MSCHAP DC Server Authentication winbind reply failed
Hi FreeRADIUS! I'm trying to use FreeRADIUS with MSCHAP through a DC server. However, I'm getting an error like "winbind reply failed!" I'm running on OpenBSD 6.9. FreeRADIUS version: # /usr/local/sbin/radiusd -v | head -1 radiusd: FreeRADIUS Version 3.0.21, for host x86_64-unknown-openbsd6.9, built on Apr 20 2021 at 05:14:02 # My configuration is like that; ============= # cat /etc/samba/smb.conf [global] winbind use default domain = no security = ads netbios name = myhost workgroup = MYWORKGROUP realm = zz.example.com password server = zz.example.com ============== I joined the DC server successfully; # net join -U myadmin Using short domain name -- XX Joined 'YY' to dns domain 'zz.example.com' No DNS domain configured for myhost. Unable to perform DNS Update. ============= I can make challange based authentication with wbinfo; # wbinfo -a myuser%mypass plaintext password authentication failed Could not authenticate user myuser%mypass with plaintext password challenge/response password authentication succeeded # =============== And also with ntlm_auth; # ntlm_auth --request-nt-key --username myuser Password: myuser NT_STATUS_OK: The operation completed successfully. (0x0) # ================== I've created a user named "winbindd_priv" and added this user the _freeradius group to access winbind privileged socket from FreeRADIUS # cat /etc/group |grep winbind winbindd_priv:*:1000:_freeradius # ls -la /var/run/samba/winbindd* -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39 /var/run/samba/winbindd.pid /var/run/samba/winbindd: srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe # =================== I couldn't see anything wrong there, I followed the official documentation properly. I'm getting "winbind reply failed!" error anyway. The full output from radiusd -X; ====================== (0) Received Access-Request Id 25 from 172.100.0.60:49947 to 172.16.0.100:1812 length 338 (0) User-Name = "mypc-pc\\Administrator" (0) NAS-Port = 20497 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) Calling-Station-Id = "44a8-42f7-952d" (0) NAS-Identifier = "S5735_K6_SW1" (0) NAS-Port-Type = Ethernet (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (0) EAP-Message = 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72 (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e (0) Called-Station-Id = "44-67-47-26-F7-90" (0) NAS-IP-Address = 172.100.0.60 (0) Framed-MTU = 1500 (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (0) Huawei-Startup-Stamp = 1589932873 (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (0) Huawei-Connect-ID = 45 (0) Huawei-Version = "Huawei S5735" (0) Huawei-Product-ID = "S5735" (0) Huawei-User-Mac = "\000\000\000\001" (0) Huawei-Domain-Name = "default" (0) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (0) authorize { (0) update { (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (0) EXPAND --username=%{User-Name} (0) --> --username=mypc-pc\\Administrator (0) EXPAND --calledStationID=%{Called-Station-Id} (0) --> --calledStationID=44-67-47-26-F7-90 (0) EXPAND --callingStationID=%{Calling-Station-Id} (0) --> --callingStationID=44a8-42f7-952d (0) EXPAND --connectInfo=%{Connect-Info} (0) --> --connectInfo= (0) EXPAND --framedMTU=%{Framed-MTU} (0) --> --framedMTU=1500 (0) EXPAND --framedProtocol=%{Framed-Protocol} (0) --> --framedProtocol=PPP (0) EXPAND --nasIdentifier=%{NAS-Identifier} (0) --> --nasIdentifier=S5735_K6_SW1 (0) EXPAND --nasIPAddress=%{NAS-IP-Address} (0) --> --nasIPAddress=172.100.0.60 (0) EXPAND --nasPort=%{NAS-Port} (0) --> --nasPort=20497 (0) EXPAND --nasPortID=%{NAS-Port-Id} (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (0) EXPAND --nasPortType=%{NAS-Port-Type} (0) --> --nasPortType=Ethernet (0) EXPAND --serviceType=%{Service-Type} (0) --> --serviceType=Framed-User (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (0) --> --tunnelMediumType= (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (0) --> --tunnelPrivateGroupID= (0) EXPAND --tunnelType=%{Tunnel-Type} (0) --> --tunnelType= (0) Program returned code (0) and output 'Reply-Message :=""' (0) control::Reply-Message := (0) } # update = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 163 length 28 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 164 length 22 (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 25 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x06df9fcc067b9baa43639075ca7d333a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 26 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (1) User-Name = "mypc-pc\\Administrator" (1) NAS-Port = 20497 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = "44a8-42f7-952d" (1) NAS-Identifier = "S5735_K6_SW1" (1) NAS-Port-Type = Ethernet (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (1) State = 0x06df9fcc067b9baa43639075ca7d333a (1) EAP-Message = 0x02a400060319 (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c (1) Called-Station-Id = "44-67-47-26-F7-90" (1) Login-IP-Host = 0.0.0.0 (1) NAS-IP-Address = 172.100.0.60 (1) Framed-MTU = 1500 (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (1) Huawei-Startup-Stamp = 1589932873 (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (1) Huawei-Connect-ID = 45 (1) Huawei-Version = "Huawei S5735" (1) Huawei-Product-ID = "S5735" (1) Huawei-User-Mac = "\000\000\000\001" (1) Huawei-Domain-Name = "default" (1) session-state: No cached attributes (1) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (1) authorize { (1) update { (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (1) EXPAND --username=%{User-Name} (1) --> --username=mypc-pc\\Administrator (1) EXPAND --calledStationID=%{Called-Station-Id} (1) --> --calledStationID=44-67-47-26-F7-90 (1) EXPAND --callingStationID=%{Calling-Station-Id} (1) --> --callingStationID=44a8-42f7-952d (1) EXPAND --connectInfo=%{Connect-Info} (1) --> --connectInfo= (1) EXPAND --framedMTU=%{Framed-MTU} (1) --> --framedMTU=1500 (1) EXPAND --framedProtocol=%{Framed-Protocol} (1) --> --framedProtocol=PPP (1) EXPAND --nasIdentifier=%{NAS-Identifier} (1) --> --nasIdentifier=S5735_K6_SW1 (1) EXPAND --nasIPAddress=%{NAS-IP-Address} (1) --> --nasIPAddress=172.100.0.60 (1) EXPAND --nasPort=%{NAS-Port} (1) --> --nasPort=20497 (1) EXPAND --nasPortID=%{NAS-Port-Id} (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (1) EXPAND --nasPortType=%{NAS-Port-Type} (1) --> --nasPortType=Ethernet (1) EXPAND --serviceType=%{Service-Type} (1) --> --serviceType=Framed-User (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (1) --> --tunnelMediumType= (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (1) --> --tunnelPrivateGroupID= (1) EXPAND --tunnelType=%{Tunnel-Type} (1) --> --tunnelType= (1) Program returned code (0) and output 'Reply-Message :=""' (1) control::Reply-Message := (1) } # update = noop (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = noop (1) } # policy filter_username = noop (1) [preprocess] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 164 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa (1) eap: Finished EAP session with state 0x06df9fcc067b9baa (1) eap: Previous EAP request found for state 0x06df9fcc067b9baa, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 165 length 6 (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 26 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (1) EAP-Message = 0x01a500061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x06df9fcc077a86aa43639075ca7d333a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 27 from 172.100.0.60:49947 to 172.16.0.100:1812 length 447 (2) User-Name = "mypc-pc\\Administrator" (2) NAS-Port = 20497 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = "44a8-42f7-952d" (2) NAS-Identifier = "S5735_K6_SW1" (2) NAS-Port-Type = Ethernet (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (2) State = 0x06df9fcc077a86aa43639075ca7d333a (2) EAP-Message = 0x02a5007119800000006716030100620100005e030160d0e32a6722bce31595a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100 (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0 (2) Called-Station-Id = "44-67-47-26-F7-90" (2) Login-IP-Host = 0.0.0.0 (2) NAS-IP-Address = 172.100.0.60 (2) Framed-MTU = 1500 (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (2) Huawei-Startup-Stamp = 1589932873 (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (2) Huawei-Connect-ID = 45 (2) Huawei-Version = "Huawei S5735" (2) Huawei-Product-ID = "S5735" (2) Huawei-User-Mac = "\000\000\000\001" (2) Huawei-Domain-Name = "default" (2) session-state: No cached attributes (2) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (2) authorize { (2) update { (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (2) EXPAND --username=%{User-Name} (2) --> --username=mypc-pc\\Administrator (2) EXPAND --calledStationID=%{Called-Station-Id} (2) --> --calledStationID=44-67-47-26-F7-90 (2) EXPAND --callingStationID=%{Calling-Station-Id} (2) --> --callingStationID=44a8-42f7-952d (2) EXPAND --connectInfo=%{Connect-Info} (2) --> --connectInfo= (2) EXPAND --framedMTU=%{Framed-MTU} (2) --> --framedMTU=1500 (2) EXPAND --framedProtocol=%{Framed-Protocol} (2) --> --framedProtocol=PPP (2) EXPAND --nasIdentifier=%{NAS-Identifier} (2) --> --nasIdentifier=S5735_K6_SW1 (2) EXPAND --nasIPAddress=%{NAS-IP-Address} (2) --> --nasIPAddress=172.100.0.60 (2) EXPAND --nasPort=%{NAS-Port} (2) --> --nasPort=20497 (2) EXPAND --nasPortID=%{NAS-Port-Id} (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (2) EXPAND --nasPortType=%{NAS-Port-Type} (2) --> --nasPortType=Ethernet (2) EXPAND --serviceType=%{Service-Type} (2) --> --serviceType=Framed-User (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (2) --> --tunnelMediumType= (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (2) --> --tunnelPrivateGroupID= (2) EXPAND --tunnelType=%{Tunnel-Type} (2) --> --tunnelType= (2) Program returned code (0) and output 'Reply-Message :=""' (2) control::Reply-Message := (2) } # update = noop (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = noop (2) } # policy filter_username = noop (2) [preprocess] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 165 length 113 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa (2) eap: Finished EAP session with state 0x06df9fcc077a86aa (2) eap: Previous EAP request found for state 0x06df9fcc077a86aa, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes (2) eap_peap: Got complete TLS record (103 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before accept initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 2687 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 166 length 1004 (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 27 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (2) EAP-Message = 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01000100000b0002010016030108e50b0008e10008de0003e8308203e4308202cca003020102020101300d06092a864886f70d01010b0500308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e5061727461204e6574776f726b733120301e06092a864886f70d0109011611696e666f4070617274612e636f6d2e7472312d302b06035504030c245061727461204e6574776f726b7320436572746966696361746520417574686f72697479301e170d3230303333313131323930385a170d3330303332393131323930385a308182310b3009060355040613025452310e300c06035504080c05495a4d495231173015060355040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x06df9fcc047986aa43639075ca7d333a (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 28 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (3) User-Name = "mypc-pc\\Administrator" (3) NAS-Port = 20497 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = "44a8-42f7-952d" (3) NAS-Identifier = "S5735_K6_SW1" (3) NAS-Port-Type = Ethernet (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (3) State = 0x06df9fcc047986aa43639075ca7d333a (3) EAP-Message = 0x02a600061900 (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a (3) Called-Station-Id = "44-67-47-26-F7-90" (3) Login-IP-Host = 0.0.0.0 (3) NAS-IP-Address = 172.100.0.60 (3) Framed-MTU = 1500 (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (3) Huawei-Startup-Stamp = 1589932873 (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (3) Huawei-Connect-ID = 45 (3) Huawei-Version = "Huawei S5735" (3) Huawei-Product-ID = "S5735" (3) Huawei-User-Mac = "\000\000\000\001" (3) Huawei-Domain-Name = "default" (3) session-state: No cached attributes (3) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (3) authorize { (3) update { (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (3) EXPAND --username=%{User-Name} (3) --> --username=mypc-pc\\Administrator (3) EXPAND --calledStationID=%{Called-Station-Id} (3) --> --calledStationID=44-67-47-26-F7-90 (3) EXPAND --callingStationID=%{Calling-Station-Id} (3) --> --callingStationID=44a8-42f7-952d (3) EXPAND --connectInfo=%{Connect-Info} (3) --> --connectInfo= (3) EXPAND --framedMTU=%{Framed-MTU} (3) --> --framedMTU=1500 (3) EXPAND --framedProtocol=%{Framed-Protocol} (3) --> --framedProtocol=PPP (3) EXPAND --nasIdentifier=%{NAS-Identifier} (3) --> --nasIdentifier=S5735_K6_SW1 (3) EXPAND --nasIPAddress=%{NAS-IP-Address} (3) --> --nasIPAddress=172.100.0.60 (3) EXPAND --nasPort=%{NAS-Port} (3) --> --nasPort=20497 (3) EXPAND --nasPortID=%{NAS-Port-Id} (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (3) EXPAND --nasPortType=%{NAS-Port-Type} (3) --> --nasPortType=Ethernet (3) EXPAND --serviceType=%{Service-Type} (3) --> --serviceType=Framed-User (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (3) --> --tunnelMediumType= (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (3) --> --tunnelPrivateGroupID= (3) EXPAND --tunnelType=%{Tunnel-Type} (3) --> --tunnelType= (3) Program returned code (0) and output 'Reply-Message :=""' (3) control::Reply-Message := (3) } # update = noop (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = noop (3) } # policy filter_username = noop (3) [preprocess] = ok (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 166 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x06df9fcc047986aa (3) eap: Finished EAP session with state 0x06df9fcc047986aa (3) eap: Previous EAP request found for state 0x06df9fcc047986aa, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 167 length 1000 (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 28 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (3) EAP-Message = 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbdfd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0fa9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f0308204ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f70d01010b0500308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e5061727461204e6574776f726b733120301e06092a864886f70d0109011611696e666f4070617274612e636f6d2e7472312d302b06035504030c245061727461204e6574776f726b7320436572746966696361746520417574686f72697479301e170d3230303333313131323930385a170d3330303332393131323930385a308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x06df9fcc057886aa43639075ca7d333a (3) Finished request Waking up in 4.7 seconds. (4) Received Access-Request Id 29 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (4) User-Name = "mypc-pc\\Administrator" (4) NAS-Port = 20497 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = "44a8-42f7-952d" (4) NAS-Identifier = "S5735_K6_SW1" (4) NAS-Port-Type = Ethernet (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (4) State = 0x06df9fcc057886aa43639075ca7d333a (4) EAP-Message = 0x02a700061900 (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4 (4) Called-Station-Id = "44-67-47-26-F7-90" (4) Login-IP-Host = 0.0.0.0 (4) NAS-IP-Address = 172.100.0.60 (4) Framed-MTU = 1500 (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (4) Huawei-Startup-Stamp = 1589932873 (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (4) Huawei-Connect-ID = 45 (4) Huawei-Version = "Huawei S5735" (4) Huawei-Product-ID = "S5735" (4) Huawei-User-Mac = "\000\000\000\001" (4) Huawei-Domain-Name = "default" (4) session-state: No cached attributes (4) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (4) authorize { (4) update { (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (4) EXPAND --username=%{User-Name} (4) --> --username=mypc-pc\\Administrator (4) EXPAND --calledStationID=%{Called-Station-Id} (4) --> --calledStationID=44-67-47-26-F7-90 (4) EXPAND --callingStationID=%{Calling-Station-Id} (4) --> --callingStationID=44a8-42f7-952d (4) EXPAND --connectInfo=%{Connect-Info} (4) --> --connectInfo= (4) EXPAND --framedMTU=%{Framed-MTU} (4) --> --framedMTU=1500 (4) EXPAND --framedProtocol=%{Framed-Protocol} (4) --> --framedProtocol=PPP (4) EXPAND --nasIdentifier=%{NAS-Identifier} (4) --> --nasIdentifier=S5735_K6_SW1 (4) EXPAND --nasIPAddress=%{NAS-IP-Address} (4) --> --nasIPAddress=172.100.0.60 (4) EXPAND --nasPort=%{NAS-Port} (4) --> --nasPort=20497 (4) EXPAND --nasPortID=%{NAS-Port-Id} (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (4) EXPAND --nasPortType=%{NAS-Port-Type} (4) --> --nasPortType=Ethernet (4) EXPAND --serviceType=%{Service-Type} (4) --> --serviceType=Framed-User (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (4) --> --tunnelMediumType= (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (4) --> --tunnelPrivateGroupID= (4) EXPAND --tunnelType=%{Tunnel-Type} (4) --> --tunnelType= (4) Program returned code (0) and output 'Reply-Message :=""' (4) control::Reply-Message := (4) } # update = noop (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = noop (4) } # policy filter_username = noop (4) [preprocess] = ok (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 167 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x06df9fcc057886aa (4) eap: Finished EAP session with state 0x06df9fcc057886aa (4) eap: Previous EAP request found for state 0x06df9fcc057886aa, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 168 length 705 (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 29 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (4) EAP-Message = 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e70617274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6dc2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a570981656b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f162fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e754623748cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x06df9fcc027786aa43639075ca7d333a (4) Finished request Waking up in 4.6 seconds. (5) Received Access-Request Id 30 from 172.100.0.60:49947 to 172.16.0.100:1812 length 478 (5) User-Name = "mypc-pc\\Administrator" (5) NAS-Port = 20497 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = "44a8-42f7-952d" (5) NAS-Identifier = "S5735_K6_SW1" (5) NAS-Port-Type = Ethernet (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (5) State = 0x06df9fcc027786aa43639075ca7d333a (5) EAP-Message = 0x02a800901980000000861603010046100000424104c7b577ecf031abd558556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f199787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598daef254ac64514ddef71c035306cdc1fea1cbdd58dcce (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9 (5) Called-Station-Id = "44-67-47-26-F7-90" (5) Login-IP-Host = 0.0.0.0 (5) NAS-IP-Address = 172.100.0.60 (5) Framed-MTU = 1500 (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (5) Huawei-Startup-Stamp = 1589932873 (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (5) Huawei-Connect-ID = 45 (5) Huawei-Version = "Huawei S5735" (5) Huawei-Product-ID = "S5735" (5) Huawei-User-Mac = "\000\000\000\001" (5) Huawei-Domain-Name = "default" (5) session-state: No cached attributes (5) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (5) authorize { (5) update { (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (5) EXPAND --username=%{User-Name} (5) --> --username=mypc-pc\\Administrator (5) EXPAND --calledStationID=%{Called-Station-Id} (5) --> --calledStationID=44-67-47-26-F7-90 (5) EXPAND --callingStationID=%{Calling-Station-Id} (5) --> --callingStationID=44a8-42f7-952d (5) EXPAND --connectInfo=%{Connect-Info} (5) --> --connectInfo= (5) EXPAND --framedMTU=%{Framed-MTU} (5) --> --framedMTU=1500 (5) EXPAND --framedProtocol=%{Framed-Protocol} (5) --> --framedProtocol=PPP (5) EXPAND --nasIdentifier=%{NAS-Identifier} (5) --> --nasIdentifier=S5735_K6_SW1 (5) EXPAND --nasIPAddress=%{NAS-IP-Address} (5) --> --nasIPAddress=172.100.0.60 (5) EXPAND --nasPort=%{NAS-Port} (5) --> --nasPort=20497 (5) EXPAND --nasPortID=%{NAS-Port-Id} (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (5) EXPAND --nasPortType=%{NAS-Port-Type} (5) --> --nasPortType=Ethernet (5) EXPAND --serviceType=%{Service-Type} (5) --> --serviceType=Framed-User (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (5) --> --tunnelMediumType= (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (5) --> --tunnelPrivateGroupID= (5) EXPAND --tunnelType=%{Tunnel-Type} (5) --> --tunnelType= (5) Program returned code (0) and output 'Reply-Message :=""' (5) control::Reply-Message := (5) } # update = noop (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = noop (5) } # policy filter_username = noop (5) [preprocess] = ok (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 168 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x06df9fcc027786aa (5) eap: Finished EAP session with state 0x06df9fcc027786aa (5) eap: Previous EAP request found for state 0x06df9fcc027786aa, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes (5) eap_peap: Got complete TLS record (134 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: TLS - Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) eap_peap: TLS-Session-Version = "TLS 1.0" (5) eap_peap: TLS - got 59 bytes of data (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 169 length 65 (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) TLS-Session-Version = "TLS 1.0" (5) Sent Access-Challenge Id 30 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (5) EAP-Message = 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980adbe6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06df9fcc037686aa43639075ca7d333a (5) Finished request Waking up in 4.6 seconds. (6) Received Access-Request Id 31 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (6) User-Name = "mypc-pc\\Administrator" (6) NAS-Port = 20497 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = "44a8-42f7-952d" (6) NAS-Identifier = "S5735_K6_SW1" (6) NAS-Port-Type = Ethernet (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (6) State = 0x06df9fcc037686aa43639075ca7d333a (6) EAP-Message = 0x02a900061900 (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe (6) Called-Station-Id = "44-67-47-26-F7-90" (6) Login-IP-Host = 0.0.0.0 (6) NAS-IP-Address = 172.100.0.60 (6) Framed-MTU = 1500 (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (6) Huawei-Startup-Stamp = 1589932873 (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (6) Huawei-Connect-ID = 45 (6) Huawei-Version = "Huawei S5735" (6) Huawei-Product-ID = "S5735" (6) Huawei-User-Mac = "\000\000\000\001" (6) Huawei-Domain-Name = "default" (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.0" (6) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (6) authorize { (6) update { (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (6) EXPAND --username=%{User-Name} (6) --> --username=mypc-pc\\Administrator (6) EXPAND --calledStationID=%{Called-Station-Id} (6) --> --calledStationID=44-67-47-26-F7-90 (6) EXPAND --callingStationID=%{Calling-Station-Id} (6) --> --callingStationID=44a8-42f7-952d (6) EXPAND --connectInfo=%{Connect-Info} (6) --> --connectInfo= (6) EXPAND --framedMTU=%{Framed-MTU} (6) --> --framedMTU=1500 (6) EXPAND --framedProtocol=%{Framed-Protocol} (6) --> --framedProtocol=PPP (6) EXPAND --nasIdentifier=%{NAS-Identifier} (6) --> --nasIdentifier=S5735_K6_SW1 (6) EXPAND --nasIPAddress=%{NAS-IP-Address} (6) --> --nasIPAddress=172.100.0.60 (6) EXPAND --nasPort=%{NAS-Port} (6) --> --nasPort=20497 (6) EXPAND --nasPortID=%{NAS-Port-Id} (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (6) EXPAND --nasPortType=%{NAS-Port-Type} (6) --> --nasPortType=Ethernet (6) EXPAND --serviceType=%{Service-Type} (6) --> --serviceType=Framed-User (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (6) --> --tunnelMediumType= (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (6) --> --tunnelPrivateGroupID= (6) EXPAND --tunnelType=%{Tunnel-Type} (6) --> --tunnelType= (6) Program returned code (0) and output 'Reply-Message :=""' (6) control::Reply-Message := (6) } # update = noop (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) [preprocess] = ok (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 169 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x06df9fcc037686aa (6) eap: Finished EAP session with state 0x06df9fcc037686aa (6) eap: Previous EAP request found for state 0x06df9fcc037686aa, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 170 length 43 (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) TLS-Session-Version = "TLS 1.0" (6) Sent Access-Challenge Id 31 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (6) EAP-Message = 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406708676f7c33e1183170f61d947 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x06df9fcc007586aa43639075ca7d333a (6) Finished request Waking up in 4.5 seconds. (7) Received Access-Request Id 32 from 172.100.0.60:49947 to 172.16.0.100:1812 length 393 (7) User-Name = "mypc-pc\\Administrator" (7) NAS-Port = 20497 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = "44a8-42f7-952d" (7) NAS-Identifier = "S5735_K6_SW1" (7) NAS-Port-Type = Ethernet (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (7) State = 0x06df9fcc007586aa43639075ca7d333a (7) EAP-Message = 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b227033be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77 (7) Called-Station-Id = "44-67-47-26-F7-90" (7) Login-IP-Host = 0.0.0.0 (7) NAS-IP-Address = 172.100.0.60 (7) Framed-MTU = 1500 (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (7) Huawei-Startup-Stamp = 1589932873 (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (7) Huawei-Connect-ID = 45 (7) Huawei-Version = "Huawei S5735" (7) Huawei-Product-ID = "S5735" (7) Huawei-User-Mac = "\000\000\000\001" (7) Huawei-Domain-Name = "default" (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.0" (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) EXPAND --calledStationID=%{Called-Station-Id} (7) --> --calledStationID=44-67-47-26-F7-90 (7) EXPAND --callingStationID=%{Calling-Station-Id} (7) --> --callingStationID=44a8-42f7-952d (7) EXPAND --connectInfo=%{Connect-Info} (7) --> --connectInfo= (7) EXPAND --framedMTU=%{Framed-MTU} (7) --> --framedMTU=1500 (7) EXPAND --framedProtocol=%{Framed-Protocol} (7) --> --framedProtocol=PPP (7) EXPAND --nasIdentifier=%{NAS-Identifier} (7) --> --nasIdentifier=S5735_K6_SW1 (7) EXPAND --nasIPAddress=%{NAS-IP-Address} (7) --> --nasIPAddress=172.100.0.60 (7) EXPAND --nasPort=%{NAS-Port} (7) --> --nasPort=20497 (7) EXPAND --nasPortID=%{NAS-Port-Id} (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (7) EXPAND --nasPortType=%{NAS-Port-Type} (7) --> --nasPortType=Ethernet (7) EXPAND --serviceType=%{Service-Type} (7) --> --serviceType=Framed-User (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (7) --> --tunnelMediumType= (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (7) --> --tunnelPrivateGroupID= (7) EXPAND --tunnelType=%{Tunnel-Type} (7) --> --tunnelType= (7) Program returned code (0) and output 'Reply-Message :=""' (7) control::Reply-Message := (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [preprocess] = ok (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 59 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x06df9fcc007586aa (7) eap: Finished EAP session with state 0x06df9fcc007586aa (7) eap: Previous EAP request found for state 0x06df9fcc007586aa, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - mypc-pc\Administrator (7) eap_peap: Got inner identity 'mypc-pc\Administrator' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: Setting User-Name to mypc-pc\Administrator (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "mypc-pc\\Administrator" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "mypc-pc\\Administrator" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) Program returned code (0) and output 'Idle-Timeout := "30"' (7) reply::Idle-Timeout := 30 (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 28 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 43 (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Idle-Timeout := 30 (7) EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 75 (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) TLS-Session-Version = "TLS 1.0" (7) Sent Access-Challenge Id 32 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (7) EAP-Message = 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584277bbb9e717bf568d0b7c39b9b21 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x06df9fcc017486aa43639075ca7d333a (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 33 from 172.100.0.60:49947 to 172.16.0.100:1812 length 441 (8) User-Name = "mypc-pc\\Administrator" (8) NAS-Port = 20497 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = "44a8-42f7-952d" (8) NAS-Identifier = "S5735_K6_SW1" (8) NAS-Port-Type = Ethernet (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (8) State = 0x06df9fcc017486aa43639075ca7d333a (8) EAP-Message = 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22e8f68156c08b94226c0358519793f0 (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc (8) Called-Station-Id = "44-67-47-26-F7-90" (8) Login-IP-Host = 0.0.0.0 (8) NAS-IP-Address = 172.100.0.60 (8) Framed-MTU = 1500 (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (8) Huawei-Startup-Stamp = 1589932873 (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (8) Huawei-Connect-ID = 45 (8) Huawei-Version = "Huawei S5735" (8) Huawei-Product-ID = "S5735" (8) Huawei-User-Mac = "\000\000\000\001" (8) Huawei-Domain-Name = "default" (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) &session-state:TLS-Session-Version = "TLS 1.0" (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) EXPAND --calledStationID=%{Called-Station-Id} (8) --> --calledStationID=44-67-47-26-F7-90 (8) EXPAND --callingStationID=%{Calling-Station-Id} (8) --> --callingStationID=44a8-42f7-952d (8) EXPAND --connectInfo=%{Connect-Info} (8) --> --connectInfo= (8) EXPAND --framedMTU=%{Framed-MTU} (8) --> --framedMTU=1500 (8) EXPAND --framedProtocol=%{Framed-Protocol} (8) --> --framedProtocol=PPP (8) EXPAND --nasIdentifier=%{NAS-Identifier} (8) --> --nasIdentifier=S5735_K6_SW1 (8) EXPAND --nasIPAddress=%{NAS-IP-Address} (8) --> --nasIPAddress=172.100.0.60 (8) EXPAND --nasPort=%{NAS-Port} (8) --> --nasPort=20497 (8) EXPAND --nasPortID=%{NAS-Port-Id} (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (8) EXPAND --nasPortType=%{NAS-Port-Type} (8) --> --nasPortType=Ethernet (8) EXPAND --serviceType=%{Service-Type} (8) --> --serviceType=Framed-User (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (8) --> --tunnelMediumType= (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (8) --> --tunnelPrivateGroupID= (8) EXPAND --tunnelType=%{Tunnel-Type} (8) --> --tunnelType= (8) Program returned code (0) and output 'Reply-Message :=""' (8) control::Reply-Message := (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [preprocess] = ok (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0x06df9fcc017486aa (8) eap: Previous EAP request found for state 0x06df9fcc017486aa, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72 (8) eap_peap: Setting User-Name to mypc-pc\Administrator (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "mypc-pc\\Administrator" (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "mypc-pc\\Administrator" (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) Program returned code (0) and output 'Idle-Timeout := "30"' (8) reply::Idle-Timeout := 30 (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 72 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a (8) eap: Previous EAP request found for state 0xb29197b0b23a8d1a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (8) mschap: --> --username=Administrator (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=54f8ede55f4a4abb (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55 (8) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001) (8) mschap: Authentication failed (8) eap_mschapv2: [mschap] = fail (8) eap_mschapv2: } # authenticate = fail (8) eap: Sending EAP Failure (code 4) ID 171 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> mypc-pc\\Administrator (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'Reading winbind reply failed! (0xc0000001)\'' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) EAP-Message = 0x04ab0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 172 length 43 (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) TLS-Session-Version = "TLS 1.0" (8) Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (8) Sent Access-Challenge Id 33 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (8) EAP-Message = 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f8246a377c0748067abbfc703e7f7 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x06df9fcc0e7386aa43639075ca7d333a (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 34 from 172.100.0.60:49947 to 172.16.0.100:1812 length 377 (9) User-Name = "mypc-pc\\Administrator" (9) NAS-Port = 20497 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = "44a8-42f7-952d" (9) NAS-Identifier = "S5735_K6_SW1" (9) NAS-Port-Type = Ethernet (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (9) State = 0x06df9fcc0e7386aa43639075ca7d333a (9) EAP-Message = 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de661047ec0e47760dd1c38e3479ce (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e (9) Called-Station-Id = "44-67-47-26-F7-90" (9) Login-IP-Host = 0.0.0.0 (9) NAS-IP-Address = 172.100.0.60 (9) Framed-MTU = 1500 (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (9) Huawei-Startup-Stamp = 1589932873 (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (9) Huawei-Connect-ID = 45 (9) Huawei-Version = "Huawei S5735" (9) Huawei-Product-ID = "S5735" (9) Huawei-User-Mac = "\000\000\000\001" (9) Huawei-Domain-Name = "default" (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (9) &session-state:TLS-Session-Version = "TLS 1.0" (9) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (9) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (9) authorize { (9) update { (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (9) EXPAND --username=%{User-Name} (9) --> --username=mypc-pc\\Administrator (9) EXPAND --calledStationID=%{Called-Station-Id} (9) --> --calledStationID=44-67-47-26-F7-90 (9) EXPAND --callingStationID=%{Calling-Station-Id} (9) --> --callingStationID=44a8-42f7-952d (9) EXPAND --connectInfo=%{Connect-Info} (9) --> --connectInfo= (9) EXPAND --framedMTU=%{Framed-MTU} (9) --> --framedMTU=1500 (9) EXPAND --framedProtocol=%{Framed-Protocol} (9) --> --framedProtocol=PPP (9) EXPAND --nasIdentifier=%{NAS-Identifier} (9) --> --nasIdentifier=S5735_K6_SW1 (9) EXPAND --nasIPAddress=%{NAS-IP-Address} (9) --> --nasIPAddress=172.100.0.60 (9) EXPAND --nasPort=%{NAS-Port} (9) --> --nasPort=20497 (9) EXPAND --nasPortID=%{NAS-Port-Id} (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (9) EXPAND --nasPortType=%{NAS-Port-Type} (9) --> --nasPortType=Ethernet (9) EXPAND --serviceType=%{Service-Type} (9) --> --serviceType=Framed-User (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (9) --> --tunnelMediumType= (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (9) --> --tunnelPrivateGroupID= (9) EXPAND --tunnelType=%{Tunnel-Type} (9) --> --tunnelType= (9) Program returned code (0) and output 'Reply-Message :=""' (9) control::Reply-Message := (9) } # update = noop (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = noop (9) } # policy filter_username = noop (9) [preprocess] = ok (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 172 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa (9) eap: Previous EAP request found for state 0x06df9fcc0e7386aa, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 172 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> mypc-pc\\Administrator (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 34 from 172.16.0.100:1812 to 172.100.0.60:49947 length 44 (9) EAP-Message = 0x04ac0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.3 seconds.
I think you should fix your samba setup first. Your smb.conf is not correctly setup and without that being correctly ntlm_auth is not going to work in free radius Read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member And read : https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di... For FreeRadius and auth only, RID (or autorid) setup is sufficient Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Vertigo Altair Verzonden: maandag 21 juni 2021 21:26 Aan: FreeRadius users mailing list Onderwerp: MSCHAP DC Server Authentication winbind reply failed
Hi FreeRADIUS!
I'm trying to use FreeRADIUS with MSCHAP through a DC server. However, I'm getting an error like "winbind reply failed!"
I'm running on OpenBSD 6.9.
FreeRADIUS version:
# /usr/local/sbin/radiusd -v | head -1 radiusd: FreeRADIUS Version 3.0.21, for host x86_64-unknown-openbsd6.9, built on Apr 20 2021 at 05:14:02 #
My configuration is like that;
=============
# cat /etc/samba/smb.conf [global]
winbind use default domain = no security = ads netbios name = myhost workgroup = MYWORKGROUP realm = zz.example.com password server = zz.example.com
==============
I joined the DC server successfully;
# net join -U myadmin Using short domain name -- XX Joined 'YY' to dns domain 'zz.example.com' No DNS domain configured for myhost. Unable to perform DNS Update.
============= I can make challange based authentication with wbinfo;
# wbinfo -a myuser%mypass plaintext password authentication failed <<< FAIL Could not authenticate user myuser%mypass with plaintext password challenge/response password authentication succeeded #
===============
And also with ntlm_auth;
# ntlm_auth --request-nt-key --username myuser Password: myuser NT_STATUS_OK: The operation completed successfully. (0x0) #
==================
I've created a user named "winbindd_priv" and added this user the _freeradius group to access winbind privileged socket from FreeRADIUS
# cat /etc/group |grep winbind winbindd_priv:*:1000:_freeradius
# ls -la /var/run/samba/winbindd* -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39 /var/run/samba/winbindd.pid
/var/run/samba/winbindd: srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe #
===================
I couldn't see anything wrong there, I followed the official documentation properly. I'm getting "winbind reply failed!" error anyway.
The full output from radiusd -X;
======================
(0) Received Access-Request Id 25 from 172.100.0.60:49947 to 172.16.0.100:1812 length 338 (0) User-Name = "mypc-pc\\Administrator" (0) NAS-Port = 20497 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) Calling-Station-Id = "44a8-42f7-952d" (0) NAS-Identifier = "S5735_K6_SW1" (0) NAS-Port-Type = Ethernet (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (0) EAP-Message = 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72 (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e (0) Called-Station-Id = "44-67-47-26-F7-90" (0) NAS-IP-Address = 172.100.0.60 (0) Framed-MTU = 1500 (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (0) Huawei-Startup-Stamp = 1589932873 (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (0) Huawei-Connect-ID = 45 (0) Huawei-Version = "Huawei S5735" (0) Huawei-Product-ID = "S5735" (0) Huawei-User-Mac = "\000\000\000\001" (0) Huawei-Domain-Name = "default" (0) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (0) authorize { (0) update { (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (0) EXPAND --username=%{User-Name} (0) --> --username=mypc-pc\\Administrator (0) EXPAND --calledStationID=%{Called-Station-Id} (0) --> --calledStationID=44-67-47-26-F7-90 (0) EXPAND --callingStationID=%{Calling-Station-Id} (0) --> --callingStationID=44a8-42f7-952d (0) EXPAND --connectInfo=%{Connect-Info} (0) --> --connectInfo= (0) EXPAND --framedMTU=%{Framed-MTU} (0) --> --framedMTU=1500 (0) EXPAND --framedProtocol=%{Framed-Protocol} (0) --> --framedProtocol=PPP (0) EXPAND --nasIdentifier=%{NAS-Identifier} (0) --> --nasIdentifier=S5735_K6_SW1 (0) EXPAND --nasIPAddress=%{NAS-IP-Address} (0) --> --nasIPAddress=172.100.0.60 (0) EXPAND --nasPort=%{NAS-Port} (0) --> --nasPort=20497 (0) EXPAND --nasPortID=%{NAS-Port-Id} (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (0) EXPAND --nasPortType=%{NAS-Port-Type} (0) --> --nasPortType=Ethernet (0) EXPAND --serviceType=%{Service-Type} (0) --> --serviceType=Framed-User (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (0) --> --tunnelMediumType= (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (0) --> --tunnelPrivateGroupID= (0) EXPAND --tunnelType=%{Tunnel-Type} (0) --> --tunnelType= (0) Program returned code (0) and output 'Reply-Message :=""' (0) control::Reply-Message := (0) } # update = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 163 length 28 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 164 length 22 (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 25 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x06df9fcc067b9baa43639075ca7d333a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 26 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (1) User-Name = "mypc-pc\\Administrator" (1) NAS-Port = 20497 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = "44a8-42f7-952d" (1) NAS-Identifier = "S5735_K6_SW1" (1) NAS-Port-Type = Ethernet (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (1) State = 0x06df9fcc067b9baa43639075ca7d333a (1) EAP-Message = 0x02a400060319 (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c (1) Called-Station-Id = "44-67-47-26-F7-90" (1) Login-IP-Host = 0.0.0.0 (1) NAS-IP-Address = 172.100.0.60 (1) Framed-MTU = 1500 (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (1) Huawei-Startup-Stamp = 1589932873 (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (1) Huawei-Connect-ID = 45 (1) Huawei-Version = "Huawei S5735" (1) Huawei-Product-ID = "S5735" (1) Huawei-User-Mac = "\000\000\000\001" (1) Huawei-Domain-Name = "default" (1) session-state: No cached attributes (1) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (1) authorize { (1) update { (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (1) EXPAND --username=%{User-Name} (1) --> --username=mypc-pc\\Administrator (1) EXPAND --calledStationID=%{Called-Station-Id} (1) --> --calledStationID=44-67-47-26-F7-90 (1) EXPAND --callingStationID=%{Calling-Station-Id} (1) --> --callingStationID=44a8-42f7-952d (1) EXPAND --connectInfo=%{Connect-Info} (1) --> --connectInfo= (1) EXPAND --framedMTU=%{Framed-MTU} (1) --> --framedMTU=1500 (1) EXPAND --framedProtocol=%{Framed-Protocol} (1) --> --framedProtocol=PPP (1) EXPAND --nasIdentifier=%{NAS-Identifier} (1) --> --nasIdentifier=S5735_K6_SW1 (1) EXPAND --nasIPAddress=%{NAS-IP-Address} (1) --> --nasIPAddress=172.100.0.60 (1) EXPAND --nasPort=%{NAS-Port} (1) --> --nasPort=20497 (1) EXPAND --nasPortID=%{NAS-Port-Id} (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (1) EXPAND --nasPortType=%{NAS-Port-Type} (1) --> --nasPortType=Ethernet (1) EXPAND --serviceType=%{Service-Type} (1) --> --serviceType=Framed-User (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (1) --> --tunnelMediumType= (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (1) --> --tunnelPrivateGroupID= (1) EXPAND --tunnelType=%{Tunnel-Type} (1) --> --tunnelType= (1) Program returned code (0) and output 'Reply-Message :=""' (1) control::Reply-Message := (1) } # update = noop (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = noop (1) } # policy filter_username = noop (1) [preprocess] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 164 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa (1) eap: Finished EAP session with state 0x06df9fcc067b9baa (1) eap: Previous EAP request found for state 0x06df9fcc067b9baa, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 165 length 6 (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 26 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (1) EAP-Message = 0x01a500061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x06df9fcc077a86aa43639075ca7d333a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 27 from 172.100.0.60:49947 to 172.16.0.100:1812 length 447 (2) User-Name = "mypc-pc\\Administrator" (2) NAS-Port = 20497 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = "44a8-42f7-952d" (2) NAS-Identifier = "S5735_K6_SW1" (2) NAS-Port-Type = Ethernet (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (2) State = 0x06df9fcc077a86aa43639075ca7d333a (2) EAP-Message = 0x02a5007119800000006716030100620100005e030160d0e32a6722bce315 95a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c01300 3900330035002fc00ac00900380032000a00130005000401000019000a0006 000400170018000b0002010000170000ff01000100 (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0 (2) Called-Station-Id = "44-67-47-26-F7-90" (2) Login-IP-Host = 0.0.0.0 (2) NAS-IP-Address = 172.100.0.60 (2) Framed-MTU = 1500 (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (2) Huawei-Startup-Stamp = 1589932873 (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (2) Huawei-Connect-ID = 45 (2) Huawei-Version = "Huawei S5735" (2) Huawei-Product-ID = "S5735" (2) Huawei-User-Mac = "\000\000\000\001" (2) Huawei-Domain-Name = "default" (2) session-state: No cached attributes (2) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (2) authorize { (2) update { (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (2) EXPAND --username=%{User-Name} (2) --> --username=mypc-pc\\Administrator (2) EXPAND --calledStationID=%{Called-Station-Id} (2) --> --calledStationID=44-67-47-26-F7-90 (2) EXPAND --callingStationID=%{Calling-Station-Id} (2) --> --callingStationID=44a8-42f7-952d (2) EXPAND --connectInfo=%{Connect-Info} (2) --> --connectInfo= (2) EXPAND --framedMTU=%{Framed-MTU} (2) --> --framedMTU=1500 (2) EXPAND --framedProtocol=%{Framed-Protocol} (2) --> --framedProtocol=PPP (2) EXPAND --nasIdentifier=%{NAS-Identifier} (2) --> --nasIdentifier=S5735_K6_SW1 (2) EXPAND --nasIPAddress=%{NAS-IP-Address} (2) --> --nasIPAddress=172.100.0.60 (2) EXPAND --nasPort=%{NAS-Port} (2) --> --nasPort=20497 (2) EXPAND --nasPortID=%{NAS-Port-Id} (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (2) EXPAND --nasPortType=%{NAS-Port-Type} (2) --> --nasPortType=Ethernet (2) EXPAND --serviceType=%{Service-Type} (2) --> --serviceType=Framed-User (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (2) --> --tunnelMediumType= (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (2) --> --tunnelPrivateGroupID= (2) EXPAND --tunnelType=%{Tunnel-Type} (2) --> --tunnelType= (2) Program returned code (0) and output 'Reply-Message :=""' (2) control::Reply-Message := (2) } # update = noop (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = noop (2) } # policy filter_username = noop (2) [preprocess] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 165 length 113 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa (2) eap: Finished EAP session with state 0x06df9fcc077a86aa (2) eap: Previous EAP request found for state 0x06df9fcc077a86aa, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes (2) eap_peap: Got complete TLS record (103 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before accept initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 2687 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 166 length 1004 (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 27 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (2) EAP-Message = 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2 a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01 000100000b0002010016030108e50b0008e10008de0003e8308203e4308202 cca003020102020101300d06092a864886f70d01010b0500308196310b3009 060355040613025452310e300c06035504080c05495a4d4952310d300b0603 5504070c0455524c4131173015060355040a0c0e5061727461204e6574776f 726b733120301e06092a864886f70d0109011611696e666f4070617274612e 636f6d2e7472312d302b06035504030c245061727461204e6574776f726b73 20436572746966696361746520417574686f72697479301e170d3230303333 313131323930385a170d3330303332393131323930385a308182310b300906 0355040613025452310e300c06035504080c05495a4d495231173015060355 040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x06df9fcc047986aa43639075ca7d333a (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 28 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (3) User-Name = "mypc-pc\\Administrator" (3) NAS-Port = 20497 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = "44a8-42f7-952d" (3) NAS-Identifier = "S5735_K6_SW1" (3) NAS-Port-Type = Ethernet (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (3) State = 0x06df9fcc047986aa43639075ca7d333a (3) EAP-Message = 0x02a600061900 (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a (3) Called-Station-Id = "44-67-47-26-F7-90" (3) Login-IP-Host = 0.0.0.0 (3) NAS-IP-Address = 172.100.0.60 (3) Framed-MTU = 1500 (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (3) Huawei-Startup-Stamp = 1589932873 (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (3) Huawei-Connect-ID = 45 (3) Huawei-Version = "Huawei S5735" (3) Huawei-Product-ID = "S5735" (3) Huawei-User-Mac = "\000\000\000\001" (3) Huawei-Domain-Name = "default" (3) session-state: No cached attributes (3) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (3) authorize { (3) update { (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (3) EXPAND --username=%{User-Name} (3) --> --username=mypc-pc\\Administrator (3) EXPAND --calledStationID=%{Called-Station-Id} (3) --> --calledStationID=44-67-47-26-F7-90 (3) EXPAND --callingStationID=%{Calling-Station-Id} (3) --> --callingStationID=44a8-42f7-952d (3) EXPAND --connectInfo=%{Connect-Info} (3) --> --connectInfo= (3) EXPAND --framedMTU=%{Framed-MTU} (3) --> --framedMTU=1500 (3) EXPAND --framedProtocol=%{Framed-Protocol} (3) --> --framedProtocol=PPP (3) EXPAND --nasIdentifier=%{NAS-Identifier} (3) --> --nasIdentifier=S5735_K6_SW1 (3) EXPAND --nasIPAddress=%{NAS-IP-Address} (3) --> --nasIPAddress=172.100.0.60 (3) EXPAND --nasPort=%{NAS-Port} (3) --> --nasPort=20497 (3) EXPAND --nasPortID=%{NAS-Port-Id} (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (3) EXPAND --nasPortType=%{NAS-Port-Type} (3) --> --nasPortType=Ethernet (3) EXPAND --serviceType=%{Service-Type} (3) --> --serviceType=Framed-User (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (3) --> --tunnelMediumType= (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (3) --> --tunnelPrivateGroupID= (3) EXPAND --tunnelType=%{Tunnel-Type} (3) --> --tunnelType= (3) Program returned code (0) and output 'Reply-Message :=""' (3) control::Reply-Message := (3) } # update = noop (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = noop (3) } # policy filter_username = noop (3) [preprocess] = ok (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 166 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x06df9fcc047986aa (3) eap: Finished EAP session with state 0x06df9fcc047986aa (3) eap: Previous EAP request found for state 0x06df9fcc047986aa, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 167 length 1000 (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 28 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (3) EAP-Message = 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbd fd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0f a9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f03082 04ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f7 0d01010b0500308196310b3009060355040613025452310e300c0603550408 0c05495a4d4952310d300b06035504070c0455524c4131173015060355040a 0c0e5061727461204e6574776f726b733120301e06092a864886f70d010901 1611696e666f4070617274612e636f6d2e7472312d302b06035504030c2450 61727461204e6574776f726b7320436572746966696361746520417574686f 72697479301e170d3230303333313131323930385a170d3330303332393131 323930385a308196310b3009060355040613025452310e300c06035504080c 05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x06df9fcc057886aa43639075ca7d333a (3) Finished request Waking up in 4.7 seconds. (4) Received Access-Request Id 29 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (4) User-Name = "mypc-pc\\Administrator" (4) NAS-Port = 20497 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = "44a8-42f7-952d" (4) NAS-Identifier = "S5735_K6_SW1" (4) NAS-Port-Type = Ethernet (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (4) State = 0x06df9fcc057886aa43639075ca7d333a (4) EAP-Message = 0x02a700061900 (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4 (4) Called-Station-Id = "44-67-47-26-F7-90" (4) Login-IP-Host = 0.0.0.0 (4) NAS-IP-Address = 172.100.0.60 (4) Framed-MTU = 1500 (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (4) Huawei-Startup-Stamp = 1589932873 (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (4) Huawei-Connect-ID = 45 (4) Huawei-Version = "Huawei S5735" (4) Huawei-Product-ID = "S5735" (4) Huawei-User-Mac = "\000\000\000\001" (4) Huawei-Domain-Name = "default" (4) session-state: No cached attributes (4) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (4) authorize { (4) update { (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (4) EXPAND --username=%{User-Name} (4) --> --username=mypc-pc\\Administrator (4) EXPAND --calledStationID=%{Called-Station-Id} (4) --> --calledStationID=44-67-47-26-F7-90 (4) EXPAND --callingStationID=%{Calling-Station-Id} (4) --> --callingStationID=44a8-42f7-952d (4) EXPAND --connectInfo=%{Connect-Info} (4) --> --connectInfo= (4) EXPAND --framedMTU=%{Framed-MTU} (4) --> --framedMTU=1500 (4) EXPAND --framedProtocol=%{Framed-Protocol} (4) --> --framedProtocol=PPP (4) EXPAND --nasIdentifier=%{NAS-Identifier} (4) --> --nasIdentifier=S5735_K6_SW1 (4) EXPAND --nasIPAddress=%{NAS-IP-Address} (4) --> --nasIPAddress=172.100.0.60 (4) EXPAND --nasPort=%{NAS-Port} (4) --> --nasPort=20497 (4) EXPAND --nasPortID=%{NAS-Port-Id} (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (4) EXPAND --nasPortType=%{NAS-Port-Type} (4) --> --nasPortType=Ethernet (4) EXPAND --serviceType=%{Service-Type} (4) --> --serviceType=Framed-User (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (4) --> --tunnelMediumType= (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (4) --> --tunnelPrivateGroupID= (4) EXPAND --tunnelType=%{Tunnel-Type} (4) --> --tunnelType= (4) Program returned code (0) and output 'Reply-Message :=""' (4) control::Reply-Message := (4) } # update = noop (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = noop (4) } # policy filter_username = noop (4) [preprocess] = ok (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 167 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x06df9fcc057886aa (4) eap: Finished EAP session with state 0x06df9fcc057886aa (4) eap: Previous EAP request found for state 0x06df9fcc057886aa, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 168 length 705 (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 29 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (4) EAP-Message = 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30 350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e7061 7274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886 f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6d c2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd 8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b 6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a5709816 56b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f1 62fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd 20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343 df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e75462374 8cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x06df9fcc027786aa43639075ca7d333a (4) Finished request Waking up in 4.6 seconds. (5) Received Access-Request Id 30 from 172.100.0.60:49947 to 172.16.0.100:1812 length 478 (5) User-Name = "mypc-pc\\Administrator" (5) NAS-Port = 20497 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = "44a8-42f7-952d" (5) NAS-Identifier = "S5735_K6_SW1" (5) NAS-Port-Type = Ethernet (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (5) State = 0x06df9fcc027786aa43639075ca7d333a (5) EAP-Message = 0x02a800901980000000861603010046100000424104c7b577ecf031abd558 556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f1 99787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116 030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598dae f254ac64514ddef71c035306cdc1fea1cbdd58dcce (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9 (5) Called-Station-Id = "44-67-47-26-F7-90" (5) Login-IP-Host = 0.0.0.0 (5) NAS-IP-Address = 172.100.0.60 (5) Framed-MTU = 1500 (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (5) Huawei-Startup-Stamp = 1589932873 (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (5) Huawei-Connect-ID = 45 (5) Huawei-Version = "Huawei S5735" (5) Huawei-Product-ID = "S5735" (5) Huawei-User-Mac = "\000\000\000\001" (5) Huawei-Domain-Name = "default" (5) session-state: No cached attributes (5) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (5) authorize { (5) update { (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (5) EXPAND --username=%{User-Name} (5) --> --username=mypc-pc\\Administrator (5) EXPAND --calledStationID=%{Called-Station-Id} (5) --> --calledStationID=44-67-47-26-F7-90 (5) EXPAND --callingStationID=%{Calling-Station-Id} (5) --> --callingStationID=44a8-42f7-952d (5) EXPAND --connectInfo=%{Connect-Info} (5) --> --connectInfo= (5) EXPAND --framedMTU=%{Framed-MTU} (5) --> --framedMTU=1500 (5) EXPAND --framedProtocol=%{Framed-Protocol} (5) --> --framedProtocol=PPP (5) EXPAND --nasIdentifier=%{NAS-Identifier} (5) --> --nasIdentifier=S5735_K6_SW1 (5) EXPAND --nasIPAddress=%{NAS-IP-Address} (5) --> --nasIPAddress=172.100.0.60 (5) EXPAND --nasPort=%{NAS-Port} (5) --> --nasPort=20497 (5) EXPAND --nasPortID=%{NAS-Port-Id} (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (5) EXPAND --nasPortType=%{NAS-Port-Type} (5) --> --nasPortType=Ethernet (5) EXPAND --serviceType=%{Service-Type} (5) --> --serviceType=Framed-User (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (5) --> --tunnelMediumType= (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (5) --> --tunnelPrivateGroupID= (5) EXPAND --tunnelType=%{Tunnel-Type} (5) --> --tunnelType= (5) Program returned code (0) and output 'Reply-Message :=""' (5) control::Reply-Message := (5) } # update = noop (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = noop (5) } # policy filter_username = noop (5) [preprocess] = ok (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 168 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x06df9fcc027786aa (5) eap: Finished EAP session with state 0x06df9fcc027786aa (5) eap: Previous EAP request found for state 0x06df9fcc027786aa, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes (5) eap_peap: Got complete TLS record (134 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: TLS - Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) eap_peap: TLS-Session-Version = "TLS 1.0" (5) eap_peap: TLS - got 59 bytes of data (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 169 length 65 (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) TLS-Session-Version = "TLS 1.0" (5) Sent Access-Challenge Id 30 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (5) EAP-Message = 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980ad be6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06df9fcc037686aa43639075ca7d333a (5) Finished request Waking up in 4.6 seconds. (6) Received Access-Request Id 31 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (6) User-Name = "mypc-pc\\Administrator" (6) NAS-Port = 20497 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = "44a8-42f7-952d" (6) NAS-Identifier = "S5735_K6_SW1" (6) NAS-Port-Type = Ethernet (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (6) State = 0x06df9fcc037686aa43639075ca7d333a (6) EAP-Message = 0x02a900061900 (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe (6) Called-Station-Id = "44-67-47-26-F7-90" (6) Login-IP-Host = 0.0.0.0 (6) NAS-IP-Address = 172.100.0.60 (6) Framed-MTU = 1500 (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (6) Huawei-Startup-Stamp = 1589932873 (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (6) Huawei-Connect-ID = 45 (6) Huawei-Version = "Huawei S5735" (6) Huawei-Product-ID = "S5735" (6) Huawei-User-Mac = "\000\000\000\001" (6) Huawei-Domain-Name = "default" (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.0" (6) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (6) authorize { (6) update { (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (6) EXPAND --username=%{User-Name} (6) --> --username=mypc-pc\\Administrator (6) EXPAND --calledStationID=%{Called-Station-Id} (6) --> --calledStationID=44-67-47-26-F7-90 (6) EXPAND --callingStationID=%{Calling-Station-Id} (6) --> --callingStationID=44a8-42f7-952d (6) EXPAND --connectInfo=%{Connect-Info} (6) --> --connectInfo= (6) EXPAND --framedMTU=%{Framed-MTU} (6) --> --framedMTU=1500 (6) EXPAND --framedProtocol=%{Framed-Protocol} (6) --> --framedProtocol=PPP (6) EXPAND --nasIdentifier=%{NAS-Identifier} (6) --> --nasIdentifier=S5735_K6_SW1 (6) EXPAND --nasIPAddress=%{NAS-IP-Address} (6) --> --nasIPAddress=172.100.0.60 (6) EXPAND --nasPort=%{NAS-Port} (6) --> --nasPort=20497 (6) EXPAND --nasPortID=%{NAS-Port-Id} (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (6) EXPAND --nasPortType=%{NAS-Port-Type} (6) --> --nasPortType=Ethernet (6) EXPAND --serviceType=%{Service-Type} (6) --> --serviceType=Framed-User (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (6) --> --tunnelMediumType= (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (6) --> --tunnelPrivateGroupID= (6) EXPAND --tunnelType=%{Tunnel-Type} (6) --> --tunnelType= (6) Program returned code (0) and output 'Reply-Message :=""' (6) control::Reply-Message := (6) } # update = noop (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) [preprocess] = ok (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 169 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x06df9fcc037686aa (6) eap: Finished EAP session with state 0x06df9fcc037686aa (6) eap: Previous EAP request found for state 0x06df9fcc037686aa, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 170 length 43 (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) TLS-Session-Version = "TLS 1.0" (6) Sent Access-Challenge Id 31 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (6) EAP-Message = 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406 708676f7c33e1183170f61d947 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x06df9fcc007586aa43639075ca7d333a (6) Finished request Waking up in 4.5 seconds. (7) Received Access-Request Id 32 from 172.100.0.60:49947 to 172.16.0.100:1812 length 393 (7) User-Name = "mypc-pc\\Administrator" (7) NAS-Port = 20497 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = "44a8-42f7-952d" (7) NAS-Identifier = "S5735_K6_SW1" (7) NAS-Port-Type = Ethernet (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (7) State = 0x06df9fcc007586aa43639075ca7d333a (7) EAP-Message = 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b22703 3be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77 (7) Called-Station-Id = "44-67-47-26-F7-90" (7) Login-IP-Host = 0.0.0.0 (7) NAS-IP-Address = 172.100.0.60 (7) Framed-MTU = 1500 (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (7) Huawei-Startup-Stamp = 1589932873 (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (7) Huawei-Connect-ID = 45 (7) Huawei-Version = "Huawei S5735" (7) Huawei-Product-ID = "S5735" (7) Huawei-User-Mac = "\000\000\000\001" (7) Huawei-Domain-Name = "default" (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.0" (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) EXPAND --calledStationID=%{Called-Station-Id} (7) --> --calledStationID=44-67-47-26-F7-90 (7) EXPAND --callingStationID=%{Calling-Station-Id} (7) --> --callingStationID=44a8-42f7-952d (7) EXPAND --connectInfo=%{Connect-Info} (7) --> --connectInfo= (7) EXPAND --framedMTU=%{Framed-MTU} (7) --> --framedMTU=1500 (7) EXPAND --framedProtocol=%{Framed-Protocol} (7) --> --framedProtocol=PPP (7) EXPAND --nasIdentifier=%{NAS-Identifier} (7) --> --nasIdentifier=S5735_K6_SW1 (7) EXPAND --nasIPAddress=%{NAS-IP-Address} (7) --> --nasIPAddress=172.100.0.60 (7) EXPAND --nasPort=%{NAS-Port} (7) --> --nasPort=20497 (7) EXPAND --nasPortID=%{NAS-Port-Id} (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (7) EXPAND --nasPortType=%{NAS-Port-Type} (7) --> --nasPortType=Ethernet (7) EXPAND --serviceType=%{Service-Type} (7) --> --serviceType=Framed-User (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (7) --> --tunnelMediumType= (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (7) --> --tunnelPrivateGroupID= (7) EXPAND --tunnelType=%{Tunnel-Type} (7) --> --tunnelType= (7) Program returned code (0) and output 'Reply-Message :=""' (7) control::Reply-Message := (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [preprocess] = ok (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 59 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x06df9fcc007586aa (7) eap: Finished EAP session with state 0x06df9fcc007586aa (7) eap: Previous EAP request found for state 0x06df9fcc007586aa, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - mypc-pc\Administrator (7) eap_peap: Got inner identity 'mypc-pc\Administrator' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: Setting User-Name to mypc-pc\Administrator (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "mypc-pc\\Administrator" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "mypc-pc\\Administrator" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) Program returned code (0) and output 'Idle-Timeout := "30"' (7) reply::Idle-Timeout := 30 (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 28 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 43 (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Idle-Timeout := 30 (7) EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 75 (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) TLS-Session-Version = "TLS 1.0" (7) Sent Access-Challenge Id 32 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (7) EAP-Message = 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846 e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584 277bbb9e717bf568d0b7c39b9b21 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x06df9fcc017486aa43639075ca7d333a (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 33 from 172.100.0.60:49947 to 172.16.0.100:1812 length 441 (8) User-Name = "mypc-pc\\Administrator" (8) NAS-Port = 20497 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = "44a8-42f7-952d" (8) NAS-Identifier = "S5735_K6_SW1" (8) NAS-Port-Type = Ethernet (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (8) State = 0x06df9fcc017486aa43639075ca7d333a (8) EAP-Message = 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67 fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514 b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22 e8f68156c08b94226c0358519793f0 (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc (8) Called-Station-Id = "44-67-47-26-F7-90" (8) Login-IP-Host = 0.0.0.0 (8) NAS-IP-Address = 172.100.0.60 (8) Framed-MTU = 1500 (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (8) Huawei-Startup-Stamp = 1589932873 (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (8) Huawei-Connect-ID = 45 (8) Huawei-Version = "Huawei S5735" (8) Huawei-Product-ID = "S5735" (8) Huawei-User-Mac = "\000\000\000\001" (8) Huawei-Domain-Name = "default" (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) &session-state:TLS-Session-Version = "TLS 1.0" (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) EXPAND --calledStationID=%{Called-Station-Id} (8) --> --calledStationID=44-67-47-26-F7-90 (8) EXPAND --callingStationID=%{Calling-Station-Id} (8) --> --callingStationID=44a8-42f7-952d (8) EXPAND --connectInfo=%{Connect-Info} (8) --> --connectInfo= (8) EXPAND --framedMTU=%{Framed-MTU} (8) --> --framedMTU=1500 (8) EXPAND --framedProtocol=%{Framed-Protocol} (8) --> --framedProtocol=PPP (8) EXPAND --nasIdentifier=%{NAS-Identifier} (8) --> --nasIdentifier=S5735_K6_SW1 (8) EXPAND --nasIPAddress=%{NAS-IP-Address} (8) --> --nasIPAddress=172.100.0.60 (8) EXPAND --nasPort=%{NAS-Port} (8) --> --nasPort=20497 (8) EXPAND --nasPortID=%{NAS-Port-Id} (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (8) EXPAND --nasPortType=%{NAS-Port-Type} (8) --> --nasPortType=Ethernet (8) EXPAND --serviceType=%{Service-Type} (8) --> --serviceType=Framed-User (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (8) --> --tunnelMediumType= (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (8) --> --tunnelPrivateGroupID= (8) EXPAND --tunnelType=%{Tunnel-Type} (8) --> --tunnelType= (8) Program returned code (0) and output 'Reply-Message :=""' (8) control::Reply-Message := (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [preprocess] = ok (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0x06df9fcc017486aa (8) eap: Previous EAP request found for state 0x06df9fcc017486aa, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: Setting User-Name to mypc-pc\Administrator (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "mypc-pc\\Administrator" (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "mypc-pc\\Administrator" (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) Program returned code (0) and output 'Idle-Timeout := "30"' (8) reply::Idle-Timeout := 30 (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 72 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a (8) eap: Previous EAP request found for state 0xb29197b0b23a8d1a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (8) mschap: --> --username=Administrator (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=54f8ede55f4a4abb (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55 (8) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001) (8) mschap: Authentication failed (8) eap_mschapv2: [mschap] = fail (8) eap_mschapv2: } # authenticate = fail (8) eap: Sending EAP Failure (code 4) ID 171 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> mypc-pc\\Administrator (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'Reading winbind reply failed! (0xc0000001)\'' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) EAP-Message = 0x04ab0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 172 length 43 (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) TLS-Session-Version = "TLS 1.0" (8) Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (8) Sent Access-Challenge Id 33 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (8) EAP-Message = 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f82 46a377c0748067abbfc703e7f7 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x06df9fcc0e7386aa43639075ca7d333a (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 34 from 172.100.0.60:49947 to 172.16.0.100:1812 length 377 (9) User-Name = "mypc-pc\\Administrator" (9) NAS-Port = 20497 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = "44a8-42f7-952d" (9) NAS-Identifier = "S5735_K6_SW1" (9) NAS-Port-Type = Ethernet (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (9) State = 0x06df9fcc0e7386aa43639075ca7d333a (9) EAP-Message = 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de66 1047ec0e47760dd1c38e3479ce (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e (9) Called-Station-Id = "44-67-47-26-F7-90" (9) Login-IP-Host = 0.0.0.0 (9) NAS-IP-Address = 172.100.0.60 (9) Framed-MTU = 1500 (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (9) Huawei-Startup-Stamp = 1589932873 (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (9) Huawei-Connect-ID = 45 (9) Huawei-Version = "Huawei S5735" (9) Huawei-Product-ID = "S5735" (9) Huawei-User-Mac = "\000\000\000\001" (9) Huawei-Domain-Name = "default" (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (9) &session-state:TLS-Session-Version = "TLS 1.0" (9) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (9) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (9) authorize { (9) update { (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (9) EXPAND --username=%{User-Name} (9) --> --username=mypc-pc\\Administrator (9) EXPAND --calledStationID=%{Called-Station-Id} (9) --> --calledStationID=44-67-47-26-F7-90 (9) EXPAND --callingStationID=%{Calling-Station-Id} (9) --> --callingStationID=44a8-42f7-952d (9) EXPAND --connectInfo=%{Connect-Info} (9) --> --connectInfo= (9) EXPAND --framedMTU=%{Framed-MTU} (9) --> --framedMTU=1500 (9) EXPAND --framedProtocol=%{Framed-Protocol} (9) --> --framedProtocol=PPP (9) EXPAND --nasIdentifier=%{NAS-Identifier} (9) --> --nasIdentifier=S5735_K6_SW1 (9) EXPAND --nasIPAddress=%{NAS-IP-Address} (9) --> --nasIPAddress=172.100.0.60 (9) EXPAND --nasPort=%{NAS-Port} (9) --> --nasPort=20497 (9) EXPAND --nasPortID=%{NAS-Port-Id} (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (9) EXPAND --nasPortType=%{NAS-Port-Type} (9) --> --nasPortType=Ethernet (9) EXPAND --serviceType=%{Service-Type} (9) --> --serviceType=Framed-User (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (9) --> --tunnelMediumType= (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (9) --> --tunnelPrivateGroupID= (9) EXPAND --tunnelType=%{Tunnel-Type} (9) --> --tunnelType= (9) Program returned code (0) and output 'Reply-Message :=""' (9) control::Reply-Message := (9) } # update = noop (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = noop (9) } # policy filter_username = noop (9) [preprocess] = ok (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 172 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa (9) eap: Previous EAP request found for state 0x06df9fcc0e7386aa, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 172 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> mypc-pc\\Administrator (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 34 from 172.16.0.100:1812 to 172.100.0.60:49947 length 44 (9) EAP-Message = 0x04ac0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.3 seconds. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your help, but when I run ntlm_auth and wbinfo manually, there is no problem. Therefore I thought I might have misconfigured something on the FreeRADIUS side. On Tue, 22 Jun 2021 at 10:12, L.P.H. van Belle via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I think you should fix your samba setup first.
Your smb.conf is not correctly setup and without that being correctly ntlm_auth is not going to work in free radius
Read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
And read :
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di...
For FreeRadius and auth only, RID (or autorid) setup is sufficient
Greetz,
Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Vertigo Altair Verzonden: maandag 21 juni 2021 21:26 Aan: FreeRadius users mailing list Onderwerp: MSCHAP DC Server Authentication winbind reply failed
Hi FreeRADIUS!
I'm trying to use FreeRADIUS with MSCHAP through a DC server. However, I'm getting an error like "winbind reply failed!"
I'm running on OpenBSD 6.9.
FreeRADIUS version:
# /usr/local/sbin/radiusd -v | head -1 radiusd: FreeRADIUS Version 3.0.21, for host x86_64-unknown-openbsd6.9, built on Apr 20 2021 at 05:14:02 #
My configuration is like that;
=============
# cat /etc/samba/smb.conf [global]
winbind use default domain = no security = ads netbios name = myhost workgroup = MYWORKGROUP realm = zz.example.com password server = zz.example.com
==============
I joined the DC server successfully;
# net join -U myadmin Using short domain name -- XX Joined 'YY' to dns domain 'zz.example.com' No DNS domain configured for myhost. Unable to perform DNS Update.
============= I can make challange based authentication with wbinfo;
# wbinfo -a myuser%mypass plaintext password authentication failed <<< FAIL Could not authenticate user myuser%mypass with plaintext password challenge/response password authentication succeeded #
===============
And also with ntlm_auth;
# ntlm_auth --request-nt-key --username myuser Password: myuser NT_STATUS_OK: The operation completed successfully. (0x0) #
==================
I've created a user named "winbindd_priv" and added this user the _freeradius group to access winbind privileged socket from FreeRADIUS
# cat /etc/group |grep winbind winbindd_priv:*:1000:_freeradius
# ls -la /var/run/samba/winbindd* -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39 /var/run/samba/winbindd.pid
/var/run/samba/winbindd: srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe #
===================
I couldn't see anything wrong there, I followed the official documentation properly. I'm getting "winbind reply failed!" error anyway.
The full output from radiusd -X;
======================
(0) Received Access-Request Id 25 from 172.100.0.60:49947 to 172.16.0.100:1812 length 338 (0) User-Name = "mypc-pc\\Administrator" (0) NAS-Port = 20497 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) Calling-Station-Id = "44a8-42f7-952d" (0) NAS-Identifier = "S5735_K6_SW1" (0) NAS-Port-Type = Ethernet (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (0) EAP-Message = 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72 (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e (0) Called-Station-Id = "44-67-47-26-F7-90" (0) NAS-IP-Address = 172.100.0.60 (0) Framed-MTU = 1500 (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (0) Huawei-Startup-Stamp = 1589932873 (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (0) Huawei-Connect-ID = 45 (0) Huawei-Version = "Huawei S5735" (0) Huawei-Product-ID = "S5735" (0) Huawei-User-Mac = "\000\000\000\001" (0) Huawei-Domain-Name = "default" (0) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (0) authorize { (0) update { (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (0) EXPAND --username=%{User-Name} (0) --> --username=mypc-pc\\Administrator (0) EXPAND --calledStationID=%{Called-Station-Id} (0) --> --calledStationID=44-67-47-26-F7-90 (0) EXPAND --callingStationID=%{Calling-Station-Id} (0) --> --callingStationID=44a8-42f7-952d (0) EXPAND --connectInfo=%{Connect-Info} (0) --> --connectInfo= (0) EXPAND --framedMTU=%{Framed-MTU} (0) --> --framedMTU=1500 (0) EXPAND --framedProtocol=%{Framed-Protocol} (0) --> --framedProtocol=PPP (0) EXPAND --nasIdentifier=%{NAS-Identifier} (0) --> --nasIdentifier=S5735_K6_SW1 (0) EXPAND --nasIPAddress=%{NAS-IP-Address} (0) --> --nasIPAddress=172.100.0.60 (0) EXPAND --nasPort=%{NAS-Port} (0) --> --nasPort=20497 (0) EXPAND --nasPortID=%{NAS-Port-Id} (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (0) EXPAND --nasPortType=%{NAS-Port-Type} (0) --> --nasPortType=Ethernet (0) EXPAND --serviceType=%{Service-Type} (0) --> --serviceType=Framed-User (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (0) --> --tunnelMediumType= (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (0) --> --tunnelPrivateGroupID= (0) EXPAND --tunnelType=%{Tunnel-Type} (0) --> --tunnelType= (0) Program returned code (0) and output 'Reply-Message :=""' (0) control::Reply-Message := (0) } # update = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 163 length 28 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 164 length 22 (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 25 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x06df9fcc067b9baa43639075ca7d333a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 26 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (1) User-Name = "mypc-pc\\Administrator" (1) NAS-Port = 20497 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = "44a8-42f7-952d" (1) NAS-Identifier = "S5735_K6_SW1" (1) NAS-Port-Type = Ethernet (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (1) State = 0x06df9fcc067b9baa43639075ca7d333a (1) EAP-Message = 0x02a400060319 (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c (1) Called-Station-Id = "44-67-47-26-F7-90" (1) Login-IP-Host = 0.0.0.0 (1) NAS-IP-Address = 172.100.0.60 (1) Framed-MTU = 1500 (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (1) Huawei-Startup-Stamp = 1589932873 (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (1) Huawei-Connect-ID = 45 (1) Huawei-Version = "Huawei S5735" (1) Huawei-Product-ID = "S5735" (1) Huawei-User-Mac = "\000\000\000\001" (1) Huawei-Domain-Name = "default" (1) session-state: No cached attributes (1) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (1) authorize { (1) update { (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (1) EXPAND --username=%{User-Name} (1) --> --username=mypc-pc\\Administrator (1) EXPAND --calledStationID=%{Called-Station-Id} (1) --> --calledStationID=44-67-47-26-F7-90 (1) EXPAND --callingStationID=%{Calling-Station-Id} (1) --> --callingStationID=44a8-42f7-952d (1) EXPAND --connectInfo=%{Connect-Info} (1) --> --connectInfo= (1) EXPAND --framedMTU=%{Framed-MTU} (1) --> --framedMTU=1500 (1) EXPAND --framedProtocol=%{Framed-Protocol} (1) --> --framedProtocol=PPP (1) EXPAND --nasIdentifier=%{NAS-Identifier} (1) --> --nasIdentifier=S5735_K6_SW1 (1) EXPAND --nasIPAddress=%{NAS-IP-Address} (1) --> --nasIPAddress=172.100.0.60 (1) EXPAND --nasPort=%{NAS-Port} (1) --> --nasPort=20497 (1) EXPAND --nasPortID=%{NAS-Port-Id} (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (1) EXPAND --nasPortType=%{NAS-Port-Type} (1) --> --nasPortType=Ethernet (1) EXPAND --serviceType=%{Service-Type} (1) --> --serviceType=Framed-User (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (1) --> --tunnelMediumType= (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (1) --> --tunnelPrivateGroupID= (1) EXPAND --tunnelType=%{Tunnel-Type} (1) --> --tunnelType= (1) Program returned code (0) and output 'Reply-Message :=""' (1) control::Reply-Message := (1) } # update = noop (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = noop (1) } # policy filter_username = noop (1) [preprocess] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 164 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa (1) eap: Finished EAP session with state 0x06df9fcc067b9baa (1) eap: Previous EAP request found for state 0x06df9fcc067b9baa, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 165 length 6 (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 26 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (1) EAP-Message = 0x01a500061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x06df9fcc077a86aa43639075ca7d333a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 27 from 172.100.0.60:49947 to 172.16.0.100:1812 length 447 (2) User-Name = "mypc-pc\\Administrator" (2) NAS-Port = 20497 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = "44a8-42f7-952d" (2) NAS-Identifier = "S5735_K6_SW1" (2) NAS-Port-Type = Ethernet (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (2) State = 0x06df9fcc077a86aa43639075ca7d333a (2) EAP-Message = 0x02a5007119800000006716030100620100005e030160d0e32a6722bce315 95a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c01300 3900330035002fc00ac00900380032000a00130005000401000019000a0006 000400170018000b0002010000170000ff01000100 (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0 (2) Called-Station-Id = "44-67-47-26-F7-90" (2) Login-IP-Host = 0.0.0.0 (2) NAS-IP-Address = 172.100.0.60 (2) Framed-MTU = 1500 (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (2) Huawei-Startup-Stamp = 1589932873 (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (2) Huawei-Connect-ID = 45 (2) Huawei-Version = "Huawei S5735" (2) Huawei-Product-ID = "S5735" (2) Huawei-User-Mac = "\000\000\000\001" (2) Huawei-Domain-Name = "default" (2) session-state: No cached attributes (2) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (2) authorize { (2) update { (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (2) EXPAND --username=%{User-Name} (2) --> --username=mypc-pc\\Administrator (2) EXPAND --calledStationID=%{Called-Station-Id} (2) --> --calledStationID=44-67-47-26-F7-90 (2) EXPAND --callingStationID=%{Calling-Station-Id} (2) --> --callingStationID=44a8-42f7-952d (2) EXPAND --connectInfo=%{Connect-Info} (2) --> --connectInfo= (2) EXPAND --framedMTU=%{Framed-MTU} (2) --> --framedMTU=1500 (2) EXPAND --framedProtocol=%{Framed-Protocol} (2) --> --framedProtocol=PPP (2) EXPAND --nasIdentifier=%{NAS-Identifier} (2) --> --nasIdentifier=S5735_K6_SW1 (2) EXPAND --nasIPAddress=%{NAS-IP-Address} (2) --> --nasIPAddress=172.100.0.60 (2) EXPAND --nasPort=%{NAS-Port} (2) --> --nasPort=20497 (2) EXPAND --nasPortID=%{NAS-Port-Id} (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (2) EXPAND --nasPortType=%{NAS-Port-Type} (2) --> --nasPortType=Ethernet (2) EXPAND --serviceType=%{Service-Type} (2) --> --serviceType=Framed-User (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (2) --> --tunnelMediumType= (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (2) --> --tunnelPrivateGroupID= (2) EXPAND --tunnelType=%{Tunnel-Type} (2) --> --tunnelType= (2) Program returned code (0) and output 'Reply-Message :=""' (2) control::Reply-Message := (2) } # update = noop (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = noop (2) } # policy filter_username = noop (2) [preprocess] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 165 length 113 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa (2) eap: Finished EAP session with state 0x06df9fcc077a86aa (2) eap: Previous EAP request found for state 0x06df9fcc077a86aa, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes (2) eap_peap: Got complete TLS record (103 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before accept initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 2687 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 166 length 1004 (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 27 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (2) EAP-Message = 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2 a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01 000100000b0002010016030108e50b0008e10008de0003e8308203e4308202 cca003020102020101300d06092a864886f70d01010b0500308196310b3009 060355040613025452310e300c06035504080c05495a4d4952310d300b0603 5504070c0455524c4131173015060355040a0c0e5061727461204e6574776f 726b733120301e06092a864886f70d0109011611696e666f4070617274612e 636f6d2e7472312d302b06035504030c245061727461204e6574776f726b73 20436572746966696361746520417574686f72697479301e170d3230303333 313131323930385a170d3330303332393131323930385a308182310b300906 0355040613025452310e300c06035504080c05495a4d495231173015060355 040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x06df9fcc047986aa43639075ca7d333a (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 28 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (3) User-Name = "mypc-pc\\Administrator" (3) NAS-Port = 20497 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = "44a8-42f7-952d" (3) NAS-Identifier = "S5735_K6_SW1" (3) NAS-Port-Type = Ethernet (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (3) State = 0x06df9fcc047986aa43639075ca7d333a (3) EAP-Message = 0x02a600061900 (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a (3) Called-Station-Id = "44-67-47-26-F7-90" (3) Login-IP-Host = 0.0.0.0 (3) NAS-IP-Address = 172.100.0.60 (3) Framed-MTU = 1500 (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (3) Huawei-Startup-Stamp = 1589932873 (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (3) Huawei-Connect-ID = 45 (3) Huawei-Version = "Huawei S5735" (3) Huawei-Product-ID = "S5735" (3) Huawei-User-Mac = "\000\000\000\001" (3) Huawei-Domain-Name = "default" (3) session-state: No cached attributes (3) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (3) authorize { (3) update { (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (3) EXPAND --username=%{User-Name} (3) --> --username=mypc-pc\\Administrator (3) EXPAND --calledStationID=%{Called-Station-Id} (3) --> --calledStationID=44-67-47-26-F7-90 (3) EXPAND --callingStationID=%{Calling-Station-Id} (3) --> --callingStationID=44a8-42f7-952d (3) EXPAND --connectInfo=%{Connect-Info} (3) --> --connectInfo= (3) EXPAND --framedMTU=%{Framed-MTU} (3) --> --framedMTU=1500 (3) EXPAND --framedProtocol=%{Framed-Protocol} (3) --> --framedProtocol=PPP (3) EXPAND --nasIdentifier=%{NAS-Identifier} (3) --> --nasIdentifier=S5735_K6_SW1 (3) EXPAND --nasIPAddress=%{NAS-IP-Address} (3) --> --nasIPAddress=172.100.0.60 (3) EXPAND --nasPort=%{NAS-Port} (3) --> --nasPort=20497 (3) EXPAND --nasPortID=%{NAS-Port-Id} (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (3) EXPAND --nasPortType=%{NAS-Port-Type} (3) --> --nasPortType=Ethernet (3) EXPAND --serviceType=%{Service-Type} (3) --> --serviceType=Framed-User (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (3) --> --tunnelMediumType= (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (3) --> --tunnelPrivateGroupID= (3) EXPAND --tunnelType=%{Tunnel-Type} (3) --> --tunnelType= (3) Program returned code (0) and output 'Reply-Message :=""' (3) control::Reply-Message := (3) } # update = noop (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = noop (3) } # policy filter_username = noop (3) [preprocess] = ok (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 166 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x06df9fcc047986aa (3) eap: Finished EAP session with state 0x06df9fcc047986aa (3) eap: Previous EAP request found for state 0x06df9fcc047986aa, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 167 length 1000 (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 28 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (3) EAP-Message = 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbd fd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0f a9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f03082 04ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f7 0d01010b0500308196310b3009060355040613025452310e300c0603550408 0c05495a4d4952310d300b06035504070c0455524c4131173015060355040a 0c0e5061727461204e6574776f726b733120301e06092a864886f70d010901 1611696e666f4070617274612e636f6d2e7472312d302b06035504030c2450 61727461204e6574776f726b7320436572746966696361746520417574686f 72697479301e170d3230303333313131323930385a170d3330303332393131 323930385a308196310b3009060355040613025452310e300c06035504080c 05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x06df9fcc057886aa43639075ca7d333a (3) Finished request Waking up in 4.7 seconds. (4) Received Access-Request Id 29 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (4) User-Name = "mypc-pc\\Administrator" (4) NAS-Port = 20497 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = "44a8-42f7-952d" (4) NAS-Identifier = "S5735_K6_SW1" (4) NAS-Port-Type = Ethernet (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (4) State = 0x06df9fcc057886aa43639075ca7d333a (4) EAP-Message = 0x02a700061900 (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4 (4) Called-Station-Id = "44-67-47-26-F7-90" (4) Login-IP-Host = 0.0.0.0 (4) NAS-IP-Address = 172.100.0.60 (4) Framed-MTU = 1500 (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (4) Huawei-Startup-Stamp = 1589932873 (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (4) Huawei-Connect-ID = 45 (4) Huawei-Version = "Huawei S5735" (4) Huawei-Product-ID = "S5735" (4) Huawei-User-Mac = "\000\000\000\001" (4) Huawei-Domain-Name = "default" (4) session-state: No cached attributes (4) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (4) authorize { (4) update { (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (4) EXPAND --username=%{User-Name} (4) --> --username=mypc-pc\\Administrator (4) EXPAND --calledStationID=%{Called-Station-Id} (4) --> --calledStationID=44-67-47-26-F7-90 (4) EXPAND --callingStationID=%{Calling-Station-Id} (4) --> --callingStationID=44a8-42f7-952d (4) EXPAND --connectInfo=%{Connect-Info} (4) --> --connectInfo= (4) EXPAND --framedMTU=%{Framed-MTU} (4) --> --framedMTU=1500 (4) EXPAND --framedProtocol=%{Framed-Protocol} (4) --> --framedProtocol=PPP (4) EXPAND --nasIdentifier=%{NAS-Identifier} (4) --> --nasIdentifier=S5735_K6_SW1 (4) EXPAND --nasIPAddress=%{NAS-IP-Address} (4) --> --nasIPAddress=172.100.0.60 (4) EXPAND --nasPort=%{NAS-Port} (4) --> --nasPort=20497 (4) EXPAND --nasPortID=%{NAS-Port-Id} (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (4) EXPAND --nasPortType=%{NAS-Port-Type} (4) --> --nasPortType=Ethernet (4) EXPAND --serviceType=%{Service-Type} (4) --> --serviceType=Framed-User (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (4) --> --tunnelMediumType= (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (4) --> --tunnelPrivateGroupID= (4) EXPAND --tunnelType=%{Tunnel-Type} (4) --> --tunnelType= (4) Program returned code (0) and output 'Reply-Message :=""' (4) control::Reply-Message := (4) } # update = noop (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = noop (4) } # policy filter_username = noop (4) [preprocess] = ok (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 167 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x06df9fcc057886aa (4) eap: Finished EAP session with state 0x06df9fcc057886aa (4) eap: Previous EAP request found for state 0x06df9fcc057886aa, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 168 length 705 (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 29 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (4) EAP-Message = 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30 350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e7061 7274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886 f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6d c2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd 8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b 6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a5709816 56b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f1 62fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd 20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343 df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e75462374 8cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x06df9fcc027786aa43639075ca7d333a (4) Finished request Waking up in 4.6 seconds. (5) Received Access-Request Id 30 from 172.100.0.60:49947 to 172.16.0.100:1812 length 478 (5) User-Name = "mypc-pc\\Administrator" (5) NAS-Port = 20497 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = "44a8-42f7-952d" (5) NAS-Identifier = "S5735_K6_SW1" (5) NAS-Port-Type = Ethernet (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (5) State = 0x06df9fcc027786aa43639075ca7d333a (5) EAP-Message = 0x02a800901980000000861603010046100000424104c7b577ecf031abd558 556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f1 99787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116 030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598dae f254ac64514ddef71c035306cdc1fea1cbdd58dcce (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9 (5) Called-Station-Id = "44-67-47-26-F7-90" (5) Login-IP-Host = 0.0.0.0 (5) NAS-IP-Address = 172.100.0.60 (5) Framed-MTU = 1500 (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (5) Huawei-Startup-Stamp = 1589932873 (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (5) Huawei-Connect-ID = 45 (5) Huawei-Version = "Huawei S5735" (5) Huawei-Product-ID = "S5735" (5) Huawei-User-Mac = "\000\000\000\001" (5) Huawei-Domain-Name = "default" (5) session-state: No cached attributes (5) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (5) authorize { (5) update { (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (5) EXPAND --username=%{User-Name} (5) --> --username=mypc-pc\\Administrator (5) EXPAND --calledStationID=%{Called-Station-Id} (5) --> --calledStationID=44-67-47-26-F7-90 (5) EXPAND --callingStationID=%{Calling-Station-Id} (5) --> --callingStationID=44a8-42f7-952d (5) EXPAND --connectInfo=%{Connect-Info} (5) --> --connectInfo= (5) EXPAND --framedMTU=%{Framed-MTU} (5) --> --framedMTU=1500 (5) EXPAND --framedProtocol=%{Framed-Protocol} (5) --> --framedProtocol=PPP (5) EXPAND --nasIdentifier=%{NAS-Identifier} (5) --> --nasIdentifier=S5735_K6_SW1 (5) EXPAND --nasIPAddress=%{NAS-IP-Address} (5) --> --nasIPAddress=172.100.0.60 (5) EXPAND --nasPort=%{NAS-Port} (5) --> --nasPort=20497 (5) EXPAND --nasPortID=%{NAS-Port-Id} (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (5) EXPAND --nasPortType=%{NAS-Port-Type} (5) --> --nasPortType=Ethernet (5) EXPAND --serviceType=%{Service-Type} (5) --> --serviceType=Framed-User (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (5) --> --tunnelMediumType= (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (5) --> --tunnelPrivateGroupID= (5) EXPAND --tunnelType=%{Tunnel-Type} (5) --> --tunnelType= (5) Program returned code (0) and output 'Reply-Message :=""' (5) control::Reply-Message := (5) } # update = noop (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = noop (5) } # policy filter_username = noop (5) [preprocess] = ok (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 168 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x06df9fcc027786aa (5) eap: Finished EAP session with state 0x06df9fcc027786aa (5) eap: Previous EAP request found for state 0x06df9fcc027786aa, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes (5) eap_peap: Got complete TLS record (134 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: TLS - Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) eap_peap: TLS-Session-Version = "TLS 1.0" (5) eap_peap: TLS - got 59 bytes of data (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 169 length 65 (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) TLS-Session-Version = "TLS 1.0" (5) Sent Access-Challenge Id 30 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (5) EAP-Message = 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980ad be6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06df9fcc037686aa43639075ca7d333a (5) Finished request Waking up in 4.6 seconds. (6) Received Access-Request Id 31 from 172.100.0.60:49947 to 172.16.0.100:1812 length 340 (6) User-Name = "mypc-pc\\Administrator" (6) NAS-Port = 20497 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = "44a8-42f7-952d" (6) NAS-Identifier = "S5735_K6_SW1" (6) NAS-Port-Type = Ethernet (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (6) State = 0x06df9fcc037686aa43639075ca7d333a (6) EAP-Message = 0x02a900061900 (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe (6) Called-Station-Id = "44-67-47-26-F7-90" (6) Login-IP-Host = 0.0.0.0 (6) NAS-IP-Address = 172.100.0.60 (6) Framed-MTU = 1500 (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (6) Huawei-Startup-Stamp = 1589932873 (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (6) Huawei-Connect-ID = 45 (6) Huawei-Version = "Huawei S5735" (6) Huawei-Product-ID = "S5735" (6) Huawei-User-Mac = "\000\000\000\001" (6) Huawei-Domain-Name = "default" (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.0" (6) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (6) authorize { (6) update { (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (6) EXPAND --username=%{User-Name} (6) --> --username=mypc-pc\\Administrator (6) EXPAND --calledStationID=%{Called-Station-Id} (6) --> --calledStationID=44-67-47-26-F7-90 (6) EXPAND --callingStationID=%{Calling-Station-Id} (6) --> --callingStationID=44a8-42f7-952d (6) EXPAND --connectInfo=%{Connect-Info} (6) --> --connectInfo= (6) EXPAND --framedMTU=%{Framed-MTU} (6) --> --framedMTU=1500 (6) EXPAND --framedProtocol=%{Framed-Protocol} (6) --> --framedProtocol=PPP (6) EXPAND --nasIdentifier=%{NAS-Identifier} (6) --> --nasIdentifier=S5735_K6_SW1 (6) EXPAND --nasIPAddress=%{NAS-IP-Address} (6) --> --nasIPAddress=172.100.0.60 (6) EXPAND --nasPort=%{NAS-Port} (6) --> --nasPort=20497 (6) EXPAND --nasPortID=%{NAS-Port-Id} (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (6) EXPAND --nasPortType=%{NAS-Port-Type} (6) --> --nasPortType=Ethernet (6) EXPAND --serviceType=%{Service-Type} (6) --> --serviceType=Framed-User (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (6) --> --tunnelMediumType= (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (6) --> --tunnelPrivateGroupID= (6) EXPAND --tunnelType=%{Tunnel-Type} (6) --> --tunnelType= (6) Program returned code (0) and output 'Reply-Message :=""' (6) control::Reply-Message := (6) } # update = noop (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) [preprocess] = ok (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 169 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x06df9fcc037686aa (6) eap: Finished EAP session with state 0x06df9fcc037686aa (6) eap: Previous EAP request found for state 0x06df9fcc037686aa, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 170 length 43 (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) TLS-Session-Version = "TLS 1.0" (6) Sent Access-Challenge Id 31 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (6) EAP-Message = 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406 708676f7c33e1183170f61d947 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x06df9fcc007586aa43639075ca7d333a (6) Finished request Waking up in 4.5 seconds. (7) Received Access-Request Id 32 from 172.100.0.60:49947 to 172.16.0.100:1812 length 393 (7) User-Name = "mypc-pc\\Administrator" (7) NAS-Port = 20497 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = "44a8-42f7-952d" (7) NAS-Identifier = "S5735_K6_SW1" (7) NAS-Port-Type = Ethernet (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (7) State = 0x06df9fcc007586aa43639075ca7d333a (7) EAP-Message = 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b22703 3be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77 (7) Called-Station-Id = "44-67-47-26-F7-90" (7) Login-IP-Host = 0.0.0.0 (7) NAS-IP-Address = 172.100.0.60 (7) Framed-MTU = 1500 (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (7) Huawei-Startup-Stamp = 1589932873 (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (7) Huawei-Connect-ID = 45 (7) Huawei-Version = "Huawei S5735" (7) Huawei-Product-ID = "S5735" (7) Huawei-User-Mac = "\000\000\000\001" (7) Huawei-Domain-Name = "default" (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.0" (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) EXPAND --calledStationID=%{Called-Station-Id} (7) --> --calledStationID=44-67-47-26-F7-90 (7) EXPAND --callingStationID=%{Calling-Station-Id} (7) --> --callingStationID=44a8-42f7-952d (7) EXPAND --connectInfo=%{Connect-Info} (7) --> --connectInfo= (7) EXPAND --framedMTU=%{Framed-MTU} (7) --> --framedMTU=1500 (7) EXPAND --framedProtocol=%{Framed-Protocol} (7) --> --framedProtocol=PPP (7) EXPAND --nasIdentifier=%{NAS-Identifier} (7) --> --nasIdentifier=S5735_K6_SW1 (7) EXPAND --nasIPAddress=%{NAS-IP-Address} (7) --> --nasIPAddress=172.100.0.60 (7) EXPAND --nasPort=%{NAS-Port} (7) --> --nasPort=20497 (7) EXPAND --nasPortID=%{NAS-Port-Id} (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (7) EXPAND --nasPortType=%{NAS-Port-Type} (7) --> --nasPortType=Ethernet (7) EXPAND --serviceType=%{Service-Type} (7) --> --serviceType=Framed-User (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (7) --> --tunnelMediumType= (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (7) --> --tunnelPrivateGroupID= (7) EXPAND --tunnelType=%{Tunnel-Type} (7) --> --tunnelType= (7) Program returned code (0) and output 'Reply-Message :=""' (7) control::Reply-Message := (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [preprocess] = ok (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 59 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x06df9fcc007586aa (7) eap: Finished EAP session with state 0x06df9fcc007586aa (7) eap: Previous EAP request found for state 0x06df9fcc007586aa, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - mypc-pc\Administrator (7) eap_peap: Got inner identity 'mypc-pc\Administrator' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: Setting User-Name to mypc-pc\Administrator (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "mypc-pc\\Administrator" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "mypc-pc\\Administrator" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) Program returned code (0) and output 'Idle-Timeout := "30"' (7) reply::Idle-Timeout := 30 (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 28 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 43 (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Idle-Timeout := 30 (7) EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 75 (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) TLS-Session-Version = "TLS 1.0" (7) Sent Access-Challenge Id 32 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (7) EAP-Message = 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846 e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584 277bbb9e717bf568d0b7c39b9b21 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x06df9fcc017486aa43639075ca7d333a (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 33 from 172.100.0.60:49947 to 172.16.0.100:1812 length 441 (8) User-Name = "mypc-pc\\Administrator" (8) NAS-Port = 20497 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = "44a8-42f7-952d" (8) NAS-Identifier = "S5735_K6_SW1" (8) NAS-Port-Type = Ethernet (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (8) State = 0x06df9fcc017486aa43639075ca7d333a (8) EAP-Message = 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67 fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514 b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22 e8f68156c08b94226c0358519793f0 (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc (8) Called-Station-Id = "44-67-47-26-F7-90" (8) Login-IP-Host = 0.0.0.0 (8) NAS-IP-Address = 172.100.0.60 (8) Framed-MTU = 1500 (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (8) Huawei-Startup-Stamp = 1589932873 (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (8) Huawei-Connect-ID = 45 (8) Huawei-Version = "Huawei S5735" (8) Huawei-Product-ID = "S5735" (8) Huawei-User-Mac = "\000\000\000\001" (8) Huawei-Domain-Name = "default" (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) &session-state:TLS-Session-Version = "TLS 1.0" (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) EXPAND --calledStationID=%{Called-Station-Id} (8) --> --calledStationID=44-67-47-26-F7-90 (8) EXPAND --callingStationID=%{Calling-Station-Id} (8) --> --callingStationID=44a8-42f7-952d (8) EXPAND --connectInfo=%{Connect-Info} (8) --> --connectInfo= (8) EXPAND --framedMTU=%{Framed-MTU} (8) --> --framedMTU=1500 (8) EXPAND --framedProtocol=%{Framed-Protocol} (8) --> --framedProtocol=PPP (8) EXPAND --nasIdentifier=%{NAS-Identifier} (8) --> --nasIdentifier=S5735_K6_SW1 (8) EXPAND --nasIPAddress=%{NAS-IP-Address} (8) --> --nasIPAddress=172.100.0.60 (8) EXPAND --nasPort=%{NAS-Port} (8) --> --nasPort=20497 (8) EXPAND --nasPortID=%{NAS-Port-Id} (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (8) EXPAND --nasPortType=%{NAS-Port-Type} (8) --> --nasPortType=Ethernet (8) EXPAND --serviceType=%{Service-Type} (8) --> --serviceType=Framed-User (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (8) --> --tunnelMediumType= (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (8) --> --tunnelPrivateGroupID= (8) EXPAND --tunnelType=%{Tunnel-Type} (8) --> --tunnelType= (8) Program returned code (0) and output 'Reply-Message :=""' (8) control::Reply-Message := (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [preprocess] = ok (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0x06df9fcc017486aa (8) eap: Previous EAP request found for state 0x06df9fcc017486aa, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: Setting User-Name to mypc-pc\Administrator (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "mypc-pc\\Administrator" (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "mypc-pc\\Administrator" (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) Program returned code (0) and output 'Idle-Timeout := "30"' (8) reply::Idle-Timeout := 30 (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 72 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a (8) eap: Previous EAP request found for state 0xb29197b0b23a8d1a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (8) mschap: --> --username=Administrator (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=54f8ede55f4a4abb (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55 (8) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001) (8) mschap: Authentication failed (8) eap_mschapv2: [mschap] = fail (8) eap_mschapv2: } # authenticate = fail (8) eap: Sending EAP Failure (code 4) ID 171 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> mypc-pc\\Administrator (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'Reading winbind reply failed! (0xc0000001)\'' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) EAP-Message = 0x04ab0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 172 length 43 (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) TLS-Session-Version = "TLS 1.0" (8) Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (8) Sent Access-Challenge Id 33 from 172.16.0.100:1812 to 172.100.0.60:49947 length 0 (8) EAP-Message = 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f82 46a377c0748067abbfc703e7f7 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x06df9fcc0e7386aa43639075ca7d333a (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 34 from 172.100.0.60:49947 to 172.16.0.100:1812 length 377 (9) User-Name = "mypc-pc\\Administrator" (9) NAS-Port = 20497 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = "44a8-42f7-952d" (9) NAS-Identifier = "S5735_K6_SW1" (9) NAS-Port-Type = Ethernet (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (9) State = 0x06df9fcc0e7386aa43639075ca7d333a (9) EAP-Message = 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de66 1047ec0e47760dd1c38e3479ce (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e (9) Called-Station-Id = "44-67-47-26-F7-90" (9) Login-IP-Host = 0.0.0.0 (9) NAS-IP-Address = 172.100.0.60 (9) Framed-MTU = 1500 (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (9) Huawei-Startup-Stamp = 1589932873 (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (9) Huawei-Connect-ID = 45 (9) Huawei-Version = "Huawei S5735" (9) Huawei-Product-ID = "S5735" (9) Huawei-User-Mac = "\000\000\000\001" (9) Huawei-Domain-Name = "default" (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (9) &session-state:TLS-Session-Version = "TLS 1.0" (9) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (9) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (9) authorize { (9) update { (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (9) EXPAND --username=%{User-Name} (9) --> --username=mypc-pc\\Administrator (9) EXPAND --calledStationID=%{Called-Station-Id} (9) --> --calledStationID=44-67-47-26-F7-90 (9) EXPAND --callingStationID=%{Calling-Station-Id} (9) --> --callingStationID=44a8-42f7-952d (9) EXPAND --connectInfo=%{Connect-Info} (9) --> --connectInfo= (9) EXPAND --framedMTU=%{Framed-MTU} (9) --> --framedMTU=1500 (9) EXPAND --framedProtocol=%{Framed-Protocol} (9) --> --framedProtocol=PPP (9) EXPAND --nasIdentifier=%{NAS-Identifier} (9) --> --nasIdentifier=S5735_K6_SW1 (9) EXPAND --nasIPAddress=%{NAS-IP-Address} (9) --> --nasIPAddress=172.100.0.60 (9) EXPAND --nasPort=%{NAS-Port} (9) --> --nasPort=20497 (9) EXPAND --nasPortID=%{NAS-Port-Id} (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (9) EXPAND --nasPortType=%{NAS-Port-Type} (9) --> --nasPortType=Ethernet (9) EXPAND --serviceType=%{Service-Type} (9) --> --serviceType=Framed-User (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (9) --> --tunnelMediumType= (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (9) --> --tunnelPrivateGroupID= (9) EXPAND --tunnelType=%{Tunnel-Type} (9) --> --tunnelType= (9) Program returned code (0) and output 'Reply-Message :=""' (9) control::Reply-Message := (9) } # update = noop (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = noop (9) } # policy filter_username = noop (9) [preprocess] = ok (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 172 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa (9) eap: Previous EAP request found for state 0x06df9fcc0e7386aa, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 172 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> mypc-pc\\Administrator (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 34 from 172.16.0.100:1812 to 172.100.0.60:49947 length 44 (9) EAP-Message = 0x04ac0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.3 seconds. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Therefore I thought I might have misconfigured something on the FreeRADIUS side yes, that is correct, your missing there parts also..
Both links how what you need. its mainly these 2. ntlm auth = mschapv2-and-ntlmv2-only and ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key but please read the sites and follow the instructions in the radius config, then it will "just" work ;-) Greetz, Louis Van: Vertigo Altair [mailto:vertigo.altair@gmail.com] Verzonden: dinsdag 22 juni 2021 9:29 Aan: FreeRadius users mailing list CC: L.P.H. van Belle Onderwerp: Re: MSCHAP DC Server Authentication winbind reply failed Thanks for your help, but when I run ntlm_auth and wbinfo manually, there is no problem. Therefore I thought I might have misconfigured something on the FreeRADIUS side. On Tue, 22 Jun 2021 at 10:12, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I think you should fix your samba setup first. Your smb.conf is not correctly setup and without that being correctly ntlm_auth is not going to work in free radius Read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member And read : https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di... For FreeRadius and auth only, RID (or autorid) setup is sufficient Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Vertigo Altair Verzonden: maandag 21 juni 2021 21:26 Aan: FreeRadius users mailing list Onderwerp: MSCHAP DC Server Authentication winbind reply failed
Hi FreeRADIUS!
I'm trying to use FreeRADIUS with MSCHAP through a DC server. However, I'm getting an error like "winbind reply failed!"
I'm running on OpenBSD 6.9.
FreeRADIUS version:
# /usr/local/sbin/radiusd -v | head -1 radiusd: FreeRADIUS Version 3.0.21, for host x86_64-unknown-openbsd6.9, built on Apr 20 2021 at 05:14:02 #
My configuration is like that;
=============
# cat /etc/samba/smb.conf [global]
winbind use default domain = no security = ads netbios name = myhost workgroup = MYWORKGROUP realm = zz.example.com password server = zz.example.com
==============
I joined the DC server successfully;
# net join -U myadmin Using short domain name -- XX Joined 'YY' to dns domain 'zz.example.com' No DNS domain configured for myhost. Unable to perform DNS Update.
============= I can make challange based authentication with wbinfo;
# wbinfo -a myuser%mypass plaintext password authentication failed <<< FAIL Could not authenticate user myuser%mypass with plaintext password challenge/response password authentication succeeded #
===============
And also with ntlm_auth;
# ntlm_auth --request-nt-key --username myuser Password: myuser NT_STATUS_OK: The operation completed successfully. (0x0) #
==================
I've created a user named "winbindd_priv" and added this user the _freeradius group to access winbind privileged socket from FreeRADIUS
# cat /etc/group |grep winbind winbindd_priv:*:1000:_freeradius
# ls -la /var/run/samba/winbindd* -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39 /var/run/samba/winbindd.pid
/var/run/samba/winbindd: srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe #
===================
I couldn't see anything wrong there, I followed the official documentation properly. I'm getting "winbind reply failed!" error anyway.
The full output from radiusd -X;
======================
(0) Received Access-Request Id 25 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 338 (0) User-Name = "mypc-pc\\Administrator" (0) NAS-Port = 20497 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) Calling-Station-Id = "44a8-42f7-952d" (0) NAS-Identifier = "S5735_K6_SW1" (0) NAS-Port-Type = Ethernet (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (0) EAP-Message = 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72 (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e (0) Called-Station-Id = "44-67-47-26-F7-90" (0) NAS-IP-Address = 172.100.0.60 (0) Framed-MTU = 1500 (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (0) Huawei-Startup-Stamp = 1589932873 (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (0) Huawei-Connect-ID = 45 (0) Huawei-Version = "Huawei S5735" (0) Huawei-Product-ID = "S5735" (0) Huawei-User-Mac = "\000\000\000\001" (0) Huawei-Domain-Name = "default" (0) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (0) authorize { (0) update { (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (0) EXPAND --username=%{User-Name} (0) --> --username=mypc-pc\\Administrator (0) EXPAND --calledStationID=%{Called-Station-Id} (0) --> --calledStationID=44-67-47-26-F7-90 (0) EXPAND --callingStationID=%{Calling-Station-Id} (0) --> --callingStationID=44a8-42f7-952d (0) EXPAND --connectInfo=%{Connect-Info} (0) --> --connectInfo= (0) EXPAND --framedMTU=%{Framed-MTU} (0) --> --framedMTU=1500 (0) EXPAND --framedProtocol=%{Framed-Protocol} (0) --> --framedProtocol=PPP (0) EXPAND --nasIdentifier=%{NAS-Identifier} (0) --> --nasIdentifier=S5735_K6_SW1 (0) EXPAND --nasIPAddress=%{NAS-IP-Address} (0) --> --nasIPAddress=172.100.0.60 (0) EXPAND --nasPort=%{NAS-Port} (0) --> --nasPort=20497 (0) EXPAND --nasPortID=%{NAS-Port-Id} (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (0) EXPAND --nasPortType=%{NAS-Port-Type} (0) --> --nasPortType=Ethernet (0) EXPAND --serviceType=%{Service-Type} (0) --> --serviceType=Framed-User (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (0) --> --tunnelMediumType= (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (0) --> --tunnelPrivateGroupID= (0) EXPAND --tunnelType=%{Tunnel-Type} (0) --> --tunnelType= (0) Program returned code (0) and output 'Reply-Message :=""' (0) control::Reply-Message := (0) } # update = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 163 length 28 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 164 length 22 (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 25 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x06df9fcc067b9baa43639075ca7d333a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 26 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340 (1) User-Name = "mypc-pc\\Administrator" (1) NAS-Port = 20497 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = "44a8-42f7-952d" (1) NAS-Identifier = "S5735_K6_SW1" (1) NAS-Port-Type = Ethernet (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (1) State = 0x06df9fcc067b9baa43639075ca7d333a (1) EAP-Message = 0x02a400060319 (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c (1) Called-Station-Id = "44-67-47-26-F7-90" (1) Login-IP-Host = 0.0.0.0 (1) NAS-IP-Address = 172.100.0.60 (1) Framed-MTU = 1500 (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (1) Huawei-Startup-Stamp = 1589932873 (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (1) Huawei-Connect-ID = 45 (1) Huawei-Version = "Huawei S5735" (1) Huawei-Product-ID = "S5735" (1) Huawei-User-Mac = "\000\000\000\001" (1) Huawei-Domain-Name = "default" (1) session-state: No cached attributes (1) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (1) authorize { (1) update { (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (1) EXPAND --username=%{User-Name} (1) --> --username=mypc-pc\\Administrator (1) EXPAND --calledStationID=%{Called-Station-Id} (1) --> --calledStationID=44-67-47-26-F7-90 (1) EXPAND --callingStationID=%{Calling-Station-Id} (1) --> --callingStationID=44a8-42f7-952d (1) EXPAND --connectInfo=%{Connect-Info} (1) --> --connectInfo= (1) EXPAND --framedMTU=%{Framed-MTU} (1) --> --framedMTU=1500 (1) EXPAND --framedProtocol=%{Framed-Protocol} (1) --> --framedProtocol=PPP (1) EXPAND --nasIdentifier=%{NAS-Identifier} (1) --> --nasIdentifier=S5735_K6_SW1 (1) EXPAND --nasIPAddress=%{NAS-IP-Address} (1) --> --nasIPAddress=172.100.0.60 (1) EXPAND --nasPort=%{NAS-Port} (1) --> --nasPort=20497 (1) EXPAND --nasPortID=%{NAS-Port-Id} (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (1) EXPAND --nasPortType=%{NAS-Port-Type} (1) --> --nasPortType=Ethernet (1) EXPAND --serviceType=%{Service-Type} (1) --> --serviceType=Framed-User (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (1) --> --tunnelMediumType= (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (1) --> --tunnelPrivateGroupID= (1) EXPAND --tunnelType=%{Tunnel-Type} (1) --> --tunnelType= (1) Program returned code (0) and output 'Reply-Message :=""' (1) control::Reply-Message := (1) } # update = noop (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = noop (1) } # policy filter_username = noop (1) [preprocess] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 164 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa (1) eap: Finished EAP session with state 0x06df9fcc067b9baa (1) eap: Previous EAP request found for state 0x06df9fcc067b9baa, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 165 length 6 (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 26 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (1) EAP-Message = 0x01a500061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x06df9fcc077a86aa43639075ca7d333a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 27 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 447 (2) User-Name = "mypc-pc\\Administrator" (2) NAS-Port = 20497 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = "44a8-42f7-952d" (2) NAS-Identifier = "S5735_K6_SW1" (2) NAS-Port-Type = Ethernet (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (2) State = 0x06df9fcc077a86aa43639075ca7d333a (2) EAP-Message = 0x02a5007119800000006716030100620100005e030160d0e32a6722bce315 95a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c01300 3900330035002fc00ac00900380032000a00130005000401000019000a0006 000400170018000b0002010000170000ff01000100 (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0 (2) Called-Station-Id = "44-67-47-26-F7-90" (2) Login-IP-Host = 0.0.0.0 (2) NAS-IP-Address = 172.100.0.60 (2) Framed-MTU = 1500 (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (2) Huawei-Startup-Stamp = 1589932873 (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (2) Huawei-Connect-ID = 45 (2) Huawei-Version = "Huawei S5735" (2) Huawei-Product-ID = "S5735" (2) Huawei-User-Mac = "\000\000\000\001" (2) Huawei-Domain-Name = "default" (2) session-state: No cached attributes (2) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (2) authorize { (2) update { (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (2) EXPAND --username=%{User-Name} (2) --> --username=mypc-pc\\Administrator (2) EXPAND --calledStationID=%{Called-Station-Id} (2) --> --calledStationID=44-67-47-26-F7-90 (2) EXPAND --callingStationID=%{Calling-Station-Id} (2) --> --callingStationID=44a8-42f7-952d (2) EXPAND --connectInfo=%{Connect-Info} (2) --> --connectInfo= (2) EXPAND --framedMTU=%{Framed-MTU} (2) --> --framedMTU=1500 (2) EXPAND --framedProtocol=%{Framed-Protocol} (2) --> --framedProtocol=PPP (2) EXPAND --nasIdentifier=%{NAS-Identifier} (2) --> --nasIdentifier=S5735_K6_SW1 (2) EXPAND --nasIPAddress=%{NAS-IP-Address} (2) --> --nasIPAddress=172.100.0.60 (2) EXPAND --nasPort=%{NAS-Port} (2) --> --nasPort=20497 (2) EXPAND --nasPortID=%{NAS-Port-Id} (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (2) EXPAND --nasPortType=%{NAS-Port-Type} (2) --> --nasPortType=Ethernet (2) EXPAND --serviceType=%{Service-Type} (2) --> --serviceType=Framed-User (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (2) --> --tunnelMediumType= (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (2) --> --tunnelPrivateGroupID= (2) EXPAND --tunnelType=%{Tunnel-Type} (2) --> --tunnelType= (2) Program returned code (0) and output 'Reply-Message :=""' (2) control::Reply-Message := (2) } # update = noop (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = noop (2) } # policy filter_username = noop (2) [preprocess] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 165 length 113 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa (2) eap: Finished EAP session with state 0x06df9fcc077a86aa (2) eap: Previous EAP request found for state 0x06df9fcc077a86aa, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes (2) eap_peap: Got complete TLS record (103 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before accept initialization (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 2687 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 166 length 1004 (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 27 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (2) EAP-Message = 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2 a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01 000100000b0002010016030108e50b0008e10008de0003e8308203e4308202 cca003020102020101300d06092a864886f70d01010b0500308196310b3009 060355040613025452310e300c06035504080c05495a4d4952310d300b0603 5504070c0455524c4131173015060355040a0c0e5061727461204e6574776f 726b733120301e06092a864886f70d0109011611696e666f4070617274612e 636f6d2e7472312d302b06035504030c245061727461204e6574776f726b73 20436572746966696361746520417574686f72697479301e170d3230303333 313131323930385a170d3330303332393131323930385a308182310b300906 0355040613025452310e300c06035504080c05495a4d495231173015060355 040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x06df9fcc047986aa43639075ca7d333a (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 28 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340 (3) User-Name = "mypc-pc\\Administrator" (3) NAS-Port = 20497 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = "44a8-42f7-952d" (3) NAS-Identifier = "S5735_K6_SW1" (3) NAS-Port-Type = Ethernet (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (3) State = 0x06df9fcc047986aa43639075ca7d333a (3) EAP-Message = 0x02a600061900 (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a (3) Called-Station-Id = "44-67-47-26-F7-90" (3) Login-IP-Host = 0.0.0.0 (3) NAS-IP-Address = 172.100.0.60 (3) Framed-MTU = 1500 (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (3) Huawei-Startup-Stamp = 1589932873 (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (3) Huawei-Connect-ID = 45 (3) Huawei-Version = "Huawei S5735" (3) Huawei-Product-ID = "S5735" (3) Huawei-User-Mac = "\000\000\000\001" (3) Huawei-Domain-Name = "default" (3) session-state: No cached attributes (3) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (3) authorize { (3) update { (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (3) EXPAND --username=%{User-Name} (3) --> --username=mypc-pc\\Administrator (3) EXPAND --calledStationID=%{Called-Station-Id} (3) --> --calledStationID=44-67-47-26-F7-90 (3) EXPAND --callingStationID=%{Calling-Station-Id} (3) --> --callingStationID=44a8-42f7-952d (3) EXPAND --connectInfo=%{Connect-Info} (3) --> --connectInfo= (3) EXPAND --framedMTU=%{Framed-MTU} (3) --> --framedMTU=1500 (3) EXPAND --framedProtocol=%{Framed-Protocol} (3) --> --framedProtocol=PPP (3) EXPAND --nasIdentifier=%{NAS-Identifier} (3) --> --nasIdentifier=S5735_K6_SW1 (3) EXPAND --nasIPAddress=%{NAS-IP-Address} (3) --> --nasIPAddress=172.100.0.60 (3) EXPAND --nasPort=%{NAS-Port} (3) --> --nasPort=20497 (3) EXPAND --nasPortID=%{NAS-Port-Id} (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (3) EXPAND --nasPortType=%{NAS-Port-Type} (3) --> --nasPortType=Ethernet (3) EXPAND --serviceType=%{Service-Type} (3) --> --serviceType=Framed-User (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (3) --> --tunnelMediumType= (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (3) --> --tunnelPrivateGroupID= (3) EXPAND --tunnelType=%{Tunnel-Type} (3) --> --tunnelType= (3) Program returned code (0) and output 'Reply-Message :=""' (3) control::Reply-Message := (3) } # update = noop (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = noop (3) } # policy filter_username = noop (3) [preprocess] = ok (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 166 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x06df9fcc047986aa (3) eap: Finished EAP session with state 0x06df9fcc047986aa (3) eap: Previous EAP request found for state 0x06df9fcc047986aa, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 167 length 1000 (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 28 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (3) EAP-Message = 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbd fd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0f a9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f03082 04ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f7 0d01010b0500308196310b3009060355040613025452310e300c0603550408 0c05495a4d4952310d300b06035504070c0455524c4131173015060355040a 0c0e5061727461204e6574776f726b733120301e06092a864886f70d010901 1611696e666f4070617274612e636f6d2e7472312d302b06035504030c2450 61727461204e6574776f726b7320436572746966696361746520417574686f 72697479301e170d3230303333313131323930385a170d3330303332393131 323930385a308196310b3009060355040613025452310e300c06035504080c 05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x06df9fcc057886aa43639075ca7d333a (3) Finished request Waking up in 4.7 seconds. (4) Received Access-Request Id 29 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340 (4) User-Name = "mypc-pc\\Administrator" (4) NAS-Port = 20497 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = "44a8-42f7-952d" (4) NAS-Identifier = "S5735_K6_SW1" (4) NAS-Port-Type = Ethernet (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (4) State = 0x06df9fcc057886aa43639075ca7d333a (4) EAP-Message = 0x02a700061900 (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4 (4) Called-Station-Id = "44-67-47-26-F7-90" (4) Login-IP-Host = 0.0.0.0 (4) NAS-IP-Address = 172.100.0.60 (4) Framed-MTU = 1500 (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (4) Huawei-Startup-Stamp = 1589932873 (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (4) Huawei-Connect-ID = 45 (4) Huawei-Version = "Huawei S5735" (4) Huawei-Product-ID = "S5735" (4) Huawei-User-Mac = "\000\000\000\001" (4) Huawei-Domain-Name = "default" (4) session-state: No cached attributes (4) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (4) authorize { (4) update { (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (4) EXPAND --username=%{User-Name} (4) --> --username=mypc-pc\\Administrator (4) EXPAND --calledStationID=%{Called-Station-Id} (4) --> --calledStationID=44-67-47-26-F7-90 (4) EXPAND --callingStationID=%{Calling-Station-Id} (4) --> --callingStationID=44a8-42f7-952d (4) EXPAND --connectInfo=%{Connect-Info} (4) --> --connectInfo= (4) EXPAND --framedMTU=%{Framed-MTU} (4) --> --framedMTU=1500 (4) EXPAND --framedProtocol=%{Framed-Protocol} (4) --> --framedProtocol=PPP (4) EXPAND --nasIdentifier=%{NAS-Identifier} (4) --> --nasIdentifier=S5735_K6_SW1 (4) EXPAND --nasIPAddress=%{NAS-IP-Address} (4) --> --nasIPAddress=172.100.0.60 (4) EXPAND --nasPort=%{NAS-Port} (4) --> --nasPort=20497 (4) EXPAND --nasPortID=%{NAS-Port-Id} (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (4) EXPAND --nasPortType=%{NAS-Port-Type} (4) --> --nasPortType=Ethernet (4) EXPAND --serviceType=%{Service-Type} (4) --> --serviceType=Framed-User (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (4) --> --tunnelMediumType= (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (4) --> --tunnelPrivateGroupID= (4) EXPAND --tunnelType=%{Tunnel-Type} (4) --> --tunnelType= (4) Program returned code (0) and output 'Reply-Message :=""' (4) control::Reply-Message := (4) } # update = noop (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = noop (4) } # policy filter_username = noop (4) [preprocess] = ok (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 167 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x06df9fcc057886aa (4) eap: Finished EAP session with state 0x06df9fcc057886aa (4) eap: Previous EAP request found for state 0x06df9fcc057886aa, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 168 length 705 (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 29 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (4) EAP-Message = 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30 350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e7061 7274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886 f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6d c2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd 8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b 6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a5709816 56b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f1 62fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd 20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343 df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e75462374 8cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x06df9fcc027786aa43639075ca7d333a (4) Finished request Waking up in 4.6 seconds. (5) Received Access-Request Id 30 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 478 (5) User-Name = "mypc-pc\\Administrator" (5) NAS-Port = 20497 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = "44a8-42f7-952d" (5) NAS-Identifier = "S5735_K6_SW1" (5) NAS-Port-Type = Ethernet (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (5) State = 0x06df9fcc027786aa43639075ca7d333a (5) EAP-Message = 0x02a800901980000000861603010046100000424104c7b577ecf031abd558 556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f1 99787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116 030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598dae f254ac64514ddef71c035306cdc1fea1cbdd58dcce (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9 (5) Called-Station-Id = "44-67-47-26-F7-90" (5) Login-IP-Host = 0.0.0.0 (5) NAS-IP-Address = 172.100.0.60 (5) Framed-MTU = 1500 (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (5) Huawei-Startup-Stamp = 1589932873 (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (5) Huawei-Connect-ID = 45 (5) Huawei-Version = "Huawei S5735" (5) Huawei-Product-ID = "S5735" (5) Huawei-User-Mac = "\000\000\000\001" (5) Huawei-Domain-Name = "default" (5) session-state: No cached attributes (5) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (5) authorize { (5) update { (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (5) EXPAND --username=%{User-Name} (5) --> --username=mypc-pc\\Administrator (5) EXPAND --calledStationID=%{Called-Station-Id} (5) --> --calledStationID=44-67-47-26-F7-90 (5) EXPAND --callingStationID=%{Calling-Station-Id} (5) --> --callingStationID=44a8-42f7-952d (5) EXPAND --connectInfo=%{Connect-Info} (5) --> --connectInfo= (5) EXPAND --framedMTU=%{Framed-MTU} (5) --> --framedMTU=1500 (5) EXPAND --framedProtocol=%{Framed-Protocol} (5) --> --framedProtocol=PPP (5) EXPAND --nasIdentifier=%{NAS-Identifier} (5) --> --nasIdentifier=S5735_K6_SW1 (5) EXPAND --nasIPAddress=%{NAS-IP-Address} (5) --> --nasIPAddress=172.100.0.60 (5) EXPAND --nasPort=%{NAS-Port} (5) --> --nasPort=20497 (5) EXPAND --nasPortID=%{NAS-Port-Id} (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (5) EXPAND --nasPortType=%{NAS-Port-Type} (5) --> --nasPortType=Ethernet (5) EXPAND --serviceType=%{Service-Type} (5) --> --serviceType=Framed-User (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (5) --> --tunnelMediumType= (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (5) --> --tunnelPrivateGroupID= (5) EXPAND --tunnelType=%{Tunnel-Type} (5) --> --tunnelType= (5) Program returned code (0) and output 'Reply-Message :=""' (5) control::Reply-Message := (5) } # update = noop (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = noop (5) } # policy filter_username = noop (5) [preprocess] = ok (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 168 length 144 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x06df9fcc027786aa (5) eap: Finished EAP session with state 0x06df9fcc027786aa (5) eap: Previous EAP request found for state 0x06df9fcc027786aa, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes (5) eap_peap: Got complete TLS record (134 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: TLS - Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) eap_peap: TLS-Session-Version = "TLS 1.0" (5) eap_peap: TLS - got 59 bytes of data (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 169 length 65 (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) TLS-Session-Version = "TLS 1.0" (5) Sent Access-Challenge Id 30 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (5) EAP-Message = 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980ad be6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x06df9fcc037686aa43639075ca7d333a (5) Finished request Waking up in 4.6 seconds. (6) Received Access-Request Id 31 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340 (6) User-Name = "mypc-pc\\Administrator" (6) NAS-Port = 20497 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = "44a8-42f7-952d" (6) NAS-Identifier = "S5735_K6_SW1" (6) NAS-Port-Type = Ethernet (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (6) State = 0x06df9fcc037686aa43639075ca7d333a (6) EAP-Message = 0x02a900061900 (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe (6) Called-Station-Id = "44-67-47-26-F7-90" (6) Login-IP-Host = 0.0.0.0 (6) NAS-IP-Address = 172.100.0.60 (6) Framed-MTU = 1500 (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (6) Huawei-Startup-Stamp = 1589932873 (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (6) Huawei-Connect-ID = 45 (6) Huawei-Version = "Huawei S5735" (6) Huawei-Product-ID = "S5735" (6) Huawei-User-Mac = "\000\000\000\001" (6) Huawei-Domain-Name = "default" (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.0" (6) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (6) authorize { (6) update { (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (6) EXPAND --username=%{User-Name} (6) --> --username=mypc-pc\\Administrator (6) EXPAND --calledStationID=%{Called-Station-Id} (6) --> --calledStationID=44-67-47-26-F7-90 (6) EXPAND --callingStationID=%{Calling-Station-Id} (6) --> --callingStationID=44a8-42f7-952d (6) EXPAND --connectInfo=%{Connect-Info} (6) --> --connectInfo= (6) EXPAND --framedMTU=%{Framed-MTU} (6) --> --framedMTU=1500 (6) EXPAND --framedProtocol=%{Framed-Protocol} (6) --> --framedProtocol=PPP (6) EXPAND --nasIdentifier=%{NAS-Identifier} (6) --> --nasIdentifier=S5735_K6_SW1 (6) EXPAND --nasIPAddress=%{NAS-IP-Address} (6) --> --nasIPAddress=172.100.0.60 (6) EXPAND --nasPort=%{NAS-Port} (6) --> --nasPort=20497 (6) EXPAND --nasPortID=%{NAS-Port-Id} (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (6) EXPAND --nasPortType=%{NAS-Port-Type} (6) --> --nasPortType=Ethernet (6) EXPAND --serviceType=%{Service-Type} (6) --> --serviceType=Framed-User (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (6) --> --tunnelMediumType= (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (6) --> --tunnelPrivateGroupID= (6) EXPAND --tunnelType=%{Tunnel-Type} (6) --> --tunnelType= (6) Program returned code (0) and output 'Reply-Message :=""' (6) control::Reply-Message := (6) } # update = noop (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = noop (6) } # policy filter_username = noop (6) [preprocess] = ok (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 169 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x06df9fcc037686aa (6) eap: Finished EAP session with state 0x06df9fcc037686aa (6) eap: Previous EAP request found for state 0x06df9fcc037686aa, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 170 length 43 (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) TLS-Session-Version = "TLS 1.0" (6) Sent Access-Challenge Id 31 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (6) EAP-Message = 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406 708676f7c33e1183170f61d947 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x06df9fcc007586aa43639075ca7d333a (6) Finished request Waking up in 4.5 seconds. (7) Received Access-Request Id 32 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 393 (7) User-Name = "mypc-pc\\Administrator" (7) NAS-Port = 20497 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = "44a8-42f7-952d" (7) NAS-Identifier = "S5735_K6_SW1" (7) NAS-Port-Type = Ethernet (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (7) State = 0x06df9fcc007586aa43639075ca7d333a (7) EAP-Message = 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b22703 3be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77 (7) Called-Station-Id = "44-67-47-26-F7-90" (7) Login-IP-Host = 0.0.0.0 (7) NAS-IP-Address = 172.100.0.60 (7) Framed-MTU = 1500 (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (7) Huawei-Startup-Stamp = 1589932873 (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (7) Huawei-Connect-ID = 45 (7) Huawei-Version = "Huawei S5735" (7) Huawei-Product-ID = "S5735" (7) Huawei-User-Mac = "\000\000\000\001" (7) Huawei-Domain-Name = "default" (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.0" (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) EXPAND --calledStationID=%{Called-Station-Id} (7) --> --calledStationID=44-67-47-26-F7-90 (7) EXPAND --callingStationID=%{Calling-Station-Id} (7) --> --callingStationID=44a8-42f7-952d (7) EXPAND --connectInfo=%{Connect-Info} (7) --> --connectInfo= (7) EXPAND --framedMTU=%{Framed-MTU} (7) --> --framedMTU=1500 (7) EXPAND --framedProtocol=%{Framed-Protocol} (7) --> --framedProtocol=PPP (7) EXPAND --nasIdentifier=%{NAS-Identifier} (7) --> --nasIdentifier=S5735_K6_SW1 (7) EXPAND --nasIPAddress=%{NAS-IP-Address} (7) --> --nasIPAddress=172.100.0.60 (7) EXPAND --nasPort=%{NAS-Port} (7) --> --nasPort=20497 (7) EXPAND --nasPortID=%{NAS-Port-Id} (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (7) EXPAND --nasPortType=%{NAS-Port-Type} (7) --> --nasPortType=Ethernet (7) EXPAND --serviceType=%{Service-Type} (7) --> --serviceType=Framed-User (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (7) --> --tunnelMediumType= (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (7) --> --tunnelPrivateGroupID= (7) EXPAND --tunnelType=%{Tunnel-Type} (7) --> --tunnelType= (7) Program returned code (0) and output 'Reply-Message :=""' (7) control::Reply-Message := (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [preprocess] = ok (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 59 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x06df9fcc007586aa (7) eap: Finished EAP session with state 0x06df9fcc007586aa (7) eap: Previous EAP request found for state 0x06df9fcc007586aa, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - mypc-pc\Administrator (7) eap_peap: Got inner identity 'mypc-pc\Administrator' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: Setting User-Name to mypc-pc\Administrator (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "mypc-pc\\Administrator" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "mypc-pc\\Administrator" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update { (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (7) EXPAND --username=%{User-Name} (7) --> --username=mypc-pc\\Administrator (7) Program returned code (0) and output 'Idle-Timeout := "30"' (7) reply::Idle-Timeout := 30 (7) } # update = noop (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = noop (7) } # policy filter_username = noop (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 170 length 28 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 43 (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Idle-Timeout := 30 (7) EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Idle-Timeout := 30 (7) eap_peap: EAP-Message = 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565 7261646975732d332e302e3231 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 171 length 75 (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) TLS-Session-Version = "TLS 1.0" (7) Sent Access-Challenge Id 32 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (7) EAP-Message = 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846 e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584 277bbb9e717bf568d0b7c39b9b21 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x06df9fcc017486aa43639075ca7d333a (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 33 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 441 (8) User-Name = "mypc-pc\\Administrator" (8) NAS-Port = 20497 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = "44a8-42f7-952d" (8) NAS-Identifier = "S5735_K6_SW1" (8) NAS-Port-Type = Ethernet (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (8) State = 0x06df9fcc017486aa43639075ca7d333a (8) EAP-Message = 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67 fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514 b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22 e8f68156c08b94226c0358519793f0 (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc (8) Called-Station-Id = "44-67-47-26-F7-90" (8) Login-IP-Host = 0.0.0.0 (8) NAS-IP-Address = 172.100.0.60 (8) Framed-MTU = 1500 (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (8) Huawei-Startup-Stamp = 1589932873 (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (8) Huawei-Connect-ID = 45 (8) Huawei-Version = "Huawei S5735" (8) Huawei-Product-ID = "S5735" (8) Huawei-User-Mac = "\000\000\000\001" (8) Huawei-Domain-Name = "default" (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) &session-state:TLS-Session-Version = "TLS 1.0" (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) EXPAND --calledStationID=%{Called-Station-Id} (8) --> --calledStationID=44-67-47-26-F7-90 (8) EXPAND --callingStationID=%{Calling-Station-Id} (8) --> --callingStationID=44a8-42f7-952d (8) EXPAND --connectInfo=%{Connect-Info} (8) --> --connectInfo= (8) EXPAND --framedMTU=%{Framed-MTU} (8) --> --framedMTU=1500 (8) EXPAND --framedProtocol=%{Framed-Protocol} (8) --> --framedProtocol=PPP (8) EXPAND --nasIdentifier=%{NAS-Identifier} (8) --> --nasIdentifier=S5735_K6_SW1 (8) EXPAND --nasIPAddress=%{NAS-IP-Address} (8) --> --nasIPAddress=172.100.0.60 (8) EXPAND --nasPort=%{NAS-Port} (8) --> --nasPort=20497 (8) EXPAND --nasPortID=%{NAS-Port-Id} (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (8) EXPAND --nasPortType=%{NAS-Port-Type} (8) --> --nasPortType=Ethernet (8) EXPAND --serviceType=%{Service-Type} (8) --> --serviceType=Framed-User (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (8) --> --tunnelMediumType= (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (8) --> --tunnelPrivateGroupID= (8) EXPAND --tunnelType=%{Tunnel-Type} (8) --> --tunnelType= (8) Program returned code (0) and output 'Reply-Message :=""' (8) control::Reply-Message := (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [preprocess] = ok (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0x06df9fcc017486aa (8) eap: Previous EAP request found for state 0x06df9fcc017486aa, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: Setting User-Name to mypc-pc\Administrator (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "mypc-pc\\Administrator" (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164 6d696e6973747261746f72 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "mypc-pc\\Administrator" (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update { (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --verify=true --control=false: (8) EXPAND --username=%{User-Name} (8) --> --username=mypc-pc\\Administrator (8) Program returned code (0) and output 'Idle-Timeout := "30"' (8) reply::Idle-Timeout := 30 (8) } # update = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = noop (8) } # policy filter_username = noop (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 171 length 72 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a (8) eap: Previous EAP request found for state 0xb29197b0b23a8d1a, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (8) mschap: --> --username=Administrator (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as MS-CHAP Name (Administrator) from EAP-MSCHAPv2 (8) mschap: Creating challenge hash with username: Administrator (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=54f8ede55f4a4abb (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55 (8) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001) (8) mschap: Authentication failed (8) eap_mschapv2: [mschap] = fail (8) eap_mschapv2: } # authenticate = fail (8) eap: Sending EAP Failure (code 4) ID 171 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /mydir/etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> mypc-pc\\Administrator (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'Reading winbind reply failed! (0xc0000001)\'' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) EAP-Message = 0x04ab0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04ab0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 172 length 43 (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (8) TLS-Session-Version = "TLS 1.0" (8) Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (8) Sent Access-Challenge Id 33 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 0 (8) EAP-Message = 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f82 46a377c0748067abbfc703e7f7 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x06df9fcc0e7386aa43639075ca7d333a (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 34 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 377 (9) User-Name = "mypc-pc\\Administrator" (9) NAS-Port = 20497 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = "44a8-42f7-952d" (9) NAS-Identifier = "S5735_K6_SW1" (9) NAS-Port-Type = Ethernet (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17" (9) State = 0x06df9fcc0e7386aa43639075ca7d333a (9) EAP-Message = 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de66 1047ec0e47760dd1c38e3479ce (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e (9) Called-Station-Id = "44-67-47-26-F7-90" (9) Login-IP-Host = 0.0.0.0 (9) NAS-IP-Address = 172.100.0.60 (9) Framed-MTU = 1500 (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d" (9) Huawei-Startup-Stamp = 1589932873 (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d" (9) Huawei-Connect-ID = 45 (9) Huawei-Version = "Huawei S5735" (9) Huawei-Product-ID = "S5735" (9) Huawei-User-Mac = "\000\000\000\001" (9) Huawei-Domain-Name = "default" (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (9) &session-state:TLS-Session-Version = "TLS 1.0" (9) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'" (9) # Executing section authorize from file /mydir/etc/raddb/sites-enabled/default (9) authorize { (9) update { (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}' --calledStationID='%{Called-Station-Id}' --callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}' --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}' --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}' --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}' --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}' --tunnelMediumType='%{Tunnel-Medium-Type}' --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}' --tunnelType='%{Tunnel-Type}' --control=false --verify=false --logging=true: (9) EXPAND --username=%{User-Name} (9) --> --username=mypc-pc\\Administrator (9) EXPAND --calledStationID=%{Called-Station-Id} (9) --> --calledStationID=44-67-47-26-F7-90 (9) EXPAND --callingStationID=%{Calling-Station-Id} (9) --> --callingStationID=44a8-42f7-952d (9) EXPAND --connectInfo=%{Connect-Info} (9) --> --connectInfo= (9) EXPAND --framedMTU=%{Framed-MTU} (9) --> --framedMTU=1500 (9) EXPAND --framedProtocol=%{Framed-Protocol} (9) --> --framedProtocol=PPP (9) EXPAND --nasIdentifier=%{NAS-Identifier} (9) --> --nasIdentifier=S5735_K6_SW1 (9) EXPAND --nasIPAddress=%{NAS-IP-Address} (9) --> --nasIPAddress=172.100.0.60 (9) EXPAND --nasPort=%{NAS-Port} (9) --> --nasPort=20497 (9) EXPAND --nasPortID=%{NAS-Port-Id} (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17 (9) EXPAND --nasPortType=%{NAS-Port-Type} (9) --> --nasPortType=Ethernet (9) EXPAND --serviceType=%{Service-Type} (9) --> --serviceType=Framed-User (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type} (9) --> --tunnelMediumType= (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID} (9) --> --tunnelPrivateGroupID= (9) EXPAND --tunnelType=%{Tunnel-Type} (9) --> --tunnelType= (9) Program returned code (0) and output 'Reply-Message :=""' (9) control::Reply-Message := (9) } # update = noop (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = noop (9) } # policy filter_username = noop (9) [preprocess] = ok (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 172 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa (9) eap: Previous EAP request found for state 0x06df9fcc0e7386aa, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 172 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> mypc-pc\\Administrator (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 34 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length 44 (9) EAP-Message = 0x04ac0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.3 seconds. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
L.P.H. van Belle -
Vertigo Altair