-33-44-55-66:eduroam" (1) EAP-Message = 0x020e00c21980000000b816030100b3010000af0303a6603acb0ad334b1a7514619e97a2ed5509c041248ca4cc446156e535d62be04000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0xafa7dc71afa9c54bd50cde17df51e2b7 (1) Message-Authenticator = 0xf80e555becc8e15c44c723043ac11b4b (1) session-state: Restoring attributes for server default (1) &session-state:Framed-MTU = 1014 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 11-22-33-44-55-66 (1) &Called-Station-Id := 11-22-33-44-55-66 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> eduroam (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> eduroam (1) &Called-Station-SSID := eduroam (1) EXPAND %{Called-Station-Id}:%{8} (1) --> 11-22-33-44-55-66:eduroam (1) &Called-Station-Id := 11-22-33-44-55-66:eduroam (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 02-00-00-00-00-01 (1) &Calling-Station-Id := 02-00-00-00-00-01 (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 02:00:00:00:00:01 (1) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if (Service-Type == Call-Check) { (1) if (Service-Type == Call-Check) -> FALSE (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) EXPAND Packet-Src-IP-Address (1) --> 127.0.0.1 (1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (EAP-Message) { (1) if (EAP-Message) -> TRUE (1) if (EAP-Message) { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = updated (1) } # policy filter_username = updated (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (1) suffix: Found realm "EXAMPLE.COM" (1) suffix: Adding Realm = "EXAMPLE.COM" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) policy deny_no_realm { (1) if (User-Name && (User-Name !~ /@/)) { (1) if (User-Name && (User-Name !~ /@/)) -> FALSE (1) } # policy deny_no_realm = updated (1) update request { (1) EXPAND %{toupper:%{Realm}} (1) --> EXAMPLE.COM (1) Realm := EXAMPLE.COM (1) } # update request = noop (1) eap: Peer sent EAP Response (code 2) ID 14 length 194 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # if (EAP-Message) = ok (1) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Auth-Type eap { (1) eap: Removing EAP session with state 0xafa7dc71afa9c54b (1) eap: Previous EAP request found for state 0xafa7dc71afa9c54b, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) EAP Peer says that the final record size will be 184 bytes (1) eap_peap: (TLS) EAP Got all data (184 bytes) (1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 15 length 1024 (1) eap: EAP session adding &reply:State = 0xafa7dc71aea8c54b (1) [eap] = handled (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) attr_filter.access_challenge: EXPAND %{User-Name} (1) attr_filter.access_challenge: --> anonymous@example.com (1) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (1) [attr_filter.access_challenge.post-auth] = updated (1) [handled] = handled (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (1) } # Auth-Type eap = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) session-state: Saving cached attributes for server default (1) Framed-MTU = 1014 (1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1090 (1) EAP-Message = 0x010f040019c000001135160303003d020000390303c6dc5fc2f65c269aa22fac4d563962cfd78795555dc90102444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xafa7dc71aea8c54bd50cde17df51e2b7 (1) Finished request Thread 2 waiting to be assigned a request Thread 5 got semaphore Thread 5 handling request 2, (1 handled so far) (2) Received Access-Request Id 2 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (2) User-Name = "anonymous@example.com" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) Called-Station-Id = "11-22-33-44-55-66:eduroam" (2) EAP-Message = 0x020f00061900 (2) State = 0xafa7dc71aea8c54bd50cde17df51e2b7 (2) Message-Authenticator = 0xc0f08954ac4322ac403afe73ba484134 (2) session-state: Restoring attributes for server default (2) &session-state:Framed-MTU = 1014 (2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" Waking up in 0.3 seconds. (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 11-22-33-44-55-66 (2) &Called-Station-Id := 11-22-33-44-55-66 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> eduroam (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> eduroam (2) &Called-Station-SSID := eduroam (2) EXPAND %{Called-Station-Id}:%{8} (2) --> 11-22-33-44-55-66:eduroam (2) &Called-Station-Id := 11-22-33-44-55-66:eduroam (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 02-00-00-00-00-01 (2) &Calling-Station-Id := 02-00-00-00-00-01 (2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 02:00:00:00:00:01 (2) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (Service-Type == Call-Check) { (2) if (Service-Type == Call-Check) -> FALSE (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) EXPAND Packet-Src-IP-Address (2) --> 127.0.0.1 (2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (2) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (2) if (EAP-Message) { (2) if (EAP-Message) -> TRUE (2) if (EAP-Message) { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = updated (2) } # policy filter_username = updated (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (2) suffix: Found realm "EXAMPLE.COM" (2) suffix: Adding Realm = "EXAMPLE.COM" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) policy deny_no_realm { (2) if (User-Name && (User-Name !~ /@/)) { (2) if (User-Name && (User-Name !~ /@/)) -> FALSE (2) } # policy deny_no_realm = updated (2) update request { (2) EXPAND %{toupper:%{Realm}} (2) --> EXAMPLE.COM (2) Realm := EXAMPLE.COM (2) } # update request = noop (2) eap: Peer sent EAP Response (code 2) ID 15 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # if (EAP-Message) = ok (2) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Auth-Type eap { (2) eap: Removing EAP session with state 0xafa7dc71aea8c54b (2) eap: Previous EAP request found for state 0xafa7dc71aea8c54b, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 16 length 1020 (2) eap: EAP session adding &reply:State = 0xafa7dc71adb7c54b (2) [eap] = handled (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) EXPAND Response-Packet-Type (2) --> Access-Challenge (2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (2) if (handled && (Response-Packet-Type == Access-Challenge)) { (2) attr_filter.access_challenge: EXPAND %{User-Name} (2) attr_filter.access_challenge: --> anonymous@example.com (2) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (2) [attr_filter.access_challenge.post-auth] = updated (2) [handled] = handled (2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (2) } # Auth-Type eap = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) session-state: Saving cached attributes for server default (2) Framed-MTU = 1014 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (2) EAP-Message = 0x011003fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xafa7dc71adb7c54bd50cde17df51e2b7 (2) Finished request Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 3, (1 handled so far) (3) Received Access-Request Id 3 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (3) User-Name = "anonymous@example.com" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) Called-Station-Id = "11-22-33-44-55-66:eduroam" (3) EAP-Message = 0x021000061900 (3) State = 0xafa7dc71adb7c54bd50cde17df51e2b7 (3) Message-Authenticator = 0xcb3fb191e4250283a6d6250e964b3200 (3) session-state: Restoring attributes for server default (3) &session-state:Framed-MTU = 1014 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 11-22-33-44-55-66 (3) &Called-Station-Id := 11-22-33-44-55-66 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> eduroam (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> eduroam (3) &Called-Station-SSID := eduroam (3) EXPAND %{Called-Station-Id}:%{8} (3) --> 11-22-33-44-55-66:eduroam (3) &Called-Station-Id := 11-22-33-44-55-66:eduroam (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 02-00-00-00-00-01 (3) &Calling-Station-Id := 02-00-00-00-00-01 (3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> 02:00:00:00:00:01 (3) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) if (Service-Type == Call-Check) { (3) if (Service-Type == Call-Check) -> FALSE (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) EXPAND Packet-Src-IP-Address (3) --> 127.0.0.1 (3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (3) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (3) if (EAP-Message) { (3) if (EAP-Message) -> TRUE (3) if (EAP-Message) { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = updated (3) } # policy filter_username = updated (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (3) suffix: Found realm "EXAMPLE.COM" (3) suffix: Adding Realm = "EXAMPLE.COM" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) policy deny_no_realm { (3) if (User-Name && (User-Name !~ /@/)) { (3) if (User-Name && (User-Name !~ /@/)) -> FALSE (3) } # policy deny_no_realm = updated (3) update request { (3) EXPAND %{toupper:%{Realm}} (3) --> EXAMPLE.COM (3) Realm := EXAMPLE.COM (3) } # update request = noop (3) eap: Peer sent EAP Response (code 2) ID 16 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # if (EAP-Message) = ok (3) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Auth-Type eap { (3) eap: Removing EAP session with state 0xafa7dc71adb7c54b (3) eap: Previous EAP request found for state 0xafa7dc71adb7c54b, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 17 length 1020 (3) eap: EAP session adding &reply:State = 0xafa7dc71acb6c54b (3) [eap] = handled (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) EXPAND Response-Packet-Type (3) --> Access-Challenge (3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (3) if (handled && (Response-Packet-Type == Access-Challenge)) { (3) attr_filter.access_challenge: EXPAND %{User-Name} (3) attr_filter.access_challenge: --> anonymous@example.com (3) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (3) [attr_filter.access_challenge.post-auth] = updated (3) [handled] = handled (3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (3) } # Auth-Type eap = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) session-state: Saving cached attributes for server default (3) Framed-MTU = 1014 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (3) EAP-Message = 0x011103fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xafa7dc71acb6c54bd50cde17df51e2b7 (3) Finished request Thread 1 waiting to be assigned a request Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 4, (1 handled so far) (4) Received Access-Request Id 4 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (4) User-Name = "anonymous@example.com" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) Called-Station-Id = "11-22-33-44-55-66:eduroam" (4) EAP-Message = 0x021100061900 (4) State = 0xafa7dc71acb6c54bd50cde17df51e2b7 (4) Message-Authenticator = 0x95ae360623a91d8e19ce9b76b3238fad (4) session-state: Restoring attributes for server default (4) &session-state:Framed-MTU = 1014 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 11-22-33-44-55-66 (4) &Called-Station-Id := 11-22-33-44-55-66 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> eduroam (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> eduroam (4) &Called-Station-SSID := eduroam (4) EXPAND %{Called-Station-Id}:%{8} (4) --> 11-22-33-44-55-66:eduroam (4) &Called-Station-Id := 11-22-33-44-55-66:eduroam (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) policy rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 02-00-00-00-00-01 (4) &Calling-Station-Id := 02-00-00-00-00-01 (4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> 02:00:00:00:00:01 (4) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_calling_station_id = updated (4) if (Service-Type == Call-Check) { (4) if (Service-Type == Call-Check) -> FALSE (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) EXPAND Packet-Src-IP-Address (4) --> 127.0.0.1 (4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (4) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (4) if (EAP-Message) { (4) if (EAP-Message) -> TRUE (4) if (EAP-Message) { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = updated (4) } # policy filter_username = updated (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (4) suffix: Found realm "EXAMPLE.COM" (4) suffix: Adding Realm = "EXAMPLE.COM" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) policy deny_no_realm { (4) if (User-Name && (User-Name !~ /@/)) { (4) if (User-Name && (User-Name !~ /@/)) -> FALSE (4) } # policy deny_no_realm = updated (4) update request { (4) EXPAND %{toupper:%{Realm}} (4) --> EXAMPLE.COM (4) Realm := EXAMPLE.COM (4) } # update request = noop (4) eap: Peer sent EAP Response (code 2) ID 17 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # if (EAP-Message) = ok (4) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Auth-Type eap { (4) eap: Removing EAP session with state 0xafa7dc71acb6c54b (4) eap: Previous EAP request found for state 0xafa7dc71acb6c54b, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 18 length 1020 (4) eap: EAP session adding &reply:State = 0xafa7dc71abb5c54b (4) [eap] = handled (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) EXPAND Response-Packet-Type (4) --> Access-Challenge (4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (4) if (handled && (Response-Packet-Type == Access-Challenge)) { (4) attr_filter.access_challenge: EXPAND %{User-Name} (4) attr_filter.access_challenge: --> anonymous@example.com (4) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (4) [attr_filter.access_challenge.post-auth] = updated (4) [handled] = handled (4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (4) } # Auth-Type eap = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) session-state: Saving cached attributes for server default (4) Framed-MTU = 1014 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086 (4) EAP-Message = 0x011203fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xafa7dc71abb5c54bd50cde17df51e2b7 (4) Finished request Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 5, (2 handled so far) (5) Received Access-Request Id 5 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (5) User-Name = "anonymous@example.com" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) Called-Station-Id = "11-22-33-44-55-66:eduroam" (5) EAP-Message = 0x021200061900 (5) State = 0xafa7dc71abb5c54bd50cde17df51e2b7 (5) Message-Authenticator = 0x110895b87d5f426939588767952b980e (5) session-state: Restoring attributes for server default (5) &session-state:Framed-MTU = 1014 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 11-22-33-44-55-66 (5) &Called-Station-Id := 11-22-33-44-55-66 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> eduroam (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> eduroam (5) &Called-Station-SSID := eduroam (5) EXPAND %{Called-Station-Id}:%{8} (5) --> 11-22-33-44-55-66:eduroam (5) &Called-Station-Id := 11-22-33-44-55-66:eduroam Thread 3 waiting to be assigned a request (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) policy rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 02-00-00-00-00-01 (5) &Calling-Station-Id := 02-00-00-00-00-01 (5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> 02:00:00:00:00:01 (5) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_calling_station_id = updated (5) if (Service-Type == Call-Check) { (5) if (Service-Type == Call-Check) -> FALSE (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) EXPAND Packet-Src-IP-Address (5) --> 127.0.0.1 (5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (5) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (5) if (EAP-Message) { (5) if (EAP-Message) -> TRUE (5) if (EAP-Message) { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = updated (5) } # policy filter_username = updated (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (5) suffix: Found realm "EXAMPLE.COM" (5) suffix: Adding Realm = "EXAMPLE.COM" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) policy deny_no_realm { (5) if (User-Name && (User-Name !~ /@/)) { (5) if (User-Name && (User-Name !~ /@/)) -> FALSE (5) } # policy deny_no_realm = updated (5) update request { (5) EXPAND %{toupper:%{Realm}} (5) --> EXAMPLE.COM (5) Realm := EXAMPLE.COM (5) } # update request = noop (5) eap: Peer sent EAP Response (code 2) ID 18 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # if (EAP-Message) = ok (5) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Auth-Type eap { (5) eap: Removing EAP session with state 0xafa7dc71abb5c54b (5) eap: Previous EAP request found for state 0xafa7dc71abb5c54b, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 19 length 355 (5) eap: EAP session adding &reply:State = 0xafa7dc71aab4c54b (5) [eap] = handled (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) EXPAND Response-Packet-Type (5) --> Access-Challenge (5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (5) if (handled && (Response-Packet-Type == Access-Challenge)) { (5) attr_filter.access_challenge: EXPAND %{User-Name} (5) attr_filter.access_challenge: --> anonymous@example.com (5) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (5) [attr_filter.access_challenge.post-auth] = updated (5) [handled] = handled (5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (5) } # Auth-Type eap = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) session-state: Saving cached attributes for server default (5) Framed-MTU = 1014 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:58298 length 415 (5) EAP-Message = 0x01130163190032b6160303014d0c0001490300174104d6c25131955fa9d5a32b82fe0c9946faa04077b64b76fd5f22e57029916c464206ae3b257202f4dbdfe1e232fefa15c33e76d79f90734cf2cf51224d83add402080401002b481341defb4b68e8c1fc1c89928bbfe7b34c4a6c331e2dad3c23fe2c97e36be88fa8f03eaa3a37f4597fc8e7a5130b15b6b117d6efa5ed8e41e380f60275bc361a21ef3c3c38d0f7ce1caa34748c3fdbd13176c71bfeff614668912c8443e2407d4d63bbf843c0a48ca4bb96050bf1339d63a54c7c1b81c37da94df70b03b93de626466c45c241c1592bc18764d5903b6190312461866f0daff4b4d07877be03946eb340cbb691bf61dbbe7c00c574447f2cfc213997406f40b375840bec78e375f39ecf5fae42e505a91676c8db7e5e4d11e13ab14cf87ed90a14a404ed4bc0792b060a1fcb096483e0ec609bc243a47d7f84a135bcfa4fcfa863ab7a2ee316030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xafa7dc71aab4c54bd50cde17df51e2b7 (5) Finished request Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 6, (2 handled so far) (6) Received Access-Request Id 6 from 127.0.0.1:58298 to 127.0.0.1:1812 length 308 (6) User-Name = "anonymous@example.com" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) Called-Station-Id = "11-22-33-44-55-66:eduroam" (6) EAP-Message = 0x0213008819800000007e1603030046100000424104cde4725a02e51628adb570203425942e8376b7eb917052c91cf73ee58f4549727707cefd46163decb23e5bce3a9abbc967fd7ee5b51977503f6af2fbb44023e1140303000101160303002875b785dd798fea122dc888bf79c0739b1388ab79106c0ebdcd9b56ddf7860757295939c2bc9b9c1f (6) State = 0xafa7dc71aab4c54bd50cde17df51e2b7 (6) Message-Authenticator = 0x3f4dfe266ae453efe5a645253d32a41f (6) session-state: Restoring attributes for server default (6) &session-state:Framed-MTU = 1014 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 11-22-33-44-55-66 (6) &Called-Station-Id := 11-22-33-44-55-66 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> eduroam (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> eduroam (6) &Called-Station-SSID := eduroam (6) EXPAND %{Called-Station-Id}:%{8} (6) --> 11-22-33-44-55-66:eduroam (6) &Called-Station-Id := 11-22-33-44-55-66:eduroam (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 02-00-00-00-00-01 (6) &Calling-Station-Id := 02-00-00-00-00-01 (6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> 02:00:00:00:00:01 (6) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) if (Service-Type == Call-Check) { (6) if (Service-Type == Call-Check) -> FALSE (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) EXPAND Packet-Src-IP-Address (6) --> 127.0.0.1 (6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (6) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (6) if (EAP-Message) { (6) if (EAP-Message) -> TRUE (6) if (EAP-Message) { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = updated (6) } # policy filter_username = updated (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (6) suffix: Found realm "EXAMPLE.COM" (6) suffix: Adding Realm = "EXAMPLE.COM" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) policy deny_no_realm { (6) if (User-Name && (User-Name !~ /@/)) { (6) if (User-Name && (User-Name !~ /@/)) -> FALSE (6) } # policy deny_no_realm = updated (6) update request { (6) EXPAND %{toupper:%{Realm}} (6) --> EXAMPLE.COM (6) Realm := EXAMPLE.COM (6) } # update request = noop (6) eap: Peer sent EAP Response (code 2) ID 19 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # if (EAP-Message) = ok (6) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Auth-Type eap { (6) eap: Removing EAP session with state 0xafa7dc71aab4c54b (6) eap: Previous EAP request found for state 0xafa7dc71aab4c54b, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) PEAP - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 20 length 57 (6) eap: EAP session adding &reply:State = 0xafa7dc71a9b3c54b (6) [eap] = handled (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) EXPAND Response-Packet-Type (6) --> Access-Challenge (6) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (6) if (handled && (Response-Packet-Type == Access-Challenge)) { (6) attr_filter.access_challenge: EXPAND %{User-Name} (6) attr_filter.access_challenge: --> anonymous@example.com (6) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (6) [attr_filter.access_challenge.post-auth] = updated (6) [handled] = handled (6) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (6) } # Auth-Type eap = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) session-state: Saving cached attributes for server default (6) Framed-MTU = 1014 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:58298 length 115 (6) EAP-Message = 0x011400391900140303000101160303002864f52ed12ea54c8db9ec40c1c930f12216b536521fe729a169e6512baba1fb9f4254162bc18808f0 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7 (6) Finished request Thread 2 waiting to be assigned a request Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 7, (2 handled so far) (7) Received Access-Request Id 7 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178 (7) User-Name = "anonymous@example.com" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) Called-Station-Id = "11-22-33-44-55-66:eduroam" (7) EAP-Message = 0x021400061900 (7) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7 (7) Message-Authenticator = 0xcb8cc4aaf40234fb76c6e2771c68a54d (7) session-state: Restoring attributes for server default (7) &session-state:Framed-MTU = 1014 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 11-22-33-44-55-66 (7) &Called-Station-Id := 11-22-33-44-55-66 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> eduroam (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> eduroam (7) &Called-Station-SSID := eduroam (7) EXPAND %{Called-Station-Id}:%{8} (7) --> 11-22-33-44-55-66:eduroam (7) &Called-Station-Id := 11-22-33-44-55-66:eduroam (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) policy rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 02-00-00-00-00-01 (7) &Calling-Station-Id := 02-00-00-00-00-01 (7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7) --> 02:00:00:00:00:01 (7) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_calling_station_id = updated (7) if (Service-Type == Call-Check) { (7) if (Service-Type == Call-Check) -> FALSE (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) EXPAND Packet-Src-IP-Address (7) --> 127.0.0.1 (7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (7) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (7) if (EAP-Message) { (7) if (EAP-Message) -> TRUE (7) if (EAP-Message) { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = updated (7) } # policy filter_username = updated (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (7) suffix: Found realm "EXAMPLE.COM" (7) suffix: Adding Realm = "EXAMPLE.COM" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) policy deny_no_realm { (7) if (User-Name && (User-Name !~ /@/)) { (7) if (User-Name && (User-Name !~ /@/)) -> FALSE (7) } # policy deny_no_realm = updated (7) update request { (7) EXPAND %{toupper:%{Realm}} (7) --> EXAMPLE.COM (7) Realm := EXAMPLE.COM (7) } # update request = noop (7) eap: Peer sent EAP Response (code 2) ID 20 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # if (EAP-Message) = ok (7) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Auth-Type eap { (7) eap: Removing EAP session with state 0xafa7dc71a9b3c54b (7) eap: Previous EAP request found for state 0xafa7dc71a9b3c54b, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 21 length 40 (7) eap: EAP session adding &reply:State = 0xafa7dc71a8b2c54b (7) [eap] = handled (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) EXPAND Response-Packet-Type (7) --> Access-Challenge (7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (7) if (handled && (Response-Packet-Type == Access-Challenge)) { (7) attr_filter.access_challenge: EXPAND %{User-Name} (7) attr_filter.access_challenge: --> anonymous@example.com (7) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (7) [attr_filter.access_challenge.post-auth] = updated (7) [handled] = handled (7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (7) } # Auth-Type eap = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) session-state: Saving cached attributes for server default (7) Framed-MTU = 1014 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:58298 length 98 (7) EAP-Message = 0x011500281900170303001d64f52ed12ea54c8e39e6e9ae296be6f270041366136e149607ad91f48e (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7 (7) Finished request Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 8, (2 handled so far) (8) Received Access-Request Id 8 from 127.0.0.1:58298 to 127.0.0.1:1812 length 231 (8) User-Name = "anonymous@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id = "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id = "11-22-33-44-55-66:eduroam" (8) EAP-Message = 0x0215003b1900170303003075b785dd798fea13d1e6304c1b7160227a0e83e6dc155dc3cd1f3fe96cf86c7daeac8cef201b136415b1f64de9552925 (8) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7 (8) Message-Authenticator = 0x91788ea1d6feeaa72a328302eccee0fc (8) session-state: Restoring attributes for server default (8) &session-state:Framed-MTU = 1014 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 11-22-33-44-55-66 (8) &Called-Station-Id := 11-22-33-44-55-66 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> eduroam (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> eduroam (8) &Called-Station-SSID := eduroam (8) EXPAND %{Called-Station-Id}:%{8} (8) --> 11-22-33-44-55-66:eduroam (8) &Called-Station-Id := 11-22-33-44-55-66:eduroam (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) policy rewrite_calling_station_id { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 02-00-00-00-00-01 (8) &Calling-Station-Id := 02-00-00-00-00-01 (8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8) --> 02:00:00:00:00:01 (8) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (8) } # update request = noop (8) [updated] = updated (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_calling_station_id = updated (8) if (Service-Type == Call-Check) { (8) if (Service-Type == Call-Check) -> FALSE (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) EXPAND Packet-Src-IP-Address (8) --> 127.0.0.1 (8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (8) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (8) if (EAP-Message) { (8) if (EAP-Message) -> TRUE (8) if (EAP-Message) { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = updated (8) } # policy filter_username = updated (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (8) suffix: Found realm "EXAMPLE.COM" (8) suffix: Adding Realm = "EXAMPLE.COM" (8) suffix: Authentication realm is LOCAL (8) [suffix] = ok (8) policy deny_no_realm { (8) if (User-Name && (User-Name !~ /@/)) { (8) if (User-Name && (User-Name !~ /@/)) -> FALSE (8) } # policy deny_no_realm = updated (8) update request { (8) EXPAND %{toupper:%{Realm}} (8) --> EXAMPLE.COM (8) Realm := EXAMPLE.COM (8) } # update request = noop (8) eap: Peer sent EAP Response (code 2) ID 21 length 59 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # if (EAP-Message) = ok (8) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Auth-Type eap { (8) eap: Removing EAP session with state 0xafa7dc71a8b2c54b (8) eap: Previous EAP request found for state 0xafa7dc71a8b2c54b, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - user@example.com (8) eap_peap: Got inner identity 'user@example.com' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: Setting User-Name to user@example.com (8) eap_peap: Sending tunneled request to proxy-inner-tunnel (8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "user@example.com" (8) eap_peap: NAS-IP-Address = 127.0.0.1 (8) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (8) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Virtual server proxy-inner-tunnel received request (8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "user@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) server proxy-inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (8) authorize { (8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (8) update outer.control { (8) EXPAND %{User-Name} (8) --> user@example.com (8) locInner-User-Name := user@example.com (8) } # update outer.control = noop (8) if (!NAS-Port-Type){ (8) if (!NAS-Port-Type) -> FALSE (8) update control { (8) &Proxy-To-Realm := REALM-NPS-DEV (8) } # update control = noop (8) } # authorize = noop (8) } # server proxy-inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (8) eap: WARNING: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) if (handled && (Response-Packet-Type == Access-Challenge)) { (8) EXPAND Response-Packet-Type (8) --> (8) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (8) } # Auth-Type eap = handled (8) Starting proxy to home server 2.2.2.2 port 1812 (8) server default { (8) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (8) pre-proxy { (8) attr_filter.pre-proxy: EXPAND %{Realm} (8) attr_filter.pre-proxy: --> EXAMPLE.COM (8) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (8) [attr_filter.pre-proxy] = updated (8) } # pre-proxy = updated (8) } (8) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (8) Sent Access-Request Id 8 from 0.0.0.0:52965 to 2.2.2.2:1812 length 165 (8) Operator-Name := "1EXAMPLE.COM" (8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368 (8) User-Name = "user@example.com" (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id := "02-00-00-00-00-01" (8) NAS-Port-Type = Wireless-802.11 (8) Called-Station-Id := "11-22-33-44-55-66:eduroam" (8) Message-Authenticator = 0x (8) Proxy-State = 0x38 Thread 1 waiting to be assigned a request (8) Marking home server 2.2.2.2 port 1812 alive Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 8, (2 handled so far) (8) Received Access-Challenge Id 8 from 2.2.2.2:1812 to 1.1.1.1:52965 length 126 (8) Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04 (8) Proxy-State = 0x38 (8) Session-Timeout = 60 (8) EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632 (8) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (8) Clearing existing &reply: attributes (8) server default { (8) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (8) post-proxy { (8) attr_filter.post-proxy: EXPAND %{Realm} (8) attr_filter.post-proxy: --> EXAMPLE.COM (8) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (8) [attr_filter.post-proxy] = updated (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel (8) eap: Got tunneled reply RADIUS code 11 (8) eap: Tunnel-Type := VLAN (8) eap: Tunnel-Medium-Type := IEEE-802 (8) eap: Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04 (8) eap: Proxy-State = 0x38 (8) eap: EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632 (8) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (8) eap: Got tunneled Access-Challenge (8) eap: Reply was handled (8) eap: Sending EAP Request (code 1) ID 22 length 70 (8) eap: EAP session adding &reply:State = 0xafa7dc71a7b1c54b (8) [eap] = ok (8) update reply { (8) EXPAND %{control:locInner-User-Name} (8) --> user@example.com (8) &User-Name := user@example.com (8) } # update reply = noop (8) } # post-proxy = updated (8) } (8) session-state: Saving cached attributes for server default (8) Framed-MTU = 1014 (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:58298 length 153 (8) EAP-Message = 0x011600461900170303003b64f52ed12ea54c8f18512005c0151ef6bdf23f5a7ad4df27fbbbad944ae3352f168c363e09cab960ef0f81ff81dfdebc0eaac34b350227b3647f66 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7 (8) User-Name := "user@example.com" (8) Finished request Thread 3 waiting to be assigned a request Waking up in 0.2 seconds. Thread 4 got semaphore Thread 4 handling request 9, (3 handled so far) (9) Received Access-Request Id 9 from 127.0.0.1:58298 to 127.0.0.1:1812 length 285 (9) User-Name = "anonymous@example.com" (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id = "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id = "11-22-33-44-55-66:eduroam" (9) EAP-Message = 0x021600711900170303006675b785dd798fea14870e20dbbfa5338af5df058a43d9647480c865545aeabbd722b49d8021d29eab61642104c445a4eb8c06df995a802a2967ad27883f2de941c3fa2b208626eb79a87e2fb828ae327790dedf08f415bf5d51851abdb153ec11db68f1d29b52 (9) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7 (9) Message-Authenticator = 0x7056f3072ea11a647ea29135b157bb20 (9) session-state: No cached attributes for server default (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy rewrite_called_station_id { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 11-22-33-44-55-66 (9) &Called-Station-Id := 11-22-33-44-55-66 (9) } # update request = noop (9) if ("%{8}") { (9) EXPAND %{8} (9) --> eduroam (9) if ("%{8}") -> TRUE (9) if ("%{8}") { (9) update request { (9) EXPAND %{8} (9) --> eduroam (9) &Called-Station-SSID := eduroam (9) EXPAND %{Called-Station-Id}:%{8} (9) --> 11-22-33-44-55-66:eduroam (9) &Called-Station-Id := 11-22-33-44-55-66:eduroam (9) } # update request = noop (9) } # if ("%{8}") = noop (9) [updated] = updated (9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_called_station_id = updated (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 02-00-00-00-00-01 (9) &Calling-Station-Id := 02-00-00-00-00-01 (9) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9) --> 02:00:00:00:00:01 (9) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) if (Service-Type == Call-Check) { (9) if (Service-Type == Call-Check) -> FALSE (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) EXPAND Packet-Src-IP-Address (9) --> 127.0.0.1 (9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (9) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (9) if (EAP-Message) { (9) if (EAP-Message) -> TRUE (9) if (EAP-Message) { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = updated (9) } # policy filter_username = updated (9) suffix: Checking for suffix after "@" (9) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (9) suffix: Found realm "EXAMPLE.COM" (9) suffix: Adding Realm = "EXAMPLE.COM" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) policy deny_no_realm { (9) if (User-Name && (User-Name !~ /@/)) { (9) if (User-Name && (User-Name !~ /@/)) -> FALSE (9) } # policy deny_no_realm = updated (9) update request { (9) EXPAND %{toupper:%{Realm}} (9) --> EXAMPLE.COM (9) Realm := EXAMPLE.COM (9) } # update request = noop (9) eap: Peer sent EAP Response (code 2) ID 22 length 113 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # if (EAP-Message) = ok (9) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Auth-Type eap { (9) eap: Removing EAP session with state 0xafa7dc71a7b1c54b (9) eap: Previous EAP request found for state 0xafa7dc71a7b1c54b, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: Setting User-Name to user@example.com (9) eap_peap: Sending tunneled request to proxy-inner-tunnel (9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "user@example.com" (9) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) eap_peap: NAS-IP-Address = 127.0.0.1 (9) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (9) eap_peap: Framed-MTU = 1400 (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (9) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Virtual server proxy-inner-tunnel received request (9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "user@example.com" (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) server proxy-inner-tunnel { (9) session-state: No cached attributes for server proxy-inner-tunnel (9) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (9) authorize { (9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (9) update outer.control { (9) EXPAND %{User-Name} (9) --> user@example.com (9) locInner-User-Name := user@example.com (9) } # update outer.control = noop (9) if (!NAS-Port-Type){ (9) if (!NAS-Port-Type) -> FALSE (9) update control { (9) &Proxy-To-Realm := REALM-NPS-DEV (9) } # update control = noop (9) } # authorize = noop (9) } # server proxy-inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (9) eap: WARNING: Tunneled session will be proxied. Not doing EAP (9) [eap] = handled (9) if (handled && (Response-Packet-Type == Access-Challenge)) { (9) EXPAND Response-Packet-Type (9) --> (9) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (9) } # Auth-Type eap = handled (9) Starting proxy to home server 2.2.2.2 port 1812 (9) server default { (9) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (9) pre-proxy { (9) attr_filter.pre-proxy: EXPAND %{Realm} (9) attr_filter.pre-proxy: --> EXAMPLE.COM (9) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (9) [attr_filter.pre-proxy] = updated (9) } # pre-proxy = updated (9) } (9) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (9) Sent Access-Request Id 9 from 0.0.0.0:52965 to 2.2.2.2:1812 length 257 (9) Operator-Name := "1EXAMPLE.COM" (9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368 (9) User-Name = "user@example.com" (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) NAS-IP-Address = 127.0.0.1 (9) Calling-Station-Id := "02-00-00-00-00-01" (9) NAS-Port-Type = Wireless-802.11 (9) Called-Station-Id := "11-22-33-44-55-66:eduroam" (9) Message-Authenticator = 0x (9) Proxy-State = 0x39 Thread 4 waiting to be assigned a request Waking up in 0.2 seconds. Thread 2 got semaphore Thread 2 handling request 9, (3 handled so far) (9) Received Access-Challenge Id 9 from 2.2.2.2:1812 to 1.1.1.1:52965 length 138 (9) Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f (9) Proxy-State = 0x39 (9) Session-Timeout = 60 (9) EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) Clearing existing &reply: attributes (9) server default { (9) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (9) post-proxy { (9) attr_filter.post-proxy: EXPAND %{Realm} (9) attr_filter.post-proxy: --> EXAMPLE.COM (9) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (9) [attr_filter.post-proxy] = updated (9) eap: Doing post-proxy callback (9) eap: Passing reply from proxy back into the tunnel (9) eap: Got tunneled reply RADIUS code 11 (9) eap: Tunnel-Type := VLAN (9) eap: Tunnel-Medium-Type := IEEE-802 (9) eap: Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f (9) eap: Proxy-State = 0x39 (9) eap: EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (9) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (9) eap: Got tunneled Access-Challenge (9) eap: Reply was handled (9) eap: Sending EAP Request (code 1) ID 23 length 82 (9) eap: EAP session adding &reply:State = 0xafa7dc71a6b0c54b (9) [eap] = ok (9) update reply { (9) EXPAND %{control:locInner-User-Name} (9) --> user@example.com (9) &User-Name := user@example.com (9) } # update reply = noop (9) } # post-proxy = updated (9) } (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:58298 length 165 (9) EAP-Message = 0x011700521900170303004764f52ed12ea54c902b90dd600763d13a74ca5367c8fc00299e6e7c32c374e6250ed30140f7f089b51de255471b31f6a804cce004a5383471438d6333d4b042429f782af1c6c4e1 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7 (9) User-Name := "user@example.com" (9) Finished request Thread 2 waiting to be assigned a request Waking up in 0.2 seconds. Thread 5 got semaphore Thread 5 handling request 10, (3 handled so far) (10) Received Access-Request Id 10 from 127.0.0.1:58298 to 127.0.0.1:1812 length 209 (10) User-Name = "anonymous@example.com" (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id = "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id = "11-22-33-44-55-66:eduroam" (10) EAP-Message = 0x021700251900170303001a75b785dd798fea153b66975884eb245f9c132850db6c50233090 (10) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7 (10) Message-Authenticator = 0x8a9c6f10bc67225977d457aab3be0c04 (10) session-state: No cached attributes for server default (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) policy rewrite_called_station_id { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 11-22-33-44-55-66 (10) &Called-Station-Id := 11-22-33-44-55-66 (10) } # update request = noop (10) if ("%{8}") { (10) EXPAND %{8} (10) --> eduroam (10) if ("%{8}") -> TRUE (10) if ("%{8}") { (10) update request { (10) EXPAND %{8} (10) --> eduroam (10) &Called-Station-SSID := eduroam (10) EXPAND %{Called-Station-Id}:%{8} (10) --> 11-22-33-44-55-66:eduroam (10) &Called-Station-Id := 11-22-33-44-55-66:eduroam (10) } # update request = noop (10) } # if ("%{8}") = noop (10) [updated] = updated (10) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_called_station_id = updated (10) policy rewrite_calling_station_id { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10) update request { (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 02-00-00-00-00-01 (10) &Calling-Station-Id := 02-00-00-00-00-01 (10) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10) --> 02:00:00:00:00:01 (10) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (10) } # update request = noop (10) [updated] = updated (10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (10) ... skipping else: Preceding "if" was taken (10) } # policy rewrite_calling_station_id = updated (10) if (Service-Type == Call-Check) { (10) if (Service-Type == Call-Check) -> FALSE (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) EXPAND Packet-Src-IP-Address (10) --> 127.0.0.1 (10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (10) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (10) if (EAP-Message) { (10) if (EAP-Message) -> TRUE (10) if (EAP-Message) { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = updated (10) } # policy filter_username = updated (10) suffix: Checking for suffix after "@" (10) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (10) suffix: Found realm "EXAMPLE.COM" (10) suffix: Adding Realm = "EXAMPLE.COM" (10) suffix: Authentication realm is LOCAL (10) [suffix] = ok (10) policy deny_no_realm { (10) if (User-Name && (User-Name !~ /@/)) { (10) if (User-Name && (User-Name !~ /@/)) -> FALSE (10) } # policy deny_no_realm = updated (10) update request { (10) EXPAND %{toupper:%{Realm}} (10) --> EXAMPLE.COM (10) Realm := EXAMPLE.COM (10) } # update request = noop (10) eap: Peer sent EAP Response (code 2) ID 23 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # if (EAP-Message) = ok (10) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Auth-Type eap { (10) eap: Removing EAP session with state 0xafa7dc71a6b0c54b (10) eap: Previous EAP request found for state 0xafa7dc71a6b0c54b, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x021700061a03 (10) eap_peap: Setting User-Name to user@example.com (10) eap_peap: Sending tunneled request to proxy-inner-tunnel (10) eap_peap: EAP-Message = 0x021700061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "user@example.com" (10) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) eap_peap: NAS-IP-Address = 127.0.0.1 (10) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (10) eap_peap: Framed-MTU = 1400 (10) eap_peap: NAS-Port-Type = Wireless-802.11 (10) eap_peap: Service-Type = Framed-User (10) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (10) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Virtual server proxy-inner-tunnel received request (10) EAP-Message = 0x021700061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "user@example.com" (10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) server proxy-inner-tunnel { (10) session-state: No cached attributes for server proxy-inner-tunnel (10) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (10) authorize { (10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) { (10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE (10) update outer.control { (10) EXPAND %{User-Name} (10) --> user@example.com (10) locInner-User-Name := user@example.com (10) } # update outer.control = noop (10) if (!NAS-Port-Type){ (10) if (!NAS-Port-Type) -> FALSE (10) update control { (10) &Proxy-To-Realm := REALM-NPS-DEV (10) } # update control = noop (10) } # authorize = noop (10) } # server proxy-inner-tunnel (10) Virtual server sending reply (10) eap_peap: Got tunneled reply code 0 (10) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (10) eap: WARNING: Tunneled session will be proxied. Not doing EAP (10) [eap] = handled (10) if (handled && (Response-Packet-Type == Access-Challenge)) { (10) EXPAND Response-Packet-Type (10) --> (10) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (10) } # Auth-Type eap = handled (10) Starting proxy to home server 2.2.2.2 port 1812 (10) server default { (10) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (10) pre-proxy { (10) attr_filter.pre-proxy: EXPAND %{Realm} (10) attr_filter.pre-proxy: --> EXAMPLE.COM (10) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (10) [attr_filter.pre-proxy] = updated (10) } # pre-proxy = updated (10) } (10) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000 (10) Sent Access-Request Id 10 from 0.0.0.0:52965 to 2.2.2.2:1812 length 182 (10) Operator-Name := "1EXAMPLE.COM" (10) EAP-Message = 0x021700061a03 (10) User-Name = "user@example.com" (10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04 (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id := "02-00-00-00-00-01" (10) NAS-Port-Type = Wireless-802.11 (10) Called-Station-Id := "11-22-33-44-55-66:eduroam" (10) Message-Authenticator = 0x (10) Proxy-State = 0x3130 Thread 5 waiting to be assigned a request Waking up in 0.2 seconds. Thread 1 got semaphore Thread 1 handling request 10, (3 handled so far) (10) Received Access-Accept Id 10 from 2.2.2.2:1812 to 1.1.1.1:52965 length 288 (10) Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f (10) Proxy-State = 0x3130 (10) Class = 0x7374616666 (10) Filter-Id = "staff" (10) Framed-Protocol = PPP (10) Service-Type = Framed-User (10) Tunnel-Medium-Type:0 = IEEE-802 (10) Tunnel-Private-Group-Id:0 = "1874" (10) Tunnel-Type:0 = VLAN (10) EAP-Message = 0x03170004 (10) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (10) MS-CHAP-Domain = "\001CAMPUS" (10) MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2 (10) MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d (10) MS-CHAP2-Success = 0x01533d33444131374638464334373842394132304537414644353430364246394537424135454143454639 (10) Clearing existing &reply: attributes (10) server default { (10) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (10) post-proxy { (10) attr_filter.post-proxy: EXPAND %{Realm} (10) attr_filter.post-proxy: --> EXAMPLE.COM (10) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102 (10) [attr_filter.post-proxy] = updated (10) eap: Doing post-proxy callback (10) eap: Passing reply from proxy back into the tunnel (10) eap: Got tunneled reply RADIUS code 2 (10) eap: Tunnel-Type := VLAN (10) eap: Tunnel-Medium-Type := IEEE-802 (10) eap: Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f (10) eap: Proxy-State = 0x3130 (10) eap: Class = 0x7374616666 (10) eap: Filter-Id = "staff" (10) eap: Tunnel-Private-Group-Id:0 = "1874" (10) eap: EAP-Message = 0x03170004 (10) eap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (10) eap: MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2 (10) eap: MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d (10) eap: Tunneled authentication was successful (10) eap: SUCCESS (10) eap: Saving tunneled attributes for later (10) eap: Reply was handled (10) eap: Sending EAP Request (code 1) ID 24 length 46 (10) eap: EAP session adding &reply:State = 0xafa7dc71a5bfc54b (10) [eap] = ok (10) update reply { (10) EXPAND %{control:locInner-User-Name} (10) --> user@example.com (10) &User-Name := user@example.com (10) } # update reply = noop (10) } # post-proxy = updated (10) } (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Sent Access-Challenge Id 10 from 127.0.0.1:1812 to 127.0.0.1:58298 length 129 (10) EAP-Message = 0x0118002e1900170303002364f52ed12ea54c9150459e4e53ee9a1964caff39307afe7fd675169c4441eb576e296d (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7 (10) User-Name := "user@example.com" (10) Finished request Thread 1 waiting to be assigned a request Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 11, (3 handled so far) (11) Received Access-Request Id 11 from 127.0.0.1:58298 to 127.0.0.1:1812 length 218 (11) User-Name = "anonymous@example.com" (11) NAS-IP-Address = 127.0.0.1 (11) Calling-Station-Id = "02-00-00-00-00-01" (11) Framed-MTU = 1400 (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Connect-Info = "CONNECT 11Mbps 802.11b" (11) Called-Station-Id = "11-22-33-44-55-66:eduroam" (11) EAP-Message = 0x0218002e1900170303002375b785dd798fea1648f80b27505bfdcc3aee84a9d6f597fb136533ecc2664fea510e2d (11) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7 (11) Message-Authenticator = 0xeeb433c0442a232b09f02b69f261123b (11) session-state: No cached attributes for server default (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default (11) authorize { (11) policy rewrite_called_station_id { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 11-22-33-44-55-66 (11) &Called-Station-Id := 11-22-33-44-55-66 (11) } # update request = noop (11) if ("%{8}") { (11) EXPAND %{8} (11) --> eduroam (11) if ("%{8}") -> TRUE (11) if ("%{8}") { (11) update request { (11) EXPAND %{8} (11) --> eduroam (11) &Called-Station-SSID := eduroam (11) EXPAND %{Called-Station-Id}:%{8} (11) --> 11-22-33-44-55-66:eduroam (11) &Called-Station-Id := 11-22-33-44-55-66:eduroam (11) } # update request = noop (11) } # if ("%{8}") = noop (11) [updated] = updated (11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_called_station_id = updated (11) policy rewrite_calling_station_id { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11) update request { (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (11) --> 02-00-00-00-00-01 (11) &Calling-Station-Id := 02-00-00-00-00-01 (11) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11) --> 02:00:00:00:00:01 (11) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01 (11) } # update request = noop (11) [updated] = updated (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (11) ... skipping else: Preceding "if" was taken (11) } # policy rewrite_calling_station_id = updated (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) EXPAND Packet-Src-IP-Address (11) --> 127.0.0.1 (11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (11) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (11) if (EAP-Message) { (11) if (EAP-Message) -> TRUE (11) if (EAP-Message) { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = updated (11) } # policy filter_username = updated (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com" (11) suffix: Found realm "EXAMPLE.COM" (11) suffix: Adding Realm = "EXAMPLE.COM" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) policy deny_no_realm { (11) if (User-Name && (User-Name !~ /@/)) { (11) if (User-Name && (User-Name !~ /@/)) -> FALSE (11) } # policy deny_no_realm = updated (11) update request { (11) EXPAND %{toupper:%{Realm}} (11) --> EXAMPLE.COM (11) Realm := EXAMPLE.COM (11) } # update request = noop (11) eap: Peer sent EAP Response (code 2) ID 24 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # if (EAP-Message) = ok (11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) Auth-Type eap { (11) eap: Removing EAP session with state 0xafa7dc71a5bfc54b (11) eap: Previous EAP request found for state 0xafa7dc71a5bfc54b, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) EAP Done initial handshake (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap_peap: Using saved attributes from the original Access-Accept (11) eap_peap: Tunnel-Type := VLAN (11) eap_peap: Tunnel-Medium-Type := IEEE-802 (11) eap_peap: Class = 0x7374616666 (11) eap_peap: Filter-Id = "staff" (11) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (11) eap_peap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (11) eap: Sending EAP Success (code 3) ID 24 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) if (handled && (Response-Packet-Type == Access-Challenge)) { (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (11) } # Auth-Type eap = ok (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (11) post-auth { (11) update control { (11) &Tmp-String-0 := "default > post-auth{}" (11) EXPAND %{control:locInner-User-Name} (11) --> (11) &Tmp-String-1 := (11) } # update control = noop (11) update { (11) No attributes updated for RHS &session-state (11) } # update = noop (11) if (Service-Type == Call-Check) { (11) if (Service-Type == Call-Check) -> FALSE (11) else { (11) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (11) 802.1x_auth_log: --> Sun Nov 9 10:57:40 2025 : AuthZ: (11) Access-Accept: [anonymous@example.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client localhost port 0 operator-name Unknown) (11) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (11) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (11) [802.1x_auth_log] = ok (11) } # else = ok (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # post-auth = ok (11) Login OK: [anonymous@example.com] (from client localhost port 0 cli 02-00-00-00-00-01) (11) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:58298 length 258 (11) Tunnel-Type := VLAN (11) Tunnel-Medium-Type := IEEE-802 (11) Class = 0x7374616666 (11) Filter-Id = "staff" (11) Tunnel-Private-Group-Id:0 = "1874" (11) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3 (11) MS-MPPE-Recv-Key = 0x9c49947d9239922ada70a14065fecc71f6487bda63c2f67f716bbe8a8dc2f9b3 (11) MS-MPPE-Send-Key = 0x9d0edd62febaf77bed0007c64bb759a21903395c4ecd9524717aeb8cfd3cd9bd (11) EAP-Message = 0x03180004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "anonymous@example.com" (11) Finished request
participants (2)
-
Alan DeKok -
Dominic Stalder