Not able to receive inner identity in Access-Accept (Problem revisited)
Hi, I am trying in configure my FR v3.0.4 to pass inner identity to outer in eap-peap setup. I read some of the old mails with similar issues, like the following: http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.ht... I made the following setting as suggested in the mail: 1. Update outer reply in file inner-tunnel, post auth: update outer.reply { User-Name = "%{request:User-Name}" } 2. Set "use_tunneled_reply=yes" in file eap With the above setting, I still couldn't get it working. I compared my debug with that of above article. I see the difference at this line: eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob' The above article uses "User-Name". Is this the difference? I use "Stripped-User-Name" for actual authentication against ldap, but want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases. At near the end of the debug, I even see: Stripped-User-Name = 'bigman' which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity". Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows. Fu-Keung Received Access-Request Id 23 from 10.10.1.1:3406 to 10.80.1.1:1812 length 234 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0201000b016269676d616e Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (1) Received Access-Request packet from host 10.10.1.1 port 3406, id=23, length=234 (1) User-Name = 'bigman' (1) Framed-MTU = 1450 (1) EAP-Message = 0x0201000b016269676d616e (1) Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06 (1) Chargeable-User-Identity = 0x00 (1) NAS-IP-Address = 10.10.1.1 (1) NAS-Identifier = 'WiFi-Controller-7' (1) NAS-Port = 33558758 (1) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) Calling-Station-Id = '00-18-60-68-03-EC' (1) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (1) Acct-Session-Id = '115001511383b5ab70' (1) Framed-IP-Address = 202.189.123.194 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (1) authorize { (1) filter_username filter_username { (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (1) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (1) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (1) auth_log : EXPAND %t (1) auth_log : --> Thu Jan 15 11:38:41 2015 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "bigman", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "bigman" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (1) EXPAND %{Realm} (1) --> NULL (1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (1) eap : Peer sent code Response (2) ID 1 length 11 (1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (1) authenticate { (1) eap : Peer sent method Identity (1) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c45dc8f5 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=23, length=0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xc45fd1a2c45dc8f54b145a25fcad284d Sending Access-Challenge Id 23 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c45dc8f54b145a25fcad284d (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 24 from 10.10.1.1:3406 to 10.80.1.1:1812 length 481 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976 ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060 00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500 120013000100020003000f00100011 Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c45dc8f54b145a25fcad284d (2) Received Access-Request packet from host 10.10.1.1 port 3406, id=24, length=481 (2) User-Name = 'bigman' (2) Framed-MTU = 1450 (2) EAP-Message = 0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976 ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060 00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500 120013000100020003000f00100011 (2) Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7 (2) Chargeable-User-Identity = 0x00 (2) NAS-IP-Address = 10.10.1.1 (2) NAS-Identifier = 'WiFi-Controller-7' (2) NAS-Port = 33558758 (2) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) Calling-Station-Id = '00-18-60-68-03-EC' (2) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (2) Acct-Session-Id = '115001511383b5ab70' (2) Framed-IP-Address = 202.189.123.194 (2) State = 0xc45fd1a2c45dc8f54b145a25fcad284d (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (2) authorize { (2) filter_username filter_username { (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (2) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (2) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (2) auth_log : EXPAND %t (2) auth_log : --> Thu Jan 15 11:38:41 2015 (2) [auth_log] = ok (2) [chap] = noop (2) [mschap] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "bigman", looking up realm NULL (2) suffix : Found realm "NULL" (2) suffix : Adding Stripped-User-Name = "bigman" (2) suffix : Adding Realm = "NULL" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (2) EXPAND %{Realm} (2) --> NULL (2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (2) eap : Peer sent code Response (2) ID 2 length 240 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (2) authenticate { (2) eap : Expiring EAP session with state 0xc45fd1a2c45dc8f5 (2) eap : Finished EAP session with state 0xc45fd1a2c45dc8f5 (2) eap : Previous EAP request found for state 0xc45fd1a2c45dc8f5, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 976ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e74 (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0cb2], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c55cc8f5 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=24, length=0 (2) EAP-Message = 0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1 732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311 63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30 190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333 95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b 130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707 320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920 5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d01010105000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc45fd1a2c55cc8f54b145a25fcad284d Sending Access-Challenge Id 24 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1 732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311 63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30 190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333 95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b 130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707 320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920 5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d0101010500038 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c55cc8f54b145a25fcad284d (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 25 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020300061900 Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c55cc8f54b145a25fcad284d (3) Received Access-Request packet from host 10.10.1.1 port 3406, id=25, length=247 (3) User-Name = 'bigman' (3) Framed-MTU = 1450 (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e (3) Chargeable-User-Identity = 0x00 (3) NAS-IP-Address = 10.10.1.1 (3) NAS-Identifier = 'WiFi-Controller-7' (3) NAS-Port = 33558758 (3) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Framed-Protocol = PPP (3) Calling-Station-Id = '00-18-60-68-03-EC' (3) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (3) Acct-Session-Id = '115001511383b5ab70' (3) Framed-IP-Address = 202.189.123.194 (3) State = 0xc45fd1a2c55cc8f54b145a25fcad284d (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (3) authorize { (3) filter_username filter_username { (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (3) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (3) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (3) auth_log : EXPAND %t (3) auth_log : --> Thu Jan 15 11:38:41 2015 (3) [auth_log] = ok (3) [chap] = noop (3) [mschap] = noop (3) suffix : Checking for suffix after "@" (3) suffix : No '@' in User-Name = "bigman", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "bigman" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (3) EXPAND %{Realm} (3) --> NULL (3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (3) authenticate { (3) eap : Expiring EAP session with state 0xc45fd1a2c55cc8f5 (3) eap : Finished EAP session with state 0xc45fd1a2c55cc8f5 (3) eap : Previous EAP request found for state 0xc45fd1a2c55cc8f5, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c65bc8f5 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=25, length=0 (3) EAP-Message = 0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676 56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f 677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703 a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d 46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3 88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663 c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0 0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xc45fd1a2c65bc8f54b145a25fcad284d Sending Access-Challenge Id 25 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676 56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f 677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703 a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d 46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3 88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663 c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0 0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c65bc8f54b145a25fcad284d (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 26 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020400061900 Message-Authenticator = 0x07909351500113863860a840942c0c81 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c65bc8f54b145a25fcad284d (4) Received Access-Request packet from host 10.10.1.1 port 3406, id=26, length=247 (4) User-Name = 'bigman' (4) Framed-MTU = 1450 (4) EAP-Message = 0x020400061900 (4) Message-Authenticator = 0x07909351500113863860a840942c0c81 (4) Chargeable-User-Identity = 0x00 (4) NAS-IP-Address = 10.10.1.1 (4) NAS-Identifier = 'WiFi-Controller-7' (4) NAS-Port = 33558758 (4) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Framed-Protocol = PPP (4) Calling-Station-Id = '00-18-60-68-03-EC' (4) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (4) Acct-Session-Id = '115001511383b5ab70' (4) Framed-IP-Address = 202.189.123.194 (4) State = 0xc45fd1a2c65bc8f54b145a25fcad284d (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (4) authorize { (4) filter_username filter_username { (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (4) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (4) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (4) auth_log : EXPAND %t (4) auth_log : --> Thu Jan 15 11:38:41 2015 (4) [auth_log] = ok (4) [chap] = noop (4) [mschap] = noop (4) suffix : Checking for suffix after "@" (4) suffix : No '@' in User-Name = "bigman", looking up realm NULL (4) suffix : Found realm "NULL" (4) suffix : Adding Stripped-User-Name = "bigman" (4) suffix : Adding Realm = "NULL" (4) suffix : Authentication realm is LOCAL (4) [suffix] = ok (4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (4) EXPAND %{Realm} (4) --> NULL (4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (4) eap : Peer sent code Response (2) ID 4 length 6 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (4) authenticate { (4) eap : Expiring EAP session with state 0xc45fd1a2c65bc8f5 (4) eap : Finished EAP session with state 0xc45fd1a2c65bc8f5 (4) eap : Previous EAP request found for state 0xc45fd1a2c65bc8f5, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c75ac8f5 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=26, length=0 (4) EAP-Message = 0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006 0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746 76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472 7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495 f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61 ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312 b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069 c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8e (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xc45fd1a2c75ac8f54b145a25fcad284d Sending Access-Challenge Id 26 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006 0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746 76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472 7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495 f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61 ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312 b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069 c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c75ac8f54b145a25fcad284d (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 27 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020500061900 Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c75ac8f54b145a25fcad284d (5) Received Access-Request packet from host 10.10.1.1 port 3406, id=27, length=247 (5) User-Name = 'bigman' (5) Framed-MTU = 1450 (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38 (5) Chargeable-User-Identity = 0x00 (5) NAS-IP-Address = 10.10.1.1 (5) NAS-Identifier = 'WiFi-Controller-7' (5) NAS-Port = 33558758 (5) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Framed-Protocol = PPP (5) Calling-Station-Id = '00-18-60-68-03-EC' (5) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (5) Acct-Session-Id = '115001511383b5ab70' (5) Framed-IP-Address = 202.189.123.194 (5) State = 0xc45fd1a2c75ac8f54b145a25fcad284d (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (5) authorize { (5) filter_username filter_username { (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (5) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (5) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (5) auth_log : EXPAND %t (5) auth_log : --> Thu Jan 15 11:38:41 2015 (5) [auth_log] = ok (5) [chap] = noop (5) [mschap] = noop (5) suffix : Checking for suffix after "@" (5) suffix : No '@' in User-Name = "bigman", looking up realm NULL (5) suffix : Found realm "NULL" (5) suffix : Adding Stripped-User-Name = "bigman" (5) suffix : Adding Realm = "NULL" (5) suffix : Authentication realm is LOCAL (5) [suffix] = ok (5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (5) EXPAND %{Realm} (5) --> NULL (5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (5) authenticate { (5) eap : Expiring EAP session with state 0xc45fd1a2c75ac8f5 (5) eap : Finished EAP session with state 0xc45fd1a2c75ac8f5 (5) eap : Previous EAP request found for state 0xc45fd1a2c75ac8f5, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake fragment handler (5) eap_peap : eaptls_verify returned 1 (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c059c8f5 (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=27, length=0 (5) EAP-Message = 0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1 17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500 038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13 70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5 eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911 35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed 0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751ac (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xc45fd1a2c059c8f54b145a25fcad284d Sending Access-Challenge Id 27 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1 17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500 038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13 70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5 eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911 35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed 0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c059c8f54b145a25fcad284d (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 28 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb 6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04 886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471 Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c059c8f54b145a25fcad284d (6) Received Access-Request packet from host 10.10.1.1 port 3406, id=28, length=385 (6) User-Name = 'bigman' (6) Framed-MTU = 1450 (6) EAP-Message = 0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb 6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04 886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471 (6) Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4 (6) Chargeable-User-Identity = 0x00 (6) NAS-IP-Address = 10.10.1.1 (6) NAS-Identifier = 'WiFi-Controller-7' (6) NAS-Port = 33558758 (6) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Framed-Protocol = PPP (6) Calling-Station-Id = '00-18-60-68-03-EC' (6) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (6) Acct-Session-Id = '115001511383b5ab70' (6) Framed-IP-Address = 202.189.123.194 (6) State = 0xc45fd1a2c059c8f54b145a25fcad284d (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (6) authorize { (6) filter_username filter_username { (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (6) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (6) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (6) auth_log : EXPAND %t (6) auth_log : --> Thu Jan 15 11:38:42 2015 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "bigman", looking up realm NULL (6) suffix : Found realm "NULL" (6) suffix : Adding Stripped-User-Name = "bigman" (6) suffix : Adding Realm = "NULL" (6) suffix : Authentication realm is LOCAL (6) [suffix] = ok (6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (6) EXPAND %{Realm} (6) --> NULL (6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (6) eap : Peer sent code Response (2) ID 6 length 144 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (6) authenticate { (6) eap : Expiring EAP session with state 0xc45fd1a2c059c8f5 (6) eap : Finished EAP session with state 0xc45fd1a2c059c8f5 (6) eap : Previous EAP request found for state 0xc45fd1a2c059c8f5, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS TLS Length 134 (6) eap_peap : Length Included (6) eap_peap : eaptls_verify returned 11 (6) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (6) eap_peap : TLS_accept: SSLv3 read client key exchange A (6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 read finished A (6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : TLS_accept: SSLv3 write change cipher spec A (6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 write finished A (6) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 to cache (6) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (6) eap_peap : eaptls_process returned 13 (6) eap_peap : FR_TLS_HANDLED (6) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c158c8f5 (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=28, length=0 (6) EAP-Message = 0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96 da21b4bfc6fc733123a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xc45fd1a2c158c8f54b145a25fcad284d Sending Access-Challenge Id 28 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96 da21b4bfc6fc733123a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c158c8f54b145a25fcad284d (6) Finished request Received Access-Request Id 29 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020700061900 Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c158c8f54b145a25fcad284d (7) Received Access-Request packet from host 10.10.1.1 port 3406, id=29, length=247 (7) User-Name = 'bigman' (7) Framed-MTU = 1450 (7) EAP-Message = 0x020700061900 (7) Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde (7) Chargeable-User-Identity = 0x00 (7) NAS-IP-Address = 10.10.1.1 (7) NAS-Identifier = 'WiFi-Controller-7' (7) NAS-Port = 33558758 (7) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) Calling-Station-Id = '00-18-60-68-03-EC' (7) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (7) Acct-Session-Id = '115001511383b5ab70' (7) Framed-IP-Address = 202.189.123.194 (7) State = 0xc45fd1a2c158c8f54b145a25fcad284d (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (7) authorize { (7) filter_username filter_username { (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (7) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (7) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (7) auth_log : EXPAND %t (7) auth_log : --> Thu Jan 15 11:38:42 2015 (7) [auth_log] = ok (7) [chap] = noop (7) [mschap] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "bigman", looking up realm NULL (7) suffix : Found realm "NULL" (7) suffix : Adding Stripped-User-Name = "bigman" (7) suffix : Adding Realm = "NULL" (7) suffix : Authentication realm is LOCAL (7) [suffix] = ok (7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (7) EXPAND %{Realm} (7) --> NULL (7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (7) eap : Peer sent code Response (2) ID 7 length 6 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (7) authenticate { (7) eap : Expiring EAP session with state 0xc45fd1a2c158c8f5 (7) eap : Finished EAP session with state 0xc45fd1a2c158c8f5 (7) eap : Previous EAP request found for state 0xc45fd1a2c158c8f5, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : Received TLS ACK (7) eap_peap : Received TLS ACK (7) eap_peap : ACK handshake is finished (7) eap_peap : eaptls_verify returned 3 (7) eap_peap : eaptls_process returned 3 (7) eap_peap : FR_TLS_SUCCESS (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state TUNNEL ESTABLISHED (7) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c257c8f5 (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=29, length=0 (7) EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xc45fd1a2c257c8f54b145a25fcad284d Sending Access-Challenge Id 29 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c257c8f54b145a25fcad284d (7) Finished request Received Access-Request Id 30 from 10.10.1.1:3406 to 10.80.1.1:1812 length 337 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11 6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452 Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c257c8f54b145a25fcad284d (8) Received Access-Request packet from host 10.10.1.1 port 3406, id=30, length=337 (8) User-Name = 'bigman' (8) Framed-MTU = 1450 (8) EAP-Message = 0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11 6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452 (8) Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b (8) Chargeable-User-Identity = 0x00 (8) NAS-IP-Address = 10.10.1.1 (8) NAS-Identifier = 'WiFi-Controller-7' (8) NAS-Port = 33558758 (8) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = '00-18-60-68-03-EC' (8) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (8) Acct-Session-Id = '115001511383b5ab70' (8) Framed-IP-Address = 202.189.123.194 (8) State = 0xc45fd1a2c257c8f54b145a25fcad284d (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (8) authorize { (8) filter_username filter_username { (8) if (&User-Name =~ / /) (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (8) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (8) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (8) auth_log : EXPAND %t (8) auth_log : --> Thu Jan 15 11:38:42 2015 (8) [auth_log] = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "bigman", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "bigman" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (8) EXPAND %{Realm} (8) --> NULL (8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (8) eap : Peer sent code Response (2) ID 8 length 96 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (8) authenticate { (8) eap : Expiring EAP session with state 0xc45fd1a2c257c8f5 (8) eap : Finished EAP session with state 0xc45fd1a2c257c8f5 (8) eap : Previous EAP request found for state 0xc45fd1a2c257c8f5, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state WAITING FOR INNER IDENTITY (8) eap_peap : Identity - bob@abc.com (8) eap_peap : Got inner identity 'bob@abc.com' (8) eap_peap : Setting default EAP type for tunneled EAP session (8) eap_peap : Got tunneled request EAP-Message = 0x020800120174666b6c616940686b752e686b server Local-WiFi { (8) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020800120174666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (8) server inner-tunnel { (8) Request: EAP-Message = 0x020800120174666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (8) suffix : Found realm "abc.com" (8) suffix : Adding Stripped-User-Name = "bob" (8) suffix : Adding Realm = "abc.com" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) update control { (8) &Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : Peer sent code Response (2) ID 8 length 18 (8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Peer sent method Identity (1) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : Issuing Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xde946618de9d7cad (8) [eap] = handled (8) } # authenticate = handled (8) Reply: EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) } # server inner-tunnel } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618de9d7cad0c64434fd93f0777 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c356c8f5 (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=30, length=0 (8) EAP-Message = 0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c ec006126ddbd781a3811c45a43cc665fa6e6b88 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xc45fd1a2c356c8f54b145a25fcad284d Sending Access-Challenge Id 30 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c ec006126ddbd781a3811c45a43cc665fa6e6b88 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2c356c8f54b145a25fcad284d (8) Finished request Received Access-Request Id 31 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506 f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017 3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4 Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2c356c8f54b145a25fcad284d (9) Received Access-Request packet from host 10.10.1.1 port 3406, id=31, length=385 (9) User-Name = 'bigman' (9) Framed-MTU = 1450 (9) EAP-Message = 0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506 f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017 3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4 (9) Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba (9) Chargeable-User-Identity = 0x00 (9) NAS-IP-Address = 10.10.1.1 (9) NAS-Identifier = 'WiFi-Controller-7' (9) NAS-Port = 33558758 (9) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = '00-18-60-68-03-EC' (9) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (9) Acct-Session-Id = '115001511383b5ab70' (9) Framed-IP-Address = 202.189.123.194 (9) State = 0xc45fd1a2c356c8f54b145a25fcad284d (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (9) authorize { (9) filter_username filter_username { (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (9) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (9) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (9) auth_log : EXPAND %t (9) auth_log : --> Thu Jan 15 11:38:42 2015 (9) [auth_log] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "bigman", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "bigman" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (9) EXPAND %{Realm} (9) --> NULL (9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (9) eap : Peer sent code Response (2) ID 9 length 144 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (9) authenticate { (9) eap : Expiring EAP session with state 0xde946618de9d7cad (9) eap : Finished EAP session with state 0xc45fd1a2c356c8f5 (9) eap : Previous EAP request found for state 0xc45fd1a2c356c8f5, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b server Local-WiFi { (9) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618de9d7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (9) server inner-tunnel { (9) Request: EAP-Message = 0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016 36d8f0074666b6c616940686b752e686b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618de9d7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : Checking for suffix after "@" (9) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (9) suffix : Found realm "abc.com" (9) suffix : Adding Stripped-User-Name = "bob" (9) suffix : Adding Realm = "abc.com" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) &Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : Peer sent code Response (2) ID 9 length 72 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) if (&EAP-Message) (9) if (&EAP-Message) -> TRUE (9) if (&EAP-Message) { (9) load-balance ldap_Portal_redundant { (9) redundant-load-balance group ldap_Portal_redundant { rlm_ldap (ldap_PortalPwd_2): Reserved connection (4) (9) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(! (postOfficeBox=nowifi)))) (9) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi)))) (9) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk (9) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk (9) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(! (givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub' (9) ldap_PortalPwd_2 : Waiting for search result... (9) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk" (9) ldap_PortalPwd_2 : Processing user attributes (9) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg' (9) ldap_PortalPwd_2 : &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345 rlm_ldap (ldap_PortalPwd_2): Released connection (4) (9) [ldap_PortalPwd_2] = ok (9) } # redundant-load-balance ldap_Portal_redundant = ok (9) if (notfound) (9) if (notfound) -> FALSE (9) } # if (&EAP-Message) = ok (9) ... skipping else for request 9: Preceding "if" was taken (9) [expiration] = noop (9) [logintime] = noop (9) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xde946618de9d7cad (9) eap : Finished EAP session with state 0xde946618de9d7cad (9) eap : Previous EAP request found for state 0xde946618de9d7cad, released from the list (9) eap : Peer sent method MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (9) mschap : Found NT-Password (9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (9) mschap : Creating challenge hash with username: bob@abc.com (9) mschap : Client is using MS-CHAPv2 (9) mschap : Adding MS-CHAPv2 MPPE keys (9) [mschap] = ok (9) } # Auth-Type MS-CHAP = ok MSCHAP Success (9) eap : New EAP session, adding 'State' attribute to reply 0xde946618df9e7cad (9) [eap] = handled (9) } # authenticate = handled (9) Reply: EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) } # server inner-tunnel } # server inner-tunnel (9) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde946618df9e7cad0c64434fd93f0777 (9) eap_peap : Got tunneled Access-Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cc55c8f5 (9) [eap] = handled (9) } # authenticate = handled (9) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=31, length=0 (9) EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961 0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xc45fd1a2cc55c8f54b145a25fcad284d Sending Access-Challenge Id 31 from 10.80.1.1:1812 to 10.10.1.1:3406 EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961 0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2cc55c8f54b145a25fcad284d (9) Finished request Received Access-Request Id 32 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a 27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1 Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2cc55c8f54b145a25fcad284d (10) Received Access-Request packet from host 10.10.1.1 port 3406, id=32, length=321 (10) User-Name = 'bigman' (10) Framed-MTU = 1450 (10) EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a 27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1 (10) Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35 (10) Chargeable-User-Identity = 0x00 (10) NAS-IP-Address = 10.10.1.1 (10) NAS-Identifier = 'WiFi-Controller-7' (10) NAS-Port = 33558758 (10) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Framed-Protocol = PPP (10) Calling-Station-Id = '00-18-60-68-03-EC' (10) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (10) Acct-Session-Id = '115001511383b5ab70' (10) Framed-IP-Address = 202.189.123.194 (10) State = 0xc45fd1a2cc55c8f54b145a25fcad284d (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (10) authorize { (10) filter_username filter_username { (10) if (&User-Name =~ / /) (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\\.\\./ ) (10) if (&User-Name =~ /\\.\\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\\.$/) (10) if (&User-Name =~ /\\.$/) -> FALSE (10) if (&User-Name =~ /@\\./) (10) if (&User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (10) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (10) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (10) auth_log : EXPAND %t (10) auth_log : --> Thu Jan 15 11:38:42 2015 (10) [auth_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : No '@' in User-Name = "bigman", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "bigman" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (10) EXPAND %{Realm} (10) --> NULL (10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (10) eap : Peer sent code Response (2) ID 10 length 80 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (10) authenticate { (10) eap : Expiring EAP session with state 0xde946618df9e7cad (10) eap : Finished EAP session with state 0xc45fd1a2cc55c8f5 (10) eap : Previous EAP request found for state 0xc45fd1a2cc55c8f5, released from the list (10) eap : Peer sent method PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020a00061a03 server Local-WiFi { (10) eap_peap : Setting User-Name to bob@abc.com Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618df9e7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 server inner-tunnel { (10) server inner-tunnel { (10) Request: EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'bob@abc.com' State = 0xde946618df9e7cad0c64434fd93f0777 Framed-MTU = 1450 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com" (10) suffix : Found realm "abc.com" (10) suffix : Adding Stripped-User-Name = "bob" (10) suffix : Adding Realm = "abc.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) &Proxy-To-Realm := 'LOCAL' (10) } # update control = noop (10) eap : Peer sent code Response (2) ID 10 length 6 (10) eap : No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) if (&EAP-Message) (10) if (&EAP-Message) -> TRUE (10) if (&EAP-Message) { (10) load-balance ldap_Portal_redundant { (10) redundant-load-balance group ldap_Portal_redundant { rlm_ldap (ldap_PortalPwd_2): Reserved connection (4) (10) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(! (postOfficeBox=nowifi)))) (10) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi)))) (10) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk (10) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk (10) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(! (givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub' (10) ldap_PortalPwd_2 : Waiting for search result... (10) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk" (10) ldap_PortalPwd_2 : Processing user attributes (10) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg' (10) ldap_PortalPwd_2 : &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345 rlm_ldap (ldap_PortalPwd_2): Released connection (4) (10) [ldap_PortalPwd_2] = ok (10) } # redundant-load-balance ldap_Portal_redundant = ok (10) if (notfound) (10) if (notfound) -> FALSE (10) } # if (&EAP-Message) = ok (10) ... skipping else for request 10: Preceding "if" was taken (10) [expiration] = noop (10) [logintime] = noop (10) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (10) WARNING: pap : Auth-Type already set. Not setting to PAP (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = EAP (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap : Expiring EAP session with state 0xde946618df9e7cad (10) eap : Finished EAP session with state 0xde946618df9e7cad (10) eap : Previous EAP request found for state 0xde946618df9e7cad, released from the list (10) eap : Peer sent method MSCHAPv2 (26) (10) eap : EAP MSCHAPv2 (26) (10) eap : Calling eap_mschapv2 to process EAP data (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) Login OK: [bob@abc.com] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC via TLS tunnel) (10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (10) post-auth { (10) update outer.reply { (10) EXPAND %{request:User-Name} (10) --> bob@abc.com (10) User-Name = "bob@abc.com" (10) } # update outer.reply = noop (10) } # post-auth = noop (10) Reply: MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) } # server inner-tunnel } # server inner-tunnel (10) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7 MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'bob' (10) eap_peap : Tunneled authentication was successful (10) eap_peap : SUCCESS (10) eap_peap : Saving tunneled attributes for later (10) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cd54c8f5 (10) [eap] = handled (10) } # authenticate = handled (10) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=32, length=0 (10) User-Name = 'bob@abc.com' (10) EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xc45fd1a2cd54c8f54b145a25fcad284d Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406 User-Name = 'bob@abc.com' EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45fd1a2cd54c8f54b145a25fcad284d (10) Finished request Waking up in 0.2 seconds. Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321 User-Name = 'bigman' Framed-MTU = 1450 EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778 261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9 Chargeable-User-Identity = 0x00 NAS-IP-Address = 10.10.1.1 NAS-Identifier = 'WiFi-Controller-7' NAS-Port = 33558758 NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = '00-18-60-68-03-EC' Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' Acct-Session-Id = '115001511383b5ab70' Framed-IP-Address = 202.189.123.194 State = 0xc45fd1a2cd54c8f54b145a25fcad284d (11) Received Access-Request packet from host 10.10.1.1 port 3406, id=33, length=321 (11) User-Name = 'bigman' (11) Framed-MTU = 1450 (11) EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778 261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf (11) Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9 (11) Chargeable-User-Identity = 0x00 (11) NAS-IP-Address = 10.10.1.1 (11) NAS-Identifier = 'WiFi-Controller-7' (11) NAS-Port = 33558758 (11) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230' (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Framed-Protocol = PPP (11) Calling-Station-Id = '00-18-60-68-03-EC' (11) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID' (11) Acct-Session-Id = '115001511383b5ab70' (11) Framed-IP-Address = 202.189.123.194 (11) State = 0xc45fd1a2cd54c8f54b145a25fcad284d (11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) authorize { (11) filter_username filter_username { (11) if (&User-Name =~ / /) (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@.*@/ ) (11) if (&User-Name =~ /@.*@/ ) -> FALSE (11) if (&User-Name =~ /\\.\\./ ) (11) if (&User-Name =~ /\\.\\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\\.$/) (11) if (&User-Name =~ /\\.$/) -> FALSE (11) if (&User-Name =~ /@\\./) (11) if (&User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d (11) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (11) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115 (11) auth_log : EXPAND %t (11) auth_log : --> Thu Jan 15 11:38:42 2015 (11) [auth_log] = ok (11) [chap] = noop (11) [mschap] = noop (11) suffix : Checking for suffix after "@" (11) suffix : No '@' in User-Name = "bigman", looking up realm NULL (11) suffix : Found realm "NULL" (11) suffix : Adding Stripped-User-Name = "bigman" (11) suffix : Adding Realm = "NULL" (11) suffix : Authentication realm is LOCAL (11) [suffix] = ok (11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') (11) EXPAND %{Realm} (11) --> NULL (11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE (11) eap : Peer sent code Response (2) ID 11 length 80 (11) eap : Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) authenticate { (11) eap : Expiring EAP session with state 0xc45fd1a2cd54c8f5 (11) eap : Finished EAP session with state 0xc45fd1a2cd54c8f5 (11) eap : Previous EAP request found for state 0xc45fd1a2cd54c8f5, released from the list (11) eap : Peer sent method PEAP (25) (11) eap : EAP PEAP (25) (11) eap : Calling eap_peap to process EAP data (11) eap_peap : processing EAP-TLS (11) eap_peap : eaptls_verify returned 7 (11) eap_peap : Done initial handshake (11) eap_peap : eaptls_process returned 7 (11) eap_peap : FR_TLS_OK (11) eap_peap : Session established. Decoding tunneled attributes (11) eap_peap : Peap state send tlv success (11) eap_peap : Received EAP-TLV response (11) eap_peap : Success (11) eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob' (11) eap_peap : Saving session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 vps 0xdb9b50 in the cache (11) eap : Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) Login OK: [bigman] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC) (11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/Local-WiFi (11) post-auth { (11) [exec] = noop (11) remove_reply_message_if_eap remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else else { (11) [noop] = noop (11) } # else else = noop (11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (11) } # post-auth = noop (11) Sending Access-Accept packet to host 10.10.1.1 port 3406, id=33, length=0 (11) Stripped-User-Name = 'bob' (11) MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf (11) MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19 (11) EAP-MSK = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbfdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a1 7134fe0b843a3bb19 (11) EAP-EMSK = 0x7a6b367b28793e34682cef71b58ec94c2f9dc00044d0e0a83b3b574158756196e40940146e5bbcba4d03755a09bc9ceafe3305b3da7bfe9 bffd812066bea9cbb (11) EAP-Session-Id = 0x1954b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16754b73641e3caf729409a814c4e2c0f4c4522113a1cbfd 2509d86377e80e55ca3 (11) EAP-Message = 0x030b0004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) Stripped-User-Name = 'bigman' Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406 MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 (11) Finished request Waking up in 0.2 seconds.
Hi, On Thu, Jan 15, 2015, at 5:49, Lai Fu Keung <tfklai@hku.hk> wrote:
Hi,
I am trying in configure my FR v3.0.4 to pass inner identity to outer in eap-peap setup. I read some of the old mails with similar issues, like the following:
http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.ht ml
I made the following setting as suggested in the mail:
1. Update outer reply in file inner-tunnel, post auth: update outer.reply { User-Name = "%{request:User-Name}" } 2. Set "use_tunneled_reply=yes" in file eap
IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are ignored and the outer reply is filled with attributes from the original Access-Request. That's why you get User-Name filled with the outer anonymous identity. Try setting that to no and filling the outer reply with any other attributes you need in that update outer.reply block.
With the above setting, I still couldn't get it working. I compared my
debug with that of above article. I see the difference at this line:
eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob'
The above article uses "User-Name". Is this the difference?
I use "Stripped-User-Name" for actual authentication against ldap, but
want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases.
At near the end of the debug, I even see:
Stripped-User-Name = 'bigman'
which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity".
Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows.
Fu-Keung
Enrique Sainz Baixauli
Hello Lai Fu Keung The recipe is simple: 1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section 2. Make inner Access-Accept contain User-Name. For example # sites-available/inner-tunnel postauth { update reply { User-Name := "%{request:User-Name}" } } rlm_eap_peap saves inner reply attributes when use_tunneled_reply=yes. rlm_eap_peap clears reply list and copy over saved reply attributes when it constructs outer Access-Accept. So User-Name added to inner reply will be copied into outer reply. On 15.01.2015 11:42, Enrique Sainz Baixauli wrote:
Hi,
On Thu, Jan 15, 2015, at 5:49, Lai Fu Keung <tfklai@hku.hk> wrote:
Hi,
I am trying in configure my FR v3.0.4 to pass inner identity to outer in eap-peap setup. I read some of the old mails with similar issues, like the following:
http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.ht ml
I made the following setting as suggested in the mail:
1. Update outer reply in file inner-tunnel, post auth: update outer.reply { User-Name = "%{request:User-Name}" } 2. Set "use_tunneled_reply=yes" in file eap
IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are ignored and the outer reply is filled with attributes from the original Access-Request. That's why you get User-Name filled with the outer anonymous identity. Try setting that to no and filling the outer reply with any other attributes you need in that update outer.reply block.
With the above setting, I still couldn't get it working. I compared my
debug with that of above article. I see the difference at this line:
eap_peap : Using saved attributes from the original Access-Accept Stripped-User-Name = 'bob'
The above article uses "User-Name". Is this the difference?
I use "Stripped-User-Name" for actual authentication against ldap, but
want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases.
At near the end of the debug, I even see:
Stripped-User-Name = 'bigman'
which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity".
Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows.
Fu-Keung
Enrique Sainz Baixauli
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The recipe is simple:
1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section
2. Make inner Access-Accept contain User-Name. For example
# sites-available/inner-tunnel postauth { update reply { User-Name := "%{request:User-Name}" } }
rlm_eap_peap saves inner reply attributes when use_tunneled_reply=yes. rlm_eap_peap clears reply list and copy over saved reply attributes when it constructs outer >Access-Accept. So User-Name added to inner reply will be copied into outer reply.
I followed exactly your configuration and it worked finally. Thanks very much. I was using the example from the comment in inner-tunnel, post-auth without much thought (sorry, my fault): update outer.reply { User-Name = "%{request:User-Name}" } It doesn't work for me. To recap, the following settings reply the inner identity to outer in my setup: 1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section 2. Add the following in sites-available/inner-tunnel: postauth { update reply { User-Name := "%{request:User-Name}" } } (Note the change from outer.reply to reply and '=' to ':=' in the original example). However, my next problem is: even though FR replies NAS with the inner-identity User-Name at the end, NAS still uses the outer-identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is the problem with the NAS, right? Fu-Keung
On 16.01.2015 10:40, Lai Fu Keung wrote:
However, my next problem is: even though FR replies NAS with the inner-identity User-Name at the end, NAS still uses the outer-identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is the problem with the NAS, right?
Yes, your NAS is broken. NAS should use User-Name received in Access-Accept message in Accounting-Request messages for the session. You can try to put username into Chargeable-User-Identity or Class of Access-Accept message and look would it be mirrored in Accounting-Request.
On 16.01.2015 10:40, Lai Fu Keung wrote:
However, my next problem is: even though FR replies NAS with the inner-identity User-Name at the end, NAS still uses the outer-identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is the problem with the NAS, right?
Yes, your NAS is broken. NAS should use User-Name received in Access-Accept message in Accounting-Request messages for the session.
You can try to put username into Chargeable-User-Identity or Class of Access-Accept message and look would it be mirrored in Accounting-Request.
Your suggestion is good. Thanks. I am also thinking something similar. Fu-Keung
I made the following setting as suggested in the mail:
1. Update outer reply in file inner-tunnel, post auth: update outer.reply { User-Name = "%{request:User-Name}" } 2. Set "use_tunneled_reply=yes" in file eap
IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are ignored and the >outer reply is filled with attributes from the original Access-Request. That's why you get User->Name filled with the outer anonymous identity. Try setting that to no and filling the outer reply >with any other attributes you need in that update outer.reply block.
It doesn't work with "use_tunneled_reply=no" in my case, no matter what I set for outer reply. But I finally get it worked. See my another reply in this thread. Fu-Keung
I try test PEAP following steps described in http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freerad... it says to send the following to radius server: $ cat eapol_test.conf.peap network={ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="password" ca_cert="/home/gcheng/myCA/cacert.pem" phase2="auth=MSCHAPV2" anonymous_identity="anonymous" } When running the test, I noticed that it sends “anonymous” user to the server and the server try to authenticate user “anonymous” and failed. Any ideas what is “anonymous” here? Do we need set up password for “anonymous” on the server? Thanks Jim
On Mon, Jan 19, 2015 at 02:08:13PM -0800, Jim Shi wrote:
I try test PEAP following steps described in http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freerad...
That article is nearly 7 years old. Be careful in case anything is out of date.
it says to send the following to radius server:
$ cat eapol_test.conf.peap network={ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="password" ca_cert="/home/gcheng/myCA/cacert.pem" phase2="auth=MSCHAPV2" anonymous_identity="anonymous" }
When running the test, I noticed that it sends “anonymous” user to the server and the server try to authenticate user “anonymous” and failed.
Because you set your anonymous_identity to "anonymous".
Any ideas what is “anonymous” here? Do we need set up password for “anonymous” on the server?
No, this is the User-Name used for the outer request. The real identity, "testuser", will be sent in the inner PEAP tunnel. Run the server in debug mode (-X) and read the output. It will tell you what went wrong. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (5)
-
Enrique Sainz Baixauli -
Iliya Peregoudov -
Jim Shi -
Lai Fu Keung -
Matthew Newton