Re: Add TLS version to logs with linelog in FreeRADIUS 3.2.4
Thanks.
OK. I suspect the problem is your local mailing system then. No one else has issues.
You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard do find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".
Please post the *full* debug output.
Here we go: (182) Received Access-Request Id 31 from 9.9.9.9:60533 to 130.92.10.33:1812 length 446 (182) User-Name = "xyz@unibe.ch" (182) Service-Type = Framed-User (182) Cisco-AVPair = "service-type=Framed" (182) Framed-MTU = 1485 (182) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (182) Message-Authenticator = 0x11a30dec371519f50eb0809f117144db (182) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (182) Cisco-AVPair = "method=dot1x" (182) Cisco-AVPair = "client-iif-id=3724547122" (182) Cisco-AVPair = "vlan-id=1876" (182) NAS-IP-Address = 9.9.9.9 (182) NAS-Port-Type = Wireless-802.11 (182) NAS-Port = 4211 (182) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (182) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (182) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (182) Calling-Station-Id = "22-e0-73-f2-50-23" (182) Airespace-Wlan-Id = 98 (182) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (182) WLAN-Group-Cipher = 1027076 (182) WLAN-Pairwise-Cipher = 1027076 (182) WLAN-AKM-Suite = 1027075 (182) # Executing section authorize from file /etc/freeradius/sites-enabled/default (182) authorize { (182) policy rewrite_called_station_id { (182) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (182) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (182) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (182) update request { (182) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (182) --> 60-B9-C0-04-C4-40 (182) &Called-Station-Id := 60-B9-C0-04-C4-40 (182) } # update request = noop (182) if ("%{8}") { (182) EXPAND %{8} (182) --> eduroam (182) if ("%{8}") -> TRUE (182) if ("%{8}") { (182) update request { (182) EXPAND %{8} (182) --> eduroam (182) &Called-Station-SSID := eduroam (182) EXPAND %{Called-Station-Id}:%{8} (182) --> 60-B9-C0-04-C4-40:eduroam (182) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (182) } # update request = noop (182) } # if ("%{8}") = noop (182) [updated] = updated (182) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (182) ... skipping else: Preceding "if" was taken (182) } # policy rewrite_called_station_id = updated (182) policy rewrite_calling_station_id { (182) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (182) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (182) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (182) update request { (182) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (182) --> 22-E0-73-F2-50-23 (182) &Calling-Station-Id := 22-E0-73-F2-50-23 (182) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (182) --> 22:E0:73:F2:50:23 (182) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (182) } # update request = noop (182) [updated] = updated (182) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (182) ... skipping else: Preceding "if" was taken (182) } # policy rewrite_calling_station_id = updated (182) if (NAS-Identifier == "uvisrz0215.insel.ch") { (182) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (182) if (Service-Type == Call-Check) { (182) if (Service-Type == Call-Check) -> FALSE (182) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (182) EXPAND Packet-Src-IP-Address (182) --> 9.9.9.9 (182) EXPAND Packet-Src-IP-Address (182) --> 9.9.9.9 (182) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (182) if (EAP-Message) { (182) if (EAP-Message) -> TRUE (182) if (EAP-Message) { (182) policy filter_username { (182) if (&User-Name) { (182) if (&User-Name) -> TRUE (182) if (&User-Name) { (182) if (&User-Name =~ / /) { (182) if (&User-Name =~ / /) -> FALSE (182) if (&User-Name =~ /@[^@]*@/ ) { (182) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (182) if (&User-Name =~ /\.\./ ) { (182) if (&User-Name =~ /\.\./ ) -> FALSE (182) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (182) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (182) if (&User-Name =~ /\.$/) { (182) if (&User-Name =~ /\.$/) -> FALSE (182) if (&User-Name =~ /@\./) { (182) if (&User-Name =~ /@\./) -> FALSE (182) } # if (&User-Name) = updated (182) } # policy filter_username = updated (182) suffix: Checking for suffix after "@" (182) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (182) suffix: Found realm "UNIBE.CH" (182) suffix: Adding Realm = "UNIBE.CH" (182) suffix: Authentication realm is LOCAL (182) [suffix] = ok (182) policy deny_no_realm { (182) if (User-Name && (User-Name !~ /@/)) { (182) if (User-Name && (User-Name !~ /@/)) -> FALSE (182) } # policy deny_no_realm = updated (182) update request { (182) EXPAND %{toupper:%{Realm}} (182) --> UNIBE.CH (182) Realm := UNIBE.CH (182) } # update request = noop (182) eap: Peer sent EAP Response (code 2) ID 1 length 29 (182) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (182) [eap] = ok (182) } # if (EAP-Message) = ok (182) } # authorize = updated (182) Found Auth-Type = eap (182) # Executing group from file /etc/freeradius/sites-enabled/default (182) Auth-Type eap { (182) eap: Peer sent packet with method EAP Identity (1) (182) eap: Calling submodule eap_peap to process data (182) eap_peap: (TLS) PEAP -Initiating new session (182) eap: Sending EAP Request (code 1) ID 2 length 6 (182) eap: EAP session adding &reply:State = 0xcf8ae573cf88fce6 (182) [eap] = handled (182) if (handled && (Response-Packet-Type == Access-Challenge)) { (182) EXPAND Response-Packet-Type (182) --> Access-Challenge (182) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (182) if (handled && (Response-Packet-Type == Access-Challenge)) { (182) attr_filter.access_challenge: EXPAND %{User-Name} (182) attr_filter.access_challenge: --> xyz@unibe.ch (182) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (182) [attr_filter.access_challenge.post-auth] = updated (182) [handled] = handled (182) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (182) } # Auth-Type eap = handled (182) Using Post-Auth-Type Challenge (182) Post-Auth-Type sub-section not found. Ignoring. (182) # Executing group from file /etc/freeradius/sites-enabled/default (182) session-state: Saving cached attributes (182) Framed-MTU = 1014 (182) Sent Access-Challenge Id 31 from 130.92.10.33:1812 to 9.9.9.9:60533 length 64 (182) EAP-Message = 0x010200061920 (182) Message-Authenticator = 0x00000000000000000000000000000000 (182) State = 0xcf8ae573cf88fce6e3b6e72de6bf5cbc (182) Finished request Waking up in 4.9 seconds. (183) Received Access-Request Id 39 from 9.9.9.9:60533 to 130.92.10.33:1812 length 596 (183) User-Name = "xyz@unibe.ch" (183) Service-Type = Framed-User (183) Cisco-AVPair = "service-type=Framed" (183) Framed-MTU = 1485 (183) EAP-Message = 0x020200a119800000009716030100920100008e030367374aaa0dddaf0e7d100625e3cfeeb8cd6518161994daa1847ad3002739d57600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (183) Message-Authenticator = 0x29862be28b4764a547e61644a45d82bf (183) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (183) Cisco-AVPair = "method=dot1x" (183) Cisco-AVPair = "client-iif-id=3724547122" (183) Cisco-AVPair = "vlan-id=1876" (183) NAS-IP-Address = 9.9.9.9 (183) NAS-Port-Type = Wireless-802.11 (183) NAS-Port = 4211 (183) State = 0xcf8ae573cf88fce6e3b6e72de6bf5cbc (183) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (183) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (183) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (183) Calling-Station-Id = "22-e0-73-f2-50-23" (183) Airespace-Wlan-Id = 98 (183) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (183) WLAN-Group-Cipher = 1027076 (183) WLAN-Pairwise-Cipher = 1027076 (183) WLAN-AKM-Suite = 1027075 (183) Restoring &session-state (183) &session-state:Framed-MTU = 1014 (183) # Executing section authorize from file /etc/freeradius/sites-enabled/default (183) authorize { (183) policy rewrite_called_station_id { (183) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (183) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (183) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (183) update request { (183) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (183) --> 60-B9-C0-04-C4-40 (183) &Called-Station-Id := 60-B9-C0-04-C4-40 (183) } # update request = noop (183) if ("%{8}") { (183) EXPAND %{8} (183) --> eduroam (183) if ("%{8}") -> TRUE (183) if ("%{8}") { (183) update request { (183) EXPAND %{8} (183) --> eduroam (183) &Called-Station-SSID := eduroam (183) EXPAND %{Called-Station-Id}:%{8} (183) --> 60-B9-C0-04-C4-40:eduroam (183) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (183) } # update request = noop (183) } # if ("%{8}") = noop (183) [updated] = updated (183) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (183) ... skipping else: Preceding "if" was taken (183) } # policy rewrite_called_station_id = updated (183) policy rewrite_calling_station_id { (183) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (183) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (183) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (183) update request { (183) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (183) --> 22-E0-73-F2-50-23 (183) &Calling-Station-Id := 22-E0-73-F2-50-23 (183) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (183) --> 22:E0:73:F2:50:23 (183) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (183) } # update request = noop (183) [updated] = updated (183) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (183) ... skipping else: Preceding "if" was taken (183) } # policy rewrite_calling_station_id = updated (183) if (NAS-Identifier == "uvisrz0215.insel.ch") { (183) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (183) if (Service-Type == Call-Check) { (183) if (Service-Type == Call-Check) -> FALSE (183) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (183) EXPAND Packet-Src-IP-Address (183) --> 9.9.9.9 (183) EXPAND Packet-Src-IP-Address (183) --> 9.9.9.9 (183) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (183) if (EAP-Message) { (183) if (EAP-Message) -> TRUE (183) if (EAP-Message) { (183) policy filter_username { (183) if (&User-Name) { (183) if (&User-Name) -> TRUE (183) if (&User-Name) { (183) if (&User-Name =~ / /) { (183) if (&User-Name =~ / /) -> FALSE (183) if (&User-Name =~ /@[^@]*@/ ) { (183) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (183) if (&User-Name =~ /\.\./ ) { (183) if (&User-Name =~ /\.\./ ) -> FALSE (183) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (183) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (183) if (&User-Name =~ /\.$/) { (183) if (&User-Name =~ /\.$/) -> FALSE (183) if (&User-Name =~ /@\./) { (183) if (&User-Name =~ /@\./) -> FALSE (183) } # if (&User-Name) = updated (183) } # policy filter_username = updated (183) suffix: Checking for suffix after "@" (183) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (183) suffix: Found realm "UNIBE.CH" (183) suffix: Adding Realm = "UNIBE.CH" (183) suffix: Authentication realm is LOCAL (183) [suffix] = ok (183) policy deny_no_realm { (183) if (User-Name && (User-Name !~ /@/)) { (183) if (User-Name && (User-Name !~ /@/)) -> FALSE (183) } # policy deny_no_realm = updated (183) update request { (183) EXPAND %{toupper:%{Realm}} (183) --> UNIBE.CH (183) Realm := UNIBE.CH (183) } # update request = noop (183) eap: Peer sent EAP Response (code 2) ID 2 length 161 (183) eap: Continuing tunnel setup (183) [eap] = ok (183) } # if (EAP-Message) = ok (183) } # authorize = updated (183) Found Auth-Type = eap (183) # Executing group from file /etc/freeradius/sites-enabled/default (183) Auth-Type eap { (183) eap: Removing EAP session with state 0xcf8ae573cf88fce6 (183) eap: Previous EAP request found for state 0xcf8ae573cf88fce6, released from the list (183) eap: Peer sent packet with method EAP PEAP (25) (183) eap: Calling submodule eap_peap to process data (183) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (183) eap_peap: (TLS) EAP Got all data (151 bytes) (183) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (183) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (183) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (183) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (183) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (183) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (183) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (183) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (183) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (183) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (183) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (183) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (183) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (183) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (183) eap_peap: (TLS) PEAP - In Handshake Phase (183) eap: Sending EAP Request (code 1) ID 3 length 1024 (183) eap: EAP session adding &reply:State = 0xcf8ae573ce89fce6 (183) [eap] = handled (183) if (handled && (Response-Packet-Type == Access-Challenge)) { (183) EXPAND Response-Packet-Type (183) --> Access-Challenge (183) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (183) if (handled && (Response-Packet-Type == Access-Challenge)) { (183) attr_filter.access_challenge: EXPAND %{User-Name} (183) attr_filter.access_challenge: --> xyz@unibe.ch (183) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (183) [attr_filter.access_challenge.post-auth] = updated (183) [handled] = handled (183) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (183) } # Auth-Type eap = handled (183) Using Post-Auth-Type Challenge (183) Post-Auth-Type sub-section not found. Ignoring. (183) # Executing group from file /etc/freeradius/sites-enabled/default (183) session-state: Saving cached attributes (183) Framed-MTU = 1014 (183) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (183) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (183) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (183) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (183) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (183) Sent Access-Challenge Id 39 from 130.92.10.33:1812 to 9.9.9.9:60533 length 1090 (183) EAP-Message = 0x0103040019c000001135160303003d020000390303deaa040a2cd12b855def85a0f1cda085f35e6014c26e22fc444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a003020102021006387c8dc0feba6f5f4a0c47e7c561cd300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3234303532393030303030305a170d3235303532383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (183) Message-Authenticator = 0x00000000000000000000000000000000 (183) State = 0xcf8ae573ce89fce6e3b6e72de6bf5cbc (183) Finished request Waking up in 4.9 seconds. (184) Received Access-Request Id 47 from 9.9.9.9:60533 to 130.92.10.33:1812 length 441 (184) User-Name = "xyz@unibe.ch" (184) Service-Type = Framed-User (184) Cisco-AVPair = "service-type=Framed" (184) Framed-MTU = 1485 (184) EAP-Message = 0x020300061900 (184) Message-Authenticator = 0xf94531ec1c265e936b60a676448e5edf (184) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (184) Cisco-AVPair = "method=dot1x" (184) Cisco-AVPair = "client-iif-id=3724547122" (184) Cisco-AVPair = "vlan-id=1876" (184) NAS-IP-Address = 9.9.9.9 (184) NAS-Port-Type = Wireless-802.11 (184) NAS-Port = 4211 (184) State = 0xcf8ae573ce89fce6e3b6e72de6bf5cbc (184) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (184) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (184) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (184) Calling-Station-Id = "22-e0-73-f2-50-23" (184) Airespace-Wlan-Id = 98 (184) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (184) WLAN-Group-Cipher = 1027076 (184) WLAN-Pairwise-Cipher = 1027076 (184) WLAN-AKM-Suite = 1027075 (184) Restoring &session-state (184) &session-state:Framed-MTU = 1014 (184) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (184) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (184) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (184) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (184) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (184) # Executing section authorize from file /etc/freeradius/sites-enabled/default (184) authorize { (184) policy rewrite_called_station_id { (184) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (184) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (184) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (184) update request { (184) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (184) --> 60-B9-C0-04-C4-40 (184) &Called-Station-Id := 60-B9-C0-04-C4-40 (184) } # update request = noop (184) if ("%{8}") { (184) EXPAND %{8} (184) --> eduroam (184) if ("%{8}") -> TRUE (184) if ("%{8}") { (184) update request { (184) EXPAND %{8} (184) --> eduroam (184) &Called-Station-SSID := eduroam (184) EXPAND %{Called-Station-Id}:%{8} (184) --> 60-B9-C0-04-C4-40:eduroam (184) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (184) } # update request = noop (184) } # if ("%{8}") = noop (184) [updated] = updated (184) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (184) ... skipping else: Preceding "if" was taken (184) } # policy rewrite_called_station_id = updated (184) policy rewrite_calling_station_id { (184) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (184) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (184) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (184) update request { (184) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (184) --> 22-E0-73-F2-50-23 (184) &Calling-Station-Id := 22-E0-73-F2-50-23 (184) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (184) --> 22:E0:73:F2:50:23 (184) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (184) } # update request = noop (184) [updated] = updated (184) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (184) ... skipping else: Preceding "if" was taken (184) } # policy rewrite_calling_station_id = updated (184) if (NAS-Identifier == "uvisrz0215.insel.ch") { (184) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (184) if (Service-Type == Call-Check) { (184) if (Service-Type == Call-Check) -> FALSE (184) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (184) EXPAND Packet-Src-IP-Address (184) --> 9.9.9.9 (184) EXPAND Packet-Src-IP-Address (184) --> 9.9.9.9 (184) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (184) if (EAP-Message) { (184) if (EAP-Message) -> TRUE (184) if (EAP-Message) { (184) policy filter_username { (184) if (&User-Name) { (184) if (&User-Name) -> TRUE (184) if (&User-Name) { (184) if (&User-Name =~ / /) { (184) if (&User-Name =~ / /) -> FALSE (184) if (&User-Name =~ /@[^@]*@/ ) { (184) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (184) if (&User-Name =~ /\.\./ ) { (184) if (&User-Name =~ /\.\./ ) -> FALSE (184) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (184) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (184) if (&User-Name =~ /\.$/) { (184) if (&User-Name =~ /\.$/) -> FALSE (184) if (&User-Name =~ /@\./) { (184) if (&User-Name =~ /@\./) -> FALSE (184) } # if (&User-Name) = updated (184) } # policy filter_username = updated (184) suffix: Checking for suffix after "@" (184) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (184) suffix: Found realm "UNIBE.CH" (184) suffix: Adding Realm = "UNIBE.CH" (184) suffix: Authentication realm is LOCAL (184) [suffix] = ok (184) policy deny_no_realm { (184) if (User-Name && (User-Name !~ /@/)) { (184) if (User-Name && (User-Name !~ /@/)) -> FALSE (184) } # policy deny_no_realm = updated (184) update request { (184) EXPAND %{toupper:%{Realm}} (184) --> UNIBE.CH (184) Realm := UNIBE.CH (184) } # update request = noop (184) eap: Peer sent EAP Response (code 2) ID 3 length 6 (184) eap: Continuing tunnel setup (184) [eap] = ok (184) } # if (EAP-Message) = ok (184) } # authorize = updated (184) Found Auth-Type = eap (184) # Executing group from file /etc/freeradius/sites-enabled/default (184) Auth-Type eap { (184) eap: Removing EAP session with state 0xcf8ae573ce89fce6 (184) eap: Previous EAP request found for state 0xcf8ae573ce89fce6, released from the list (184) eap: Peer sent packet with method EAP PEAP (25) (184) eap: Calling submodule eap_peap to process data (184) eap_peap: (TLS) Peer ACKed our handshake fragment (184) eap: Sending EAP Request (code 1) ID 4 length 1020 (184) eap: EAP session adding &reply:State = 0xcf8ae573cd8efce6 (184) [eap] = handled (184) if (handled && (Response-Packet-Type == Access-Challenge)) { (184) EXPAND Response-Packet-Type (184) --> Access-Challenge (184) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (184) if (handled && (Response-Packet-Type == Access-Challenge)) { (184) attr_filter.access_challenge: EXPAND %{User-Name} (184) attr_filter.access_challenge: --> xyz@unibe.ch (184) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (184) [attr_filter.access_challenge.post-auth] = updated (184) [handled] = handled (184) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (184) } # Auth-Type eap = handled (184) Using Post-Auth-Type Challenge (184) Post-Auth-Type sub-section not found. Ignoring. (184) # Executing group from file /etc/freeradius/sites-enabled/default (184) session-state: Saving cached attributes (184) Framed-MTU = 1014 (184) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (184) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (184) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (184) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (184) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (184) Sent Access-Challenge Id 47 from 130.92.10.33:1812 to 9.9.9.9:60533 length 1086 (184) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494 (184) Message-Authenticator = 0x00000000000000000000000000000000 (184) State = 0xcf8ae573cd8efce6e3b6e72de6bf5cbc (184) Finished request Waking up in 4.9 seconds. (185) Received Access-Request Id 55 from 9.9.9.9:60533 to 130.92.10.33:1812 length 441 (185) User-Name = "xyz@unibe.ch" (185) Service-Type = Framed-User (185) Cisco-AVPair = "service-type=Framed" (185) Framed-MTU = 1485 (185) EAP-Message = 0x020400061900 (185) Message-Authenticator = 0x762039fe48480c9dd55c1af554ae2e9e (185) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (185) Cisco-AVPair = "method=dot1x" (185) Cisco-AVPair = "client-iif-id=3724547122" (185) Cisco-AVPair = "vlan-id=1876" (185) NAS-IP-Address = 9.9.9.9 (185) NAS-Port-Type = Wireless-802.11 (185) NAS-Port = 4211 (185) State = 0xcf8ae573cd8efce6e3b6e72de6bf5cbc (185) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (185) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (185) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (185) Calling-Station-Id = "22-e0-73-f2-50-23" (185) Airespace-Wlan-Id = 98 (185) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (185) WLAN-Group-Cipher = 1027076 (185) WLAN-Pairwise-Cipher = 1027076 (185) WLAN-AKM-Suite = 1027075 (185) Restoring &session-state (185) &session-state:Framed-MTU = 1014 (185) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (185) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (185) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (185) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (185) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (185) # Executing section authorize from file /etc/freeradius/sites-enabled/default (185) authorize { (185) policy rewrite_called_station_id { (185) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (185) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (185) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (185) update request { (185) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (185) --> 60-B9-C0-04-C4-40 (185) &Called-Station-Id := 60-B9-C0-04-C4-40 (185) } # update request = noop (185) if ("%{8}") { (185) EXPAND %{8} (185) --> eduroam (185) if ("%{8}") -> TRUE (185) if ("%{8}") { (185) update request { (185) EXPAND %{8} (185) --> eduroam (185) &Called-Station-SSID := eduroam (185) EXPAND %{Called-Station-Id}:%{8} (185) --> 60-B9-C0-04-C4-40:eduroam (185) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (185) } # update request = noop (185) } # if ("%{8}") = noop (185) [updated] = updated (185) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (185) ... skipping else: Preceding "if" was taken (185) } # policy rewrite_called_station_id = updated (185) policy rewrite_calling_station_id { (185) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (185) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (185) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (185) update request { (185) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (185) --> 22-E0-73-F2-50-23 (185) &Calling-Station-Id := 22-E0-73-F2-50-23 (185) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (185) --> 22:E0:73:F2:50:23 (185) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (185) } # update request = noop (185) [updated] = updated (185) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (185) ... skipping else: Preceding "if" was taken (185) } # policy rewrite_calling_station_id = updated (185) if (NAS-Identifier == "uvisrz0215.insel.ch") { (185) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (185) if (Service-Type == Call-Check) { (185) if (Service-Type == Call-Check) -> FALSE (185) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (185) EXPAND Packet-Src-IP-Address (185) --> 9.9.9.9 (185) EXPAND Packet-Src-IP-Address (185) --> 9.9.9.9 (185) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (185) if (EAP-Message) { (185) if (EAP-Message) -> TRUE (185) if (EAP-Message) { (185) policy filter_username { (185) if (&User-Name) { (185) if (&User-Name) -> TRUE (185) if (&User-Name) { (185) if (&User-Name =~ / /) { (185) if (&User-Name =~ / /) -> FALSE (185) if (&User-Name =~ /@[^@]*@/ ) { (185) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (185) if (&User-Name =~ /\.\./ ) { (185) if (&User-Name =~ /\.\./ ) -> FALSE (185) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (185) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (185) if (&User-Name =~ /\.$/) { (185) if (&User-Name =~ /\.$/) -> FALSE (185) if (&User-Name =~ /@\./) { (185) if (&User-Name =~ /@\./) -> FALSE (185) } # if (&User-Name) = updated (185) } # policy filter_username = updated (185) suffix: Checking for suffix after "@" (185) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (185) suffix: Found realm "UNIBE.CH" (185) suffix: Adding Realm = "UNIBE.CH" (185) suffix: Authentication realm is LOCAL (185) [suffix] = ok (185) policy deny_no_realm { (185) if (User-Name && (User-Name !~ /@/)) { (185) if (User-Name && (User-Name !~ /@/)) -> FALSE (185) } # policy deny_no_realm = updated (185) update request { (185) EXPAND %{toupper:%{Realm}} (185) --> UNIBE.CH (185) Realm := UNIBE.CH (185) } # update request = noop (185) eap: Peer sent EAP Response (code 2) ID 4 length 6 (185) eap: Continuing tunnel setup (185) [eap] = ok (185) } # if (EAP-Message) = ok (185) } # authorize = updated (185) Found Auth-Type = eap (185) # Executing group from file /etc/freeradius/sites-enabled/default (185) Auth-Type eap { (185) eap: Removing EAP session with state 0xcf8ae573cd8efce6 (185) eap: Previous EAP request found for state 0xcf8ae573cd8efce6, released from the list (185) eap: Peer sent packet with method EAP PEAP (25) (185) eap: Calling submodule eap_peap to process data (185) eap_peap: (TLS) Peer ACKed our handshake fragment (185) eap: Sending EAP Request (code 1) ID 5 length 1020 (185) eap: EAP session adding &reply:State = 0xcf8ae573cc8ffce6 (185) [eap] = handled (185) if (handled && (Response-Packet-Type == Access-Challenge)) { (185) EXPAND Response-Packet-Type (185) --> Access-Challenge (185) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (185) if (handled && (Response-Packet-Type == Access-Challenge)) { (185) attr_filter.access_challenge: EXPAND %{User-Name} (185) attr_filter.access_challenge: --> xyz@unibe.ch (185) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (185) [attr_filter.access_challenge.post-auth] = updated (185) [handled] = handled (185) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (185) } # Auth-Type eap = handled (185) Using Post-Auth-Type Challenge (185) Post-Auth-Type sub-section not found. Ignoring. (185) # Executing group from file /etc/freeradius/sites-enabled/default (185) session-state: Saving cached attributes (185) Framed-MTU = 1014 (185) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (185) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (185) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (185) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (185) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (185) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 9.9.9.9:60533 length 1086 (185) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (185) Message-Authenticator = 0x00000000000000000000000000000000 (185) State = 0xcf8ae573cc8ffce6e3b6e72de6bf5cbc (185) Finished request Waking up in 4.9 seconds. (186) Received Access-Request Id 63 from 9.9.9.9:60533 to 130.92.10.33:1812 length 441 (186) User-Name = "xyz@unibe.ch" (186) Service-Type = Framed-User (186) Cisco-AVPair = "service-type=Framed" (186) Framed-MTU = 1485 (186) EAP-Message = 0x020500061900 (186) Message-Authenticator = 0xe9653667a164bcf3999f9734716b49db (186) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (186) Cisco-AVPair = "method=dot1x" (186) Cisco-AVPair = "client-iif-id=3724547122" (186) Cisco-AVPair = "vlan-id=1876" (186) NAS-IP-Address = 9.9.9.9 (186) NAS-Port-Type = Wireless-802.11 (186) NAS-Port = 4211 (186) State = 0xcf8ae573cc8ffce6e3b6e72de6bf5cbc (186) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (186) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (186) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (186) Calling-Station-Id = "22-e0-73-f2-50-23" (186) Airespace-Wlan-Id = 98 (186) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (186) WLAN-Group-Cipher = 1027076 (186) WLAN-Pairwise-Cipher = 1027076 (186) WLAN-AKM-Suite = 1027075 (186) Restoring &session-state (186) &session-state:Framed-MTU = 1014 (186) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (186) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (186) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (186) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (186) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (186) # Executing section authorize from file /etc/freeradius/sites-enabled/default (186) authorize { (186) policy rewrite_called_station_id { (186) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (186) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (186) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (186) update request { (186) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (186) --> 60-B9-C0-04-C4-40 (186) &Called-Station-Id := 60-B9-C0-04-C4-40 (186) } # update request = noop (186) if ("%{8}") { (186) EXPAND %{8} (186) --> eduroam (186) if ("%{8}") -> TRUE (186) if ("%{8}") { (186) update request { (186) EXPAND %{8} (186) --> eduroam (186) &Called-Station-SSID := eduroam (186) EXPAND %{Called-Station-Id}:%{8} (186) --> 60-B9-C0-04-C4-40:eduroam (186) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (186) } # update request = noop (186) } # if ("%{8}") = noop (186) [updated] = updated (186) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (186) ... skipping else: Preceding "if" was taken (186) } # policy rewrite_called_station_id = updated (186) policy rewrite_calling_station_id { (186) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (186) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (186) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (186) update request { (186) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (186) --> 22-E0-73-F2-50-23 (186) &Calling-Station-Id := 22-E0-73-F2-50-23 (186) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (186) --> 22:E0:73:F2:50:23 (186) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (186) } # update request = noop (186) [updated] = updated (186) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (186) ... skipping else: Preceding "if" was taken (186) } # policy rewrite_calling_station_id = updated (186) if (NAS-Identifier == "uvisrz0215.insel.ch") { (186) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (186) if (Service-Type == Call-Check) { (186) if (Service-Type == Call-Check) -> FALSE (186) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (186) EXPAND Packet-Src-IP-Address (186) --> 9.9.9.9 (186) EXPAND Packet-Src-IP-Address (186) --> 9.9.9.9 (186) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (186) if (EAP-Message) { (186) if (EAP-Message) -> TRUE (186) if (EAP-Message) { (186) policy filter_username { (186) if (&User-Name) { (186) if (&User-Name) -> TRUE (186) if (&User-Name) { (186) if (&User-Name =~ / /) { (186) if (&User-Name =~ / /) -> FALSE (186) if (&User-Name =~ /@[^@]*@/ ) { (186) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (186) if (&User-Name =~ /\.\./ ) { (186) if (&User-Name =~ /\.\./ ) -> FALSE (186) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (186) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (186) if (&User-Name =~ /\.$/) { (186) if (&User-Name =~ /\.$/) -> FALSE (186) if (&User-Name =~ /@\./) { (186) if (&User-Name =~ /@\./) -> FALSE (186) } # if (&User-Name) = updated (186) } # policy filter_username = updated (186) suffix: Checking for suffix after "@" (186) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (186) suffix: Found realm "UNIBE.CH" (186) suffix: Adding Realm = "UNIBE.CH" (186) suffix: Authentication realm is LOCAL (186) [suffix] = ok (186) policy deny_no_realm { (186) if (User-Name && (User-Name !~ /@/)) { (186) if (User-Name && (User-Name !~ /@/)) -> FALSE (186) } # policy deny_no_realm = updated (186) update request { (186) EXPAND %{toupper:%{Realm}} (186) --> UNIBE.CH (186) Realm := UNIBE.CH (186) } # update request = noop (186) eap: Peer sent EAP Response (code 2) ID 5 length 6 (186) eap: Continuing tunnel setup (186) [eap] = ok (186) } # if (EAP-Message) = ok (186) } # authorize = updated (186) Found Auth-Type = eap (186) # Executing group from file /etc/freeradius/sites-enabled/default (186) Auth-Type eap { (186) eap: Removing EAP session with state 0xcf8ae573cc8ffce6 (186) eap: Previous EAP request found for state 0xcf8ae573cc8ffce6, released from the list (186) eap: Peer sent packet with method EAP PEAP (25) (186) eap: Calling submodule eap_peap to process data (186) eap_peap: (TLS) Peer ACKed our handshake fragment (186) eap: Sending EAP Request (code 1) ID 6 length 1020 (186) eap: EAP session adding &reply:State = 0xcf8ae573cb8cfce6 (186) [eap] = handled (186) if (handled && (Response-Packet-Type == Access-Challenge)) { (186) EXPAND Response-Packet-Type (186) --> Access-Challenge (186) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (186) if (handled && (Response-Packet-Type == Access-Challenge)) { (186) attr_filter.access_challenge: EXPAND %{User-Name} (186) attr_filter.access_challenge: --> xyz@unibe.ch (186) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (186) [attr_filter.access_challenge.post-auth] = updated (186) [handled] = handled (186) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (186) } # Auth-Type eap = handled (186) Using Post-Auth-Type Challenge (186) Post-Auth-Type sub-section not found. Ignoring. (186) # Executing group from file /etc/freeradius/sites-enabled/default (186) session-state: Saving cached attributes (186) Framed-MTU = 1014 (186) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (186) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (186) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (186) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (186) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (186) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 9.9.9.9:60533 length 1086 (186) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (186) Message-Authenticator = 0x00000000000000000000000000000000 (186) State = 0xcf8ae573cb8cfce6e3b6e72de6bf5cbc (186) Finished request Waking up in 4.9 seconds. (187) Received Access-Request Id 71 from 9.9.9.9:60533 to 130.92.10.33:1812 length 441 (187) User-Name = "xyz@unibe.ch" (187) Service-Type = Framed-User (187) Cisco-AVPair = "service-type=Framed" (187) Framed-MTU = 1485 (187) EAP-Message = 0x020600061900 (187) Message-Authenticator = 0x242a03db3080449327126d09317dcedf (187) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (187) Cisco-AVPair = "method=dot1x" (187) Cisco-AVPair = "client-iif-id=3724547122" (187) Cisco-AVPair = "vlan-id=1876" (187) NAS-IP-Address = 9.9.9.9 (187) NAS-Port-Type = Wireless-802.11 (187) NAS-Port = 4211 (187) State = 0xcf8ae573cb8cfce6e3b6e72de6bf5cbc (187) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (187) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (187) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (187) Calling-Station-Id = "22-e0-73-f2-50-23" (187) Airespace-Wlan-Id = 98 (187) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (187) WLAN-Group-Cipher = 1027076 (187) WLAN-Pairwise-Cipher = 1027076 (187) WLAN-AKM-Suite = 1027075 (187) Restoring &session-state (187) &session-state:Framed-MTU = 1014 (187) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (187) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (187) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (187) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (187) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (187) # Executing section authorize from file /etc/freeradius/sites-enabled/default (187) authorize { (187) policy rewrite_called_station_id { (187) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (187) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (187) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (187) update request { (187) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (187) --> 60-B9-C0-04-C4-40 (187) &Called-Station-Id := 60-B9-C0-04-C4-40 (187) } # update request = noop (187) if ("%{8}") { (187) EXPAND %{8} (187) --> eduroam (187) if ("%{8}") -> TRUE (187) if ("%{8}") { (187) update request { (187) EXPAND %{8} (187) --> eduroam (187) &Called-Station-SSID := eduroam (187) EXPAND %{Called-Station-Id}:%{8} (187) --> 60-B9-C0-04-C4-40:eduroam (187) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (187) } # update request = noop (187) } # if ("%{8}") = noop (187) [updated] = updated (187) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (187) ... skipping else: Preceding "if" was taken (187) } # policy rewrite_called_station_id = updated (187) policy rewrite_calling_station_id { (187) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (187) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (187) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (187) update request { (187) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (187) --> 22-E0-73-F2-50-23 (187) &Calling-Station-Id := 22-E0-73-F2-50-23 (187) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (187) --> 22:E0:73:F2:50:23 (187) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (187) } # update request = noop (187) [updated] = updated (187) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (187) ... skipping else: Preceding "if" was taken (187) } # policy rewrite_calling_station_id = updated (187) if (NAS-Identifier == "uvisrz0215.insel.ch") { (187) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (187) if (Service-Type == Call-Check) { (187) if (Service-Type == Call-Check) -> FALSE (187) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (187) EXPAND Packet-Src-IP-Address (187) --> 9.9.9.9 (187) EXPAND Packet-Src-IP-Address (187) --> 9.9.9.9 (187) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (187) if (EAP-Message) { (187) if (EAP-Message) -> TRUE (187) if (EAP-Message) { (187) policy filter_username { (187) if (&User-Name) { (187) if (&User-Name) -> TRUE (187) if (&User-Name) { (187) if (&User-Name =~ / /) { (187) if (&User-Name =~ / /) -> FALSE (187) if (&User-Name =~ /@[^@]*@/ ) { (187) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (187) if (&User-Name =~ /\.\./ ) { (187) if (&User-Name =~ /\.\./ ) -> FALSE (187) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (187) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (187) if (&User-Name =~ /\.$/) { (187) if (&User-Name =~ /\.$/) -> FALSE (187) if (&User-Name =~ /@\./) { (187) if (&User-Name =~ /@\./) -> FALSE (187) } # if (&User-Name) = updated (187) } # policy filter_username = updated (187) suffix: Checking for suffix after "@" (187) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (187) suffix: Found realm "UNIBE.CH" (187) suffix: Adding Realm = "UNIBE.CH" (187) suffix: Authentication realm is LOCAL (187) [suffix] = ok (187) policy deny_no_realm { (187) if (User-Name && (User-Name !~ /@/)) { (187) if (User-Name && (User-Name !~ /@/)) -> FALSE (187) } # policy deny_no_realm = updated (187) update request { (187) EXPAND %{toupper:%{Realm}} (187) --> UNIBE.CH (187) Realm := UNIBE.CH (187) } # update request = noop (187) eap: Peer sent EAP Response (code 2) ID 6 length 6 (187) eap: Continuing tunnel setup (187) [eap] = ok (187) } # if (EAP-Message) = ok (187) } # authorize = updated (187) Found Auth-Type = eap (187) # Executing group from file /etc/freeradius/sites-enabled/default (187) Auth-Type eap { (187) eap: Removing EAP session with state 0xcf8ae573cb8cfce6 (187) eap: Previous EAP request found for state 0xcf8ae573cb8cfce6, released from the list (187) eap: Peer sent packet with method EAP PEAP (25) (187) eap: Calling submodule eap_peap to process data (187) eap_peap: (TLS) Peer ACKed our handshake fragment (187) eap: Sending EAP Request (code 1) ID 7 length 355 (187) eap: EAP session adding &reply:State = 0xcf8ae573ca8dfce6 (187) [eap] = handled (187) if (handled && (Response-Packet-Type == Access-Challenge)) { (187) EXPAND Response-Packet-Type (187) --> Access-Challenge (187) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (187) if (handled && (Response-Packet-Type == Access-Challenge)) { (187) attr_filter.access_challenge: EXPAND %{User-Name} (187) attr_filter.access_challenge: --> xyz@unibe.ch (187) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (187) [attr_filter.access_challenge.post-auth] = updated (187) [handled] = handled (187) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (187) } # Auth-Type eap = handled (187) Using Post-Auth-Type Challenge (187) Post-Auth-Type sub-section not found. Ignoring. (187) # Executing group from file /etc/freeradius/sites-enabled/default (187) session-state: Saving cached attributes (187) Framed-MTU = 1014 (187) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (187) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (187) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (187) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (187) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (187) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 9.9.9.9:60533 length 415 (187) EAP-Message = 0x01070163190032b6160303014d0c00014903001741042ecf4619c88bd3f9d2564d80ccf135283bc2bf397860861137ed899ad3521a198102a135ceee9d6c4a1f365b28ca6fa1abcb775e7e39e54dd612eb5ea0af4c4704010100a678c60510cecc8151c293799b383fe4f21878672e4c20666f9ffbc3ee8b6ca2c799b658371ca3e82a5758e91dc96d03d419fd4a932df264d4568b93bbd88395b905d1d80917f36fd8c3bf5c88e446eabfe1b16a1c6e2d34514955ea4939e33714149c6fd768a2b751326ce3d5efcd074dc01a14d4e6cf1c21be0873fb694c9f1c06533e3788bcd5a8f3c4dfe09dedf9d6a305597ef549c9a5e270d5ed0da6e7bac6cf43a793922384b33438ef8c270441d243379e2bcaf877c216a6757c4a87cc867650abd212201fcee3745132d5988be5e2a355565b413277794fa983b381bc7d3ef806fe84e20259008fde46fbec88934273fcb43051eb51e6ffc7bc215516030300040e000000 (187) Message-Authenticator = 0x00000000000000000000000000000000 (187) State = 0xcf8ae573ca8dfce6e3b6e72de6bf5cbc (187) Finished request Waking up in 4.9 seconds. (188) Received Access-Request Id 79 from 9.9.9.9:60533 to 130.92.10.33:1812 length 571 (188) User-Name = "xyz@unibe.ch" (188) Service-Type = Framed-User (188) Cisco-AVPair = "service-type=Framed" (188) Framed-MTU = 1485 (188) EAP-Message = 0x0207008819800000007e1603030046100000424104e6595813fcf61f0bcf33212269292b56b96c43fa1c8521b7e9ca6253bc8ba93a42bbf48836d9cd888fe082cfa6fab40327beb814a7fb7f88dd37f9af6caafe2c1403030001011603030028205b847b10fba1568b03991cae85dab7c8553e4b8fbf36eca8a4ec3411939e1e7f4d5270df2d81d8 (188) Message-Authenticator = 0x5dc9e821834fdb1a0dbda25c60505863 (188) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (188) Cisco-AVPair = "method=dot1x" (188) Cisco-AVPair = "client-iif-id=3724547122" (188) Cisco-AVPair = "vlan-id=1876" (188) NAS-IP-Address = 9.9.9.9 (188) NAS-Port-Type = Wireless-802.11 (188) NAS-Port = 4211 (188) State = 0xcf8ae573ca8dfce6e3b6e72de6bf5cbc (188) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (188) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (188) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (188) Calling-Station-Id = "22-e0-73-f2-50-23" (188) Airespace-Wlan-Id = 98 (188) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (188) WLAN-Group-Cipher = 1027076 (188) WLAN-Pairwise-Cipher = 1027076 (188) WLAN-AKM-Suite = 1027075 (188) Restoring &session-state (188) &session-state:Framed-MTU = 1014 (188) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (188) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (188) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (188) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (188) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (188) # Executing section authorize from file /etc/freeradius/sites-enabled/default (188) authorize { (188) policy rewrite_called_station_id { (188) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (188) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (188) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (188) update request { (188) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (188) --> 60-B9-C0-04-C4-40 (188) &Called-Station-Id := 60-B9-C0-04-C4-40 (188) } # update request = noop (188) if ("%{8}") { (188) EXPAND %{8} (188) --> eduroam (188) if ("%{8}") -> TRUE (188) if ("%{8}") { (188) update request { (188) EXPAND %{8} (188) --> eduroam (188) &Called-Station-SSID := eduroam (188) EXPAND %{Called-Station-Id}:%{8} (188) --> 60-B9-C0-04-C4-40:eduroam (188) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (188) } # update request = noop (188) } # if ("%{8}") = noop (188) [updated] = updated (188) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (188) ... skipping else: Preceding "if" was taken (188) } # policy rewrite_called_station_id = updated (188) policy rewrite_calling_station_id { (188) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (188) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (188) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (188) update request { (188) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (188) --> 22-E0-73-F2-50-23 (188) &Calling-Station-Id := 22-E0-73-F2-50-23 (188) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (188) --> 22:E0:73:F2:50:23 (188) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (188) } # update request = noop (188) [updated] = updated (188) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (188) ... skipping else: Preceding "if" was taken (188) } # policy rewrite_calling_station_id = updated (188) if (NAS-Identifier == "uvisrz0215.insel.ch") { (188) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (188) if (Service-Type == Call-Check) { (188) if (Service-Type == Call-Check) -> FALSE (188) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (188) EXPAND Packet-Src-IP-Address (188) --> 9.9.9.9 (188) EXPAND Packet-Src-IP-Address (188) --> 9.9.9.9 (188) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (188) if (EAP-Message) { (188) if (EAP-Message) -> TRUE (188) if (EAP-Message) { (188) policy filter_username { (188) if (&User-Name) { (188) if (&User-Name) -> TRUE (188) if (&User-Name) { (188) if (&User-Name =~ / /) { (188) if (&User-Name =~ / /) -> FALSE (188) if (&User-Name =~ /@[^@]*@/ ) { (188) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (188) if (&User-Name =~ /\.\./ ) { (188) if (&User-Name =~ /\.\./ ) -> FALSE (188) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (188) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (188) if (&User-Name =~ /\.$/) { (188) if (&User-Name =~ /\.$/) -> FALSE (188) if (&User-Name =~ /@\./) { (188) if (&User-Name =~ /@\./) -> FALSE (188) } # if (&User-Name) = updated (188) } # policy filter_username = updated (188) suffix: Checking for suffix after "@" (188) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (188) suffix: Found realm "UNIBE.CH" (188) suffix: Adding Realm = "UNIBE.CH" (188) suffix: Authentication realm is LOCAL (188) [suffix] = ok (188) policy deny_no_realm { (188) if (User-Name && (User-Name !~ /@/)) { (188) if (User-Name && (User-Name !~ /@/)) -> FALSE (188) } # policy deny_no_realm = updated (188) update request { (188) EXPAND %{toupper:%{Realm}} (188) --> UNIBE.CH (188) Realm := UNIBE.CH (188) } # update request = noop (188) eap: Peer sent EAP Response (code 2) ID 7 length 136 (188) eap: Continuing tunnel setup (188) [eap] = ok (188) } # if (EAP-Message) = ok (188) } # authorize = updated (188) Found Auth-Type = eap (188) # Executing group from file /etc/freeradius/sites-enabled/default (188) Auth-Type eap { (188) eap: Removing EAP session with state 0xcf8ae573ca8dfce6 (188) eap: Previous EAP request found for state 0xcf8ae573ca8dfce6, released from the list (188) eap: Peer sent packet with method EAP PEAP (25) (188) eap: Calling submodule eap_peap to process data (188) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (188) eap_peap: (TLS) EAP Got all data (126 bytes) (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (188) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (188) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (188) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (188) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (188) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (188) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (188) eap_peap: (TLS) PEAP - Connection Established (188) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) eap_peap: TLS-Session-Version = "TLS 1.2" (188) eap: Sending EAP Request (code 1) ID 8 length 57 (188) eap: EAP session adding &reply:State = 0xcf8ae573c982fce6 (188) [eap] = handled (188) if (handled && (Response-Packet-Type == Access-Challenge)) { (188) EXPAND Response-Packet-Type (188) --> Access-Challenge (188) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (188) if (handled && (Response-Packet-Type == Access-Challenge)) { (188) attr_filter.access_challenge: EXPAND %{User-Name} (188) attr_filter.access_challenge: --> xyz@unibe.ch (188) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (188) [attr_filter.access_challenge.post-auth] = updated (188) [handled] = handled (188) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (188) } # Auth-Type eap = handled (188) Using Post-Auth-Type Challenge (188) Post-Auth-Type sub-section not found. Ignoring. (188) # Executing group from file /etc/freeradius/sites-enabled/default (188) session-state: Saving cached attributes (188) Framed-MTU = 1014 (188) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (188) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (188) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (188) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (188) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) TLS-Session-Version = "TLS 1.2" (188) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 9.9.9.9:60533 length 115 (188) EAP-Message = 0x010800391900140303000101160303002804f99461d03fc2be43b472810aaccc1082398a50bfe278395884ee9a22cacc6e5f0aa86dc8a3021e (188) Message-Authenticator = 0x00000000000000000000000000000000 (188) State = 0xcf8ae573c982fce6e3b6e72de6bf5cbc (188) Finished request Waking up in 2.0 seconds. (189) Received Access-Request Id 87 from 9.9.9.9:60533 to 130.92.10.33:1812 length 441 (189) User-Name = "xyz@unibe.ch" (189) Service-Type = Framed-User (189) Cisco-AVPair = "service-type=Framed" (189) Framed-MTU = 1485 (189) EAP-Message = 0x020800061900 (189) Message-Authenticator = 0xa5b00fd17fe7b04da57e577d073ddcf4 (189) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (189) Cisco-AVPair = "method=dot1x" (189) Cisco-AVPair = "client-iif-id=3724547122" (189) Cisco-AVPair = "vlan-id=1876" (189) NAS-IP-Address = 9.9.9.9 (189) NAS-Port-Type = Wireless-802.11 (189) NAS-Port = 4211 (189) State = 0xcf8ae573c982fce6e3b6e72de6bf5cbc (189) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (189) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (189) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (189) Calling-Station-Id = "22-e0-73-f2-50-23" (189) Airespace-Wlan-Id = 98 (189) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (189) WLAN-Group-Cipher = 1027076 (189) WLAN-Pairwise-Cipher = 1027076 (189) WLAN-AKM-Suite = 1027075 (189) Restoring &session-state (189) &session-state:Framed-MTU = 1014 (189) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (189) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (189) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (189) &session-state:TLS-Session-Version = "TLS 1.2" (189) # Executing section authorize from file /etc/freeradius/sites-enabled/default (189) authorize { (189) policy rewrite_called_station_id { (189) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (189) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (189) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (189) update request { (189) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (189) --> 60-B9-C0-04-C4-40 (189) &Called-Station-Id := 60-B9-C0-04-C4-40 (189) } # update request = noop (189) if ("%{8}") { (189) EXPAND %{8} (189) --> eduroam (189) if ("%{8}") -> TRUE (189) if ("%{8}") { (189) update request { (189) EXPAND %{8} (189) --> eduroam (189) &Called-Station-SSID := eduroam (189) EXPAND %{Called-Station-Id}:%{8} (189) --> 60-B9-C0-04-C4-40:eduroam (189) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (189) } # update request = noop (189) } # if ("%{8}") = noop (189) [updated] = updated (189) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (189) ... skipping else: Preceding "if" was taken (189) } # policy rewrite_called_station_id = updated (189) policy rewrite_calling_station_id { (189) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (189) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (189) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (189) update request { (189) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (189) --> 22-E0-73-F2-50-23 (189) &Calling-Station-Id := 22-E0-73-F2-50-23 (189) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (189) --> 22:E0:73:F2:50:23 (189) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (189) } # update request = noop (189) [updated] = updated (189) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (189) ... skipping else: Preceding "if" was taken (189) } # policy rewrite_calling_station_id = updated (189) if (NAS-Identifier == "uvisrz0215.insel.ch") { (189) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (189) if (Service-Type == Call-Check) { (189) if (Service-Type == Call-Check) -> FALSE (189) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (189) EXPAND Packet-Src-IP-Address (189) --> 9.9.9.9 (189) EXPAND Packet-Src-IP-Address (189) --> 9.9.9.9 (189) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (189) if (EAP-Message) { (189) if (EAP-Message) -> TRUE (189) if (EAP-Message) { (189) policy filter_username { (189) if (&User-Name) { (189) if (&User-Name) -> TRUE (189) if (&User-Name) { (189) if (&User-Name =~ / /) { (189) if (&User-Name =~ / /) -> FALSE (189) if (&User-Name =~ /@[^@]*@/ ) { (189) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (189) if (&User-Name =~ /\.\./ ) { (189) if (&User-Name =~ /\.\./ ) -> FALSE (189) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (189) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (189) if (&User-Name =~ /\.$/) { (189) if (&User-Name =~ /\.$/) -> FALSE (189) if (&User-Name =~ /@\./) { (189) if (&User-Name =~ /@\./) -> FALSE (189) } # if (&User-Name) = updated (189) } # policy filter_username = updated (189) suffix: Checking for suffix after "@" (189) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (189) suffix: Found realm "UNIBE.CH" (189) suffix: Adding Realm = "UNIBE.CH" (189) suffix: Authentication realm is LOCAL (189) [suffix] = ok (189) policy deny_no_realm { (189) if (User-Name && (User-Name !~ /@/)) { (189) if (User-Name && (User-Name !~ /@/)) -> FALSE (189) } # policy deny_no_realm = updated (189) update request { (189) EXPAND %{toupper:%{Realm}} (189) --> UNIBE.CH (189) Realm := UNIBE.CH (189) } # update request = noop (189) eap: Peer sent EAP Response (code 2) ID 8 length 6 (189) eap: Continuing tunnel setup (189) [eap] = ok (189) } # if (EAP-Message) = ok (189) } # authorize = updated (189) Found Auth-Type = eap (189) # Executing group from file /etc/freeradius/sites-enabled/default (189) Auth-Type eap { (189) eap: Removing EAP session with state 0xcf8ae573c982fce6 (189) eap: Previous EAP request found for state 0xcf8ae573c982fce6, released from the list (189) eap: Peer sent packet with method EAP PEAP (25) (189) eap: Calling submodule eap_peap to process data (189) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (189) eap_peap: Session established. Decoding tunneled attributes (189) eap_peap: PEAP state TUNNEL ESTABLISHED (189) eap: Sending EAP Request (code 1) ID 9 length 40 (189) eap: EAP session adding &reply:State = 0xcf8ae573c883fce6 (189) [eap] = handled (189) if (handled && (Response-Packet-Type == Access-Challenge)) { (189) EXPAND Response-Packet-Type (189) --> Access-Challenge (189) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (189) if (handled && (Response-Packet-Type == Access-Challenge)) { (189) attr_filter.access_challenge: EXPAND %{User-Name} (189) attr_filter.access_challenge: --> xyz@unibe.ch (189) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (189) [attr_filter.access_challenge.post-auth] = updated (189) [handled] = handled (189) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (189) } # Auth-Type eap = handled (189) Using Post-Auth-Type Challenge (189) Post-Auth-Type sub-section not found. Ignoring. (189) # Executing group from file /etc/freeradius/sites-enabled/default (189) session-state: Saving cached attributes (189) Framed-MTU = 1014 (189) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (189) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (189) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (189) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (189) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (189) TLS-Session-Version = "TLS 1.2" (189) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 9.9.9.9:60533 length 98 (189) EAP-Message = 0x010900281900170303001d04f99461d03fc2bfcba8de001c3d804bdee9841e17c66ad8e895cc716f (189) Message-Authenticator = 0x00000000000000000000000000000000 (189) State = 0xcf8ae573c883fce6e3b6e72de6bf5cbc (189) Finished request Waking up in 2.0 seconds. (190) Received Access-Request Id 95 from 9.9.9.9:60533 to 130.92.10.33:1812 length 495 (190) User-Name = "xyz@unibe.ch" (190) Service-Type = Framed-User (190) Cisco-AVPair = "service-type=Framed" (190) Framed-MTU = 1485 (190) EAP-Message = 0x0209003c19001703030031205b847b10fba1571aeefaf72e8f9d6bacb5c5b0c60ea6e48b4fbe8b47377db78af34cb6696f2d542aac549b9d859dfb64 (190) Message-Authenticator = 0x4798ae57b2ed9970df767d1ac0b91c74 (190) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (190) Cisco-AVPair = "method=dot1x" (190) Cisco-AVPair = "client-iif-id=3724547122" (190) Cisco-AVPair = "vlan-id=1876" (190) NAS-IP-Address = 9.9.9.9 (190) NAS-Port-Type = Wireless-802.11 (190) NAS-Port = 4211 (190) State = 0xcf8ae573c883fce6e3b6e72de6bf5cbc (190) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (190) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (190) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (190) Calling-Station-Id = "22-e0-73-f2-50-23" (190) Airespace-Wlan-Id = 98 (190) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (190) WLAN-Group-Cipher = 1027076 (190) WLAN-Pairwise-Cipher = 1027076 (190) WLAN-AKM-Suite = 1027075 (190) Restoring &session-state (190) &session-state:Framed-MTU = 1014 (190) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (190) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (190) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (190) &session-state:TLS-Session-Version = "TLS 1.2" (190) # Executing section authorize from file /etc/freeradius/sites-enabled/default (190) authorize { (190) policy rewrite_called_station_id { (190) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (190) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (190) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (190) update request { (190) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (190) --> 60-B9-C0-04-C4-40 (190) &Called-Station-Id := 60-B9-C0-04-C4-40 (190) } # update request = noop (190) if ("%{8}") { (190) EXPAND %{8} (190) --> eduroam (190) if ("%{8}") -> TRUE (190) if ("%{8}") { (190) update request { (190) EXPAND %{8} (190) --> eduroam (190) &Called-Station-SSID := eduroam (190) EXPAND %{Called-Station-Id}:%{8} (190) --> 60-B9-C0-04-C4-40:eduroam (190) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (190) } # update request = noop (190) } # if ("%{8}") = noop (190) [updated] = updated (190) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (190) ... skipping else: Preceding "if" was taken (190) } # policy rewrite_called_station_id = updated (190) policy rewrite_calling_station_id { (190) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (190) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (190) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (190) update request { (190) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (190) --> 22-E0-73-F2-50-23 (190) &Calling-Station-Id := 22-E0-73-F2-50-23 (190) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (190) --> 22:E0:73:F2:50:23 (190) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (190) } # update request = noop (190) [updated] = updated (190) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (190) ... skipping else: Preceding "if" was taken (190) } # policy rewrite_calling_station_id = updated (190) if (NAS-Identifier == "uvisrz0215.insel.ch") { (190) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (190) if (Service-Type == Call-Check) { (190) if (Service-Type == Call-Check) -> FALSE (190) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (190) EXPAND Packet-Src-IP-Address (190) --> 9.9.9.9 (190) EXPAND Packet-Src-IP-Address (190) --> 9.9.9.9 (190) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (190) if (EAP-Message) { (190) if (EAP-Message) -> TRUE (190) if (EAP-Message) { (190) policy filter_username { (190) if (&User-Name) { (190) if (&User-Name) -> TRUE (190) if (&User-Name) { (190) if (&User-Name =~ / /) { (190) if (&User-Name =~ / /) -> FALSE (190) if (&User-Name =~ /@[^@]*@/ ) { (190) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (190) if (&User-Name =~ /\.\./ ) { (190) if (&User-Name =~ /\.\./ ) -> FALSE (190) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (190) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (190) if (&User-Name =~ /\.$/) { (190) if (&User-Name =~ /\.$/) -> FALSE (190) if (&User-Name =~ /@\./) { (190) if (&User-Name =~ /@\./) -> FALSE (190) } # if (&User-Name) = updated (190) } # policy filter_username = updated (190) suffix: Checking for suffix after "@" (190) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (190) suffix: Found realm "UNIBE.CH" (190) suffix: Adding Realm = "UNIBE.CH" (190) suffix: Authentication realm is LOCAL (190) [suffix] = ok (190) policy deny_no_realm { (190) if (User-Name && (User-Name !~ /@/)) { (190) if (User-Name && (User-Name !~ /@/)) -> FALSE (190) } # policy deny_no_realm = updated (190) update request { (190) EXPAND %{toupper:%{Realm}} (190) --> UNIBE.CH (190) Realm := UNIBE.CH (190) } # update request = noop (190) eap: Peer sent EAP Response (code 2) ID 9 length 60 (190) eap: Continuing tunnel setup (190) [eap] = ok (190) } # if (EAP-Message) = ok (190) } # authorize = updated (190) Found Auth-Type = eap (190) # Executing group from file /etc/freeradius/sites-enabled/default (190) Auth-Type eap { (190) eap: Removing EAP session with state 0xcf8ae573c883fce6 (190) eap: Previous EAP request found for state 0xcf8ae573c883fce6, released from the list (190) eap: Peer sent packet with method EAP PEAP (25) (190) eap: Calling submodule eap_peap to process data (190) eap_peap: (TLS) EAP Done initial handshake (190) eap_peap: Session established. Decoding tunneled attributes (190) eap_peap: PEAP state WAITING FOR INNER IDENTITY (190) eap_peap: Identity - xyz@unibe.ch (190) eap_peap: Got inner identity 'xyz@unibe.ch' (190) eap_peap: Setting default EAP type for tunneled EAP session (190) eap_peap: Got tunneled request (190) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (190) eap_peap: Setting User-Name to xyz@unibe.ch (190) eap_peap: Sending tunneled request to proxy-inner-tunnel (190) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (190) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (190) eap_peap: User-Name = "xyz@unibe.ch" (190) eap_peap: Service-Type = Framed-User (190) eap_peap: Cisco-AVPair = "service-type=Framed" (190) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (190) eap_peap: Cisco-AVPair = "method=dot1x" (190) eap_peap: Cisco-AVPair = "client-iif-id=3724547122" (190) eap_peap: Cisco-AVPair = "vlan-id=1876" (190) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (190) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (190) eap_peap: Framed-MTU = 1485 (190) eap_peap: NAS-IP-Address = 9.9.9.9 (190) eap_peap: NAS-Port-Type = Wireless-802.11 (190) eap_peap: NAS-Port = 4211 (190) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (190) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (190) eap_peap: Airespace-Wlan-Id = 98 (190) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (190) eap_peap: WLAN-Group-Cipher = 1027076 (190) eap_peap: WLAN-Pairwise-Cipher = 1027076 (190) eap_peap: WLAN-AKM-Suite = 1027075 (190) Virtual server proxy-inner-tunnel received request (190) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (190) FreeRADIUS-Proxied-To = 127.0.0.1 (190) User-Name = "xyz@unibe.ch" (190) Service-Type = Framed-User (190) Cisco-AVPair = "service-type=Framed" (190) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (190) Cisco-AVPair = "method=dot1x" (190) Cisco-AVPair = "client-iif-id=3724547122" (190) Cisco-AVPair = "vlan-id=1876" (190) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (190) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (190) Framed-MTU = 1485 (190) NAS-IP-Address = 9.9.9.9 (190) NAS-Port-Type = Wireless-802.11 (190) NAS-Port = 4211 (190) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (190) Calling-Station-Id := "22-E0-73-F2-50-23" (190) Airespace-Wlan-Id = 98 (190) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (190) WLAN-Group-Cipher = 1027076 (190) WLAN-Pairwise-Cipher = 1027076 (190) WLAN-AKM-Suite = 1027075 (190) WARNING: Outer and inner identities are the same. User privacy is compromised. (190) server proxy-inner-tunnel { (190) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (190) authorize { (190) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (190) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (190) if (!NAS-Port-Type){ (190) if (!NAS-Port-Type) -> FALSE (190) update control { (190) &Proxy-To-Realm := REALM-NPS-DEV (190) } # update control = noop (190) } # authorize = noop (190) } # server proxy-inner-tunnel (190) Virtual server sending reply (190) eap_peap: Got tunneled reply code 0 (190) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (190) eap: WARNING: Tunneled session will be proxied. Not doing EAP (190) [eap] = handled (190) if (handled && (Response-Packet-Type == Access-Challenge)) { (190) EXPAND Response-Packet-Type (190) --> (190) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (190) } # Auth-Type eap = handled (190) Starting proxy to home server 130.92.14.27 port 1812 (190) server default { (190) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (190) pre-proxy { (190) attr_filter.pre-proxy: EXPAND %{Realm} (190) attr_filter.pre-proxy: --> UNIBE.CH (190) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (190) [attr_filter.pre-proxy] = updated (190) } # pre-proxy = updated (190) } (190) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (190) Sent Access-Request Id 190 from 0.0.0.0:38376 to 130.92.14.27:1812 length 195 (190) Operator-Name := "1unibe.ch" (190) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (190) User-Name = "xyz@unibe.ch" (190) NAS-IP-Address = 9.9.9.9 (190) NAS-Port-Type = Wireless-802.11 (190) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (190) Calling-Station-Id := "22-E0-73-F2-50-23" (190) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (190) Message-Authenticator = 0x (190) Proxy-State = 0x3935 Waking up in 0.3 seconds. (190) Clearing existing &reply: attributes (190) Received Access-Challenge Id 190 from 130.92.14.27:1812 to 130.92.10.33:38376 length 127 (190) Proxy-State = 0x3935 (190) Session-Timeout = 60 (190) EAP-Message = 0x010a00271a010a002210c83761488cca2718c679660556394dee4141492d4e50532d4544555632 (190) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (190) Message-Authenticator = 0xa3812c370e044725e89c60fee08004f3 (190) server default { (190) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (190) post-proxy { (190) attr_filter.post-proxy: EXPAND %{Realm} (190) attr_filter.post-proxy: --> UNIBE.CH (190) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (190) [attr_filter.post-proxy] = updated (190) eap: Doing post-proxy callback (190) eap: Passing reply from proxy back into the tunnel (190) eap: Got tunneled reply RADIUS code 11 (190) eap: Tunnel-Type := VLAN (190) eap: Tunnel-Medium-Type := IEEE-802 (190) eap: Proxy-State = 0x3935 (190) eap: EAP-Message = 0x010a00271a010a002210c83761488cca2718c679660556394dee4141492d4e50532d4544555632 (190) eap: State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (190) eap: Message-Authenticator = 0xa3812c370e044725e89c60fee08004f3 (190) eap: Got tunneled Access-Challenge (190) eap: Reply was handled (190) eap: Sending EAP Request (code 1) ID 10 length 70 (190) eap: EAP session adding &reply:State = 0xcf8ae573c780fce6 (190) [eap] = ok (190) } # post-proxy = updated (190) } (190) session-state: Saving cached attributes (190) Framed-MTU = 1014 (190) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (190) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (190) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (190) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (190) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (190) TLS-Session-Version = "TLS 1.2" (190) Using Post-Auth-Type Challenge (190) Post-Auth-Type sub-section not found. Ignoring. (190) # Executing group from file /etc/freeradius/sites-enabled/default (190) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 9.9.9.9:60533 length 128 (190) EAP-Message = 0x010a00461900170303003b04f99461d03fc2c0ac23d67f4ddb067ebf0aab5a9c002f61bc4a0be3c85a32f413a556f4f955e47114a5bd3076e920126f217073cb89e19f73e9b7 (190) Message-Authenticator = 0x00000000000000000000000000000000 (190) State = 0xcf8ae573c780fce6e3b6e72de6bf5cbc (190) Finished request Waking up in 2.0 seconds. (191) Received Access-Request Id 103 from 9.9.9.9:60533 to 130.92.10.33:1812 length 549 (191) User-Name = "xyz@unibe.ch" (191) Service-Type = Framed-User (191) Cisco-AVPair = "service-type=Framed" (191) Framed-MTU = 1485 (191) EAP-Message = 0x020a007219001703030067205b847b10fba1584559915251d4673e0abf889721cd70283f669b7bc2790a707ee10b32db67326f5dc5ff040d06c69d2abac6cc1d42f3121fd59414b1064d38037caa197e338ac30a55ba2f77cc8e976d46335a5dfb2dd86e2f89a299d8ea1d97945192b49dbe (191) Message-Authenticator = 0xf3f378571c227125d81046d457c56823 (191) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (191) Cisco-AVPair = "method=dot1x" (191) Cisco-AVPair = "client-iif-id=3724547122" (191) Cisco-AVPair = "vlan-id=1876" (191) NAS-IP-Address = 9.9.9.9 (191) NAS-Port-Type = Wireless-802.11 (191) NAS-Port = 4211 (191) State = 0xcf8ae573c780fce6e3b6e72de6bf5cbc (191) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (191) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (191) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (191) Calling-Station-Id = "22-e0-73-f2-50-23" (191) Airespace-Wlan-Id = 98 (191) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (191) WLAN-Group-Cipher = 1027076 (191) WLAN-Pairwise-Cipher = 1027076 (191) WLAN-AKM-Suite = 1027075 (191) session-state: No cached attributes (191) # Executing section authorize from file /etc/freeradius/sites-enabled/default (191) authorize { (191) policy rewrite_called_station_id { (191) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (191) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (191) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (191) update request { (191) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (191) --> 60-B9-C0-04-C4-40 (191) &Called-Station-Id := 60-B9-C0-04-C4-40 (191) } # update request = noop (191) if ("%{8}") { (191) EXPAND %{8} (191) --> eduroam (191) if ("%{8}") -> TRUE (191) if ("%{8}") { (191) update request { (191) EXPAND %{8} (191) --> eduroam (191) &Called-Station-SSID := eduroam (191) EXPAND %{Called-Station-Id}:%{8} (191) --> 60-B9-C0-04-C4-40:eduroam (191) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (191) } # update request = noop (191) } # if ("%{8}") = noop (191) [updated] = updated (191) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (191) ... skipping else: Preceding "if" was taken (191) } # policy rewrite_called_station_id = updated (191) policy rewrite_calling_station_id { (191) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (191) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (191) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (191) update request { (191) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (191) --> 22-E0-73-F2-50-23 (191) &Calling-Station-Id := 22-E0-73-F2-50-23 (191) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (191) --> 22:E0:73:F2:50:23 (191) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (191) } # update request = noop (191) [updated] = updated (191) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (191) ... skipping else: Preceding "if" was taken (191) } # policy rewrite_calling_station_id = updated (191) if (NAS-Identifier == "uvisrz0215.insel.ch") { (191) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (191) if (Service-Type == Call-Check) { (191) if (Service-Type == Call-Check) -> FALSE (191) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (191) EXPAND Packet-Src-IP-Address (191) --> 9.9.9.9 (191) EXPAND Packet-Src-IP-Address (191) --> 9.9.9.9 (191) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (191) if (EAP-Message) { (191) if (EAP-Message) -> TRUE (191) if (EAP-Message) { (191) policy filter_username { (191) if (&User-Name) { (191) if (&User-Name) -> TRUE (191) if (&User-Name) { (191) if (&User-Name =~ / /) { (191) if (&User-Name =~ / /) -> FALSE (191) if (&User-Name =~ /@[^@]*@/ ) { (191) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (191) if (&User-Name =~ /\.\./ ) { (191) if (&User-Name =~ /\.\./ ) -> FALSE (191) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (191) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (191) if (&User-Name =~ /\.$/) { (191) if (&User-Name =~ /\.$/) -> FALSE (191) if (&User-Name =~ /@\./) { (191) if (&User-Name =~ /@\./) -> FALSE (191) } # if (&User-Name) = updated (191) } # policy filter_username = updated (191) suffix: Checking for suffix after "@" (191) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (191) suffix: Found realm "UNIBE.CH" (191) suffix: Adding Realm = "UNIBE.CH" (191) suffix: Authentication realm is LOCAL (191) [suffix] = ok (191) policy deny_no_realm { (191) if (User-Name && (User-Name !~ /@/)) { (191) if (User-Name && (User-Name !~ /@/)) -> FALSE (191) } # policy deny_no_realm = updated (191) update request { (191) EXPAND %{toupper:%{Realm}} (191) --> UNIBE.CH (191) Realm := UNIBE.CH (191) } # update request = noop (191) eap: Peer sent EAP Response (code 2) ID 10 length 114 (191) eap: Continuing tunnel setup (191) [eap] = ok (191) } # if (EAP-Message) = ok (191) } # authorize = updated (191) Found Auth-Type = eap (191) # Executing group from file /etc/freeradius/sites-enabled/default (191) Auth-Type eap { (191) eap: Removing EAP session with state 0xcf8ae573c780fce6 (191) eap: Previous EAP request found for state 0xcf8ae573c780fce6, released from the list (191) eap: Peer sent packet with method EAP PEAP (25) (191) eap: Calling submodule eap_peap to process data (191) eap_peap: (TLS) EAP Done initial handshake (191) eap_peap: Session established. Decoding tunneled attributes (191) eap_peap: PEAP state phase2 (191) eap_peap: EAP method MSCHAPv2 (26) (191) eap_peap: Got tunneled request (191) eap_peap: EAP-Message = 0x020a00531a020a004e3197d74d4a32fbacd2fa345e05a04b070700000000000000008c45061c2def02f04f327c8c1994b030c364f8a9115efe2a00646f6d696e69632e7374616c64657240756e6962652e6368 (191) eap_peap: Setting User-Name to xyz@unibe.ch (191) eap_peap: Sending tunneled request to proxy-inner-tunnel (191) eap_peap: EAP-Message = 0x020a00531a020a004e3197d74d4a32fbacd2fa345e05a04b070700000000000000008c45061c2def02f04f327c8c1994b030c364f8a9115efe2a00646f6d696e69632e7374616c64657240756e6962652e6368 (191) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (191) eap_peap: User-Name = "xyz@unibe.ch" (191) eap_peap: State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (191) eap_peap: Service-Type = Framed-User (191) eap_peap: Cisco-AVPair = "service-type=Framed" (191) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (191) eap_peap: Cisco-AVPair = "method=dot1x" (191) eap_peap: Cisco-AVPair = "client-iif-id=3724547122" (191) eap_peap: Cisco-AVPair = "vlan-id=1876" (191) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (191) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (191) eap_peap: Framed-MTU = 1485 (191) eap_peap: NAS-IP-Address = 9.9.9.9 (191) eap_peap: NAS-Port-Type = Wireless-802.11 (191) eap_peap: NAS-Port = 4211 (191) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (191) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (191) eap_peap: Airespace-Wlan-Id = 98 (191) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (191) eap_peap: WLAN-Group-Cipher = 1027076 (191) eap_peap: WLAN-Pairwise-Cipher = 1027076 (191) eap_peap: WLAN-AKM-Suite = 1027075 (191) Virtual server proxy-inner-tunnel received request (191) EAP-Message = 0x020a00531a020a004e3197d74d4a32fbacd2fa345e05a04b070700000000000000008c45061c2def02f04f327c8c1994b030c364f8a9115efe2a00646f6d696e69632e7374616c64657240756e6962652e6368 (191) FreeRADIUS-Proxied-To = 127.0.0.1 (191) User-Name = "xyz@unibe.ch" (191) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (191) Service-Type = Framed-User (191) Cisco-AVPair = "service-type=Framed" (191) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (191) Cisco-AVPair = "method=dot1x" (191) Cisco-AVPair = "client-iif-id=3724547122" (191) Cisco-AVPair = "vlan-id=1876" (191) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (191) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (191) Framed-MTU = 1485 (191) NAS-IP-Address = 9.9.9.9 (191) NAS-Port-Type = Wireless-802.11 (191) NAS-Port = 4211 (191) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (191) Calling-Station-Id := "22-E0-73-F2-50-23" (191) Airespace-Wlan-Id = 98 (191) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (191) WLAN-Group-Cipher = 1027076 (191) WLAN-Pairwise-Cipher = 1027076 (191) WLAN-AKM-Suite = 1027075 (191) WARNING: Outer and inner identities are the same. User privacy is compromised. (191) server proxy-inner-tunnel { (191) session-state: No cached attributes (191) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (191) authorize { (191) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (191) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (191) if (!NAS-Port-Type){ (191) if (!NAS-Port-Type) -> FALSE (191) update control { (191) &Proxy-To-Realm := REALM-NPS-DEV (191) } # update control = noop (191) } # authorize = noop (191) } # server proxy-inner-tunnel (191) Virtual server sending reply (191) eap_peap: Got tunneled reply code 0 (191) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (191) eap: WARNING: Tunneled session will be proxied. Not doing EAP (191) [eap] = handled (191) if (handled && (Response-Packet-Type == Access-Challenge)) { (191) EXPAND Response-Packet-Type (191) --> (191) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (191) } # Auth-Type eap = handled (191) Starting proxy to home server 130.92.14.27 port 1812 (191) server default { (191) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (191) pre-proxy { (191) attr_filter.pre-proxy: EXPAND %{Realm} (191) attr_filter.pre-proxy: --> UNIBE.CH (191) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (191) [attr_filter.pre-proxy] = updated (191) } # pre-proxy = updated (191) } (191) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (191) Sent Access-Request Id 191 from 0.0.0.0:38376 to 130.92.14.27:1812 length 288 (191) Operator-Name := "1unibe.ch" (191) EAP-Message = 0x020a00531a020a004e3197d74d4a32fbacd2fa345e05a04b070700000000000000008c45061c2def02f04f327c8c1994b030c364f8a9115efe2a00646f6d696e69632e7374616c64657240756e6962652e6368 (191) User-Name = "xyz@unibe.ch" (191) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (191) NAS-IP-Address = 9.9.9.9 (191) NAS-Port-Type = Wireless-802.11 (191) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (191) Calling-Station-Id := "22-E0-73-F2-50-23" (191) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (191) Message-Authenticator = 0x (191) Proxy-State = 0x313033 Waking up in 0.3 seconds. (191) Clearing existing &reply: attributes (191) Received Access-Challenge Id 191 from 130.92.14.27:1812 to 130.92.10.33:38376 length 140 (191) Proxy-State = 0x313033 (191) Session-Timeout = 60 (191) EAP-Message = 0x010b00331a030a002e533d36323537434330314631324434464143463944453131333631363541363935354444423345344438 (191) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (191) Message-Authenticator = 0x8ca6aae399c7f203dc1a20ce85e5750b (191) server default { (191) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (191) post-proxy { (191) attr_filter.post-proxy: EXPAND %{Realm} (191) attr_filter.post-proxy: --> UNIBE.CH (191) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (191) [attr_filter.post-proxy] = updated (191) eap: Doing post-proxy callback (191) eap: Passing reply from proxy back into the tunnel (191) eap: Got tunneled reply RADIUS code 11 (191) eap: Tunnel-Type := VLAN (191) eap: Tunnel-Medium-Type := IEEE-802 (191) eap: Proxy-State = 0x313033 (191) eap: EAP-Message = 0x010b00331a030a002e533d36323537434330314631324434464143463944453131333631363541363935354444423345344438 (191) eap: State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (191) eap: Message-Authenticator = 0x8ca6aae399c7f203dc1a20ce85e5750b (191) eap: Got tunneled Access-Challenge (191) eap: Reply was handled (191) eap: Sending EAP Request (code 1) ID 11 length 82 (191) eap: EAP session adding &reply:State = 0xcf8ae573c681fce6 (191) [eap] = ok (191) } # post-proxy = updated (191) } (191) Using Post-Auth-Type Challenge (191) Post-Auth-Type sub-section not found. Ignoring. (191) # Executing group from file /etc/freeradius/sites-enabled/default (191) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 9.9.9.9:60533 length 140 (191) EAP-Message = 0x010b00521900170303004704f99461d03fc2c1394041037baef530edfd9b8bf3fa86b0e63dd7b2ccbec2333eb2a290f24dcaa4882575e6ace41e0ab2b5a7b86b753145bb360713633e4a7d4d11d21c93b2d4 (191) Message-Authenticator = 0x00000000000000000000000000000000 (191) State = 0xcf8ae573c681fce6e3b6e72de6bf5cbc (191) Finished request Waking up in 1.9 seconds. (192) Received Access-Request Id 111 from 9.9.9.9:60533 to 130.92.10.33:1812 length 472 (192) User-Name = "xyz@unibe.ch" (192) Service-Type = Framed-User (192) Cisco-AVPair = "service-type=Framed" (192) Framed-MTU = 1485 (192) EAP-Message = 0x020b00251900170303001a205b847b10fba159867591b547327317b26e0f7da7607738977b (192) Message-Authenticator = 0x80bb23fad6417fe1677e1055aac4907e (192) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (192) Cisco-AVPair = "method=dot1x" (192) Cisco-AVPair = "client-iif-id=3724547122" (192) Cisco-AVPair = "vlan-id=1876" (192) NAS-IP-Address = 9.9.9.9 (192) NAS-Port-Type = Wireless-802.11 (192) NAS-Port = 4211 (192) State = 0xcf8ae573c681fce6e3b6e72de6bf5cbc (192) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (192) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (192) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (192) Calling-Station-Id = "22-e0-73-f2-50-23" (192) Airespace-Wlan-Id = 98 (192) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (192) WLAN-Group-Cipher = 1027076 (192) WLAN-Pairwise-Cipher = 1027076 (192) WLAN-AKM-Suite = 1027075 (192) session-state: No cached attributes (192) # Executing section authorize from file /etc/freeradius/sites-enabled/default (192) authorize { (192) policy rewrite_called_station_id { (192) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (192) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (192) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (192) update request { (192) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (192) --> 60-B9-C0-04-C4-40 (192) &Called-Station-Id := 60-B9-C0-04-C4-40 (192) } # update request = noop (192) if ("%{8}") { (192) EXPAND %{8} (192) --> eduroam (192) if ("%{8}") -> TRUE (192) if ("%{8}") { (192) update request { (192) EXPAND %{8} (192) --> eduroam (192) &Called-Station-SSID := eduroam (192) EXPAND %{Called-Station-Id}:%{8} (192) --> 60-B9-C0-04-C4-40:eduroam (192) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (192) } # update request = noop (192) } # if ("%{8}") = noop (192) [updated] = updated (192) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (192) ... skipping else: Preceding "if" was taken (192) } # policy rewrite_called_station_id = updated (192) policy rewrite_calling_station_id { (192) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (192) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (192) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (192) update request { (192) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (192) --> 22-E0-73-F2-50-23 (192) &Calling-Station-Id := 22-E0-73-F2-50-23 (192) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (192) --> 22:E0:73:F2:50:23 (192) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (192) } # update request = noop (192) [updated] = updated (192) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (192) ... skipping else: Preceding "if" was taken (192) } # policy rewrite_calling_station_id = updated (192) if (NAS-Identifier == "uvisrz0215.insel.ch") { (192) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (192) if (Service-Type == Call-Check) { (192) if (Service-Type == Call-Check) -> FALSE (192) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (192) EXPAND Packet-Src-IP-Address (192) --> 9.9.9.9 (192) EXPAND Packet-Src-IP-Address (192) --> 9.9.9.9 (192) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (192) if (EAP-Message) { (192) if (EAP-Message) -> TRUE (192) if (EAP-Message) { (192) policy filter_username { (192) if (&User-Name) { (192) if (&User-Name) -> TRUE (192) if (&User-Name) { (192) if (&User-Name =~ / /) { (192) if (&User-Name =~ / /) -> FALSE (192) if (&User-Name =~ /@[^@]*@/ ) { (192) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (192) if (&User-Name =~ /\.\./ ) { (192) if (&User-Name =~ /\.\./ ) -> FALSE (192) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (192) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (192) if (&User-Name =~ /\.$/) { (192) if (&User-Name =~ /\.$/) -> FALSE (192) if (&User-Name =~ /@\./) { (192) if (&User-Name =~ /@\./) -> FALSE (192) } # if (&User-Name) = updated (192) } # policy filter_username = updated (192) suffix: Checking for suffix after "@" (192) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (192) suffix: Found realm "UNIBE.CH" (192) suffix: Adding Realm = "UNIBE.CH" (192) suffix: Authentication realm is LOCAL (192) [suffix] = ok (192) policy deny_no_realm { (192) if (User-Name && (User-Name !~ /@/)) { (192) if (User-Name && (User-Name !~ /@/)) -> FALSE (192) } # policy deny_no_realm = updated (192) update request { (192) EXPAND %{toupper:%{Realm}} (192) --> UNIBE.CH (192) Realm := UNIBE.CH (192) } # update request = noop (192) eap: Peer sent EAP Response (code 2) ID 11 length 37 (192) eap: Continuing tunnel setup (192) [eap] = ok (192) } # if (EAP-Message) = ok (192) } # authorize = updated (192) Found Auth-Type = eap (192) # Executing group from file /etc/freeradius/sites-enabled/default (192) Auth-Type eap { (192) eap: Removing EAP session with state 0xcf8ae573c681fce6 (192) eap: Previous EAP request found for state 0xcf8ae573c681fce6, released from the list (192) eap: Peer sent packet with method EAP PEAP (25) (192) eap: Calling submodule eap_peap to process data (192) eap_peap: (TLS) EAP Done initial handshake (192) eap_peap: Session established. Decoding tunneled attributes (192) eap_peap: PEAP state phase2 (192) eap_peap: EAP method MSCHAPv2 (26) (192) eap_peap: Got tunneled request (192) eap_peap: EAP-Message = 0x020b00061a03 (192) eap_peap: Setting User-Name to xyz@unibe.ch (192) eap_peap: Sending tunneled request to proxy-inner-tunnel (192) eap_peap: EAP-Message = 0x020b00061a03 (192) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (192) eap_peap: User-Name = "xyz@unibe.ch" (192) eap_peap: State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (192) eap_peap: Service-Type = Framed-User (192) eap_peap: Cisco-AVPair = "service-type=Framed" (192) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (192) eap_peap: Cisco-AVPair = "method=dot1x" (192) eap_peap: Cisco-AVPair = "client-iif-id=3724547122" (192) eap_peap: Cisco-AVPair = "vlan-id=1876" (192) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (192) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (192) eap_peap: Framed-MTU = 1485 (192) eap_peap: NAS-IP-Address = 9.9.9.9 (192) eap_peap: NAS-Port-Type = Wireless-802.11 (192) eap_peap: NAS-Port = 4211 (192) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (192) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (192) eap_peap: Airespace-Wlan-Id = 98 (192) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (192) eap_peap: WLAN-Group-Cipher = 1027076 (192) eap_peap: WLAN-Pairwise-Cipher = 1027076 (192) eap_peap: WLAN-AKM-Suite = 1027075 (192) Virtual server proxy-inner-tunnel received request (192) EAP-Message = 0x020b00061a03 (192) FreeRADIUS-Proxied-To = 127.0.0.1 (192) User-Name = "xyz@unibe.ch" (192) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (192) Service-Type = Framed-User (192) Cisco-AVPair = "service-type=Framed" (192) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (192) Cisco-AVPair = "method=dot1x" (192) Cisco-AVPair = "client-iif-id=3724547122" (192) Cisco-AVPair = "vlan-id=1876" (192) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (192) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (192) Framed-MTU = 1485 (192) NAS-IP-Address = 9.9.9.9 (192) NAS-Port-Type = Wireless-802.11 (192) NAS-Port = 4211 (192) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (192) Calling-Station-Id := "22-E0-73-F2-50-23" (192) Airespace-Wlan-Id = 98 (192) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (192) WLAN-Group-Cipher = 1027076 (192) WLAN-Pairwise-Cipher = 1027076 (192) WLAN-AKM-Suite = 1027075 (192) WARNING: Outer and inner identities are the same. User privacy is compromised. (192) server proxy-inner-tunnel { (192) session-state: No cached attributes (192) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (192) authorize { (192) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (192) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (192) if (!NAS-Port-Type){ (192) if (!NAS-Port-Type) -> FALSE (192) update control { (192) &Proxy-To-Realm := REALM-NPS-DEV (192) } # update control = noop (192) } # authorize = noop (192) } # server proxy-inner-tunnel (192) Virtual server sending reply (192) eap_peap: Got tunneled reply code 0 (192) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (192) eap: WARNING: Tunneled session will be proxied. Not doing EAP (192) [eap] = handled (192) if (handled && (Response-Packet-Type == Access-Challenge)) { (192) EXPAND Response-Packet-Type (192) --> (192) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (192) } # Auth-Type eap = handled (192) Starting proxy to home server 130.92.14.27 port 1812 (192) server default { (192) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (192) pre-proxy { (192) attr_filter.pre-proxy: EXPAND %{Realm} (192) attr_filter.pre-proxy: --> UNIBE.CH (192) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (192) [attr_filter.pre-proxy] = updated (192) } # pre-proxy = updated (192) } (192) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (192) Sent Access-Request Id 192 from 0.0.0.0:38376 to 130.92.14.27:1812 length 211 (192) Operator-Name := "1unibe.ch" (192) EAP-Message = 0x020b00061a03 (192) User-Name = "xyz@unibe.ch" (192) State = 0x22df03070000013700010200825c0e1b000000000000000000000000000000043a958c65 (192) NAS-IP-Address = 9.9.9.9 (192) NAS-Port-Type = Wireless-802.11 (192) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (192) Calling-Station-Id := "22-E0-73-F2-50-23" (192) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (192) Message-Authenticator = 0x (192) Proxy-State = 0x313131 Waking up in 0.3 seconds. (192) Clearing existing &reply: attributes (192) Received Access-Accept Id 192 from 130.92.14.27:1812 to 130.92.10.33:38376 length 289 (192) Proxy-State = 0x313131 (192) Class = 0x7374616666 (192) Filter-Id = "staff" (192) Framed-Protocol = PPP (192) Service-Type = Framed-User (192) Tunnel-Medium-Type:0 = IEEE-802 (192) Tunnel-Private-Group-Id:0 = "1874" (192) Tunnel-Type:0 = VLAN (192) EAP-Message = 0x030b0004 (192) Class = 0x577206960000013700010200825c0e1b00000000000000000000000001dac0032e975ae0000000000057c996 (192) MS-CHAP-Domain = "\001CAMPUS" (192) MS-MPPE-Send-Key = 0xfe66eab21e8b02b3e1c4b4f57f508f7a (192) MS-MPPE-Recv-Key = 0x1d45747249960c52c1ceeaf9378ad8aa (192) MS-CHAP2-Success = 0x01533d36323537434330314631324434464143463944453131333631363541363935354444423345344438 (192) Message-Authenticator = 0x332c0b8965d8c87621614cec5d9820b5 (192) server default { (192) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (192) post-proxy { (192) attr_filter.post-proxy: EXPAND %{Realm} (192) attr_filter.post-proxy: --> UNIBE.CH (192) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102 (192) [attr_filter.post-proxy] = updated (192) eap: Doing post-proxy callback (192) eap: Passing reply from proxy back into the tunnel (192) eap: Got tunneled reply RADIUS code 2 (192) eap: Tunnel-Type := VLAN (192) eap: Tunnel-Medium-Type := IEEE-802 (192) eap: Proxy-State = 0x313131 (192) eap: Class = 0x7374616666 (192) eap: Filter-Id = "staff" (192) eap: Tunnel-Private-Group-Id:0 = "1874" (192) eap: EAP-Message = 0x030b0004 (192) eap: Class = 0x577206960000013700010200825c0e1b00000000000000000000000001dac0032e975ae0000000000057c996 (192) eap: MS-MPPE-Send-Key = 0xfe66eab21e8b02b3e1c4b4f57f508f7a (192) eap: MS-MPPE-Recv-Key = 0x1d45747249960c52c1ceeaf9378ad8aa (192) eap: Message-Authenticator = 0x332c0b8965d8c87621614cec5d9820b5 (192) eap: Tunneled authentication was successful (192) eap: SUCCESS (192) eap: Saving tunneled attributes for later (192) eap: Reply was handled (192) eap: Sending EAP Request (code 1) ID 12 length 46 (192) eap: EAP session adding &reply:State = 0xcf8ae573c586fce6 (192) [eap] = ok (192) } # post-proxy = updated (192) } (192) Using Post-Auth-Type Challenge (192) Post-Auth-Type sub-section not found. Ignoring. (192) # Executing group from file /etc/freeradius/sites-enabled/default (192) Sent Access-Challenge Id 111 from 130.92.10.33:1812 to 9.9.9.9:60533 length 104 (192) EAP-Message = 0x010c002e1900170303002304f99461d03fc2c2b4dd16ee98eb7b0ed3a137545de5ddc88bf5b3423c2b5f193225fc (192) Message-Authenticator = 0x00000000000000000000000000000000 (192) State = 0xcf8ae573c586fce6e3b6e72de6bf5cbc (192) Finished request Waking up in 1.9 seconds. (193) Received Access-Request Id 119 from 9.9.9.9:60533 to 130.92.10.33:1812 length 481 (193) User-Name = "xyz@unibe.ch" (193) Service-Type = Framed-User (193) Cisco-AVPair = "service-type=Framed" (193) Framed-MTU = 1485 (193) EAP-Message = 0x020c002e19001703030023205b847b10fba15afce16997166d4cb19322461fe577bbdaf9ad0ee9efac33751092a9 (193) Message-Authenticator = 0xb4660f308f2de4f2c559a9a233219dd9 (193) Cisco-AVPair = "audit-session-id=0F2A5C820000093C2FFBA7DF" (193) Cisco-AVPair = "method=dot1x" (193) Cisco-AVPair = "client-iif-id=3724547122" (193) Cisco-AVPair = "vlan-id=1876" (193) NAS-IP-Address = 9.9.9.9 (193) NAS-Port-Type = Wireless-802.11 (193) NAS-Port = 4211 (193) State = 0xcf8ae573c586fce6e3b6e72de6bf5cbc (193) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (193) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (193) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (193) Calling-Station-Id = "22-e0-73-f2-50-23" (193) Airespace-Wlan-Id = 98 (193) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (193) WLAN-Group-Cipher = 1027076 (193) WLAN-Pairwise-Cipher = 1027076 (193) WLAN-AKM-Suite = 1027075 (193) session-state: No cached attributes (193) # Executing section authorize from file /etc/freeradius/sites-enabled/default (193) authorize { (193) policy rewrite_called_station_id { (193) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (193) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (193) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (193) update request { (193) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (193) --> 60-B9-C0-04-C4-40 (193) &Called-Station-Id := 60-B9-C0-04-C4-40 (193) } # update request = noop (193) if ("%{8}") { (193) EXPAND %{8} (193) --> eduroam (193) if ("%{8}") -> TRUE (193) if ("%{8}") { (193) update request { (193) EXPAND %{8} (193) --> eduroam (193) &Called-Station-SSID := eduroam (193) EXPAND %{Called-Station-Id}:%{8} (193) --> 60-B9-C0-04-C4-40:eduroam (193) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (193) } # update request = noop (193) } # if ("%{8}") = noop (193) [updated] = updated (193) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (193) ... skipping else: Preceding "if" was taken (193) } # policy rewrite_called_station_id = updated (193) policy rewrite_calling_station_id { (193) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (193) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (193) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (193) update request { (193) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (193) --> 22-E0-73-F2-50-23 (193) &Calling-Station-Id := 22-E0-73-F2-50-23 (193) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (193) --> 22:E0:73:F2:50:23 (193) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (193) } # update request = noop (193) [updated] = updated (193) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (193) ... skipping else: Preceding "if" was taken (193) } # policy rewrite_calling_station_id = updated (193) if (NAS-Identifier == "uvisrz0215.insel.ch") { (193) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (193) if (Service-Type == Call-Check) { (193) if (Service-Type == Call-Check) -> FALSE (193) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (193) EXPAND Packet-Src-IP-Address (193) --> 9.9.9.9 (193) EXPAND Packet-Src-IP-Address (193) --> 9.9.9.9 (193) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (193) if (EAP-Message) { (193) if (EAP-Message) -> TRUE (193) if (EAP-Message) { (193) policy filter_username { (193) if (&User-Name) { (193) if (&User-Name) -> TRUE (193) if (&User-Name) { (193) if (&User-Name =~ / /) { (193) if (&User-Name =~ / /) -> FALSE (193) if (&User-Name =~ /@[^@]*@/ ) { (193) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (193) if (&User-Name =~ /\.\./ ) { (193) if (&User-Name =~ /\.\./ ) -> FALSE (193) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (193) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (193) if (&User-Name =~ /\.$/) { (193) if (&User-Name =~ /\.$/) -> FALSE (193) if (&User-Name =~ /@\./) { (193) if (&User-Name =~ /@\./) -> FALSE (193) } # if (&User-Name) = updated (193) } # policy filter_username = updated (193) suffix: Checking for suffix after "@" (193) suffix: Looking up realm "unibe.ch" for User-Name = "xyz@unibe.ch" (193) suffix: Found realm "UNIBE.CH" (193) suffix: Adding Realm = "UNIBE.CH" (193) suffix: Authentication realm is LOCAL (193) [suffix] = ok (193) policy deny_no_realm { (193) if (User-Name && (User-Name !~ /@/)) { (193) if (User-Name && (User-Name !~ /@/)) -> FALSE (193) } # policy deny_no_realm = updated (193) update request { (193) EXPAND %{toupper:%{Realm}} (193) --> UNIBE.CH (193) Realm := UNIBE.CH (193) } # update request = noop (193) eap: Peer sent EAP Response (code 2) ID 12 length 46 (193) eap: Continuing tunnel setup (193) [eap] = ok (193) } # if (EAP-Message) = ok (193) } # authorize = updated (193) Found Auth-Type = eap (193) # Executing group from file /etc/freeradius/sites-enabled/default (193) Auth-Type eap { (193) eap: Removing EAP session with state 0xcf8ae573c586fce6 (193) eap: Previous EAP request found for state 0xcf8ae573c586fce6, released from the list (193) eap: Peer sent packet with method EAP PEAP (25) (193) eap: Calling submodule eap_peap to process data (193) eap_peap: (TLS) EAP Done initial handshake (193) eap_peap: Session established. Decoding tunneled attributes (193) eap_peap: PEAP state send tlv success (193) eap_peap: Received EAP-TLV response (193) eap_peap: Success (193) eap_peap: Using saved attributes from the original Access-Accept (193) eap_peap: Tunnel-Type := VLAN (193) eap_peap: Tunnel-Medium-Type := IEEE-802 (193) eap_peap: Class = 0x7374616666 (193) eap_peap: Filter-Id = "staff" (193) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (193) eap_peap: Class = 0x577206960000013700010200825c0e1b00000000000000000000000001dac0032e975ae0000000000057c996 (193) eap: Sending EAP Success (code 3) ID 12 length 4 (193) eap: Freeing handler (193) [eap] = ok (193) if (handled && (Response-Packet-Type == Access-Challenge)) { (193) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (193) } # Auth-Type eap = ok (193) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (193) post-auth { (193) update { (193) No attributes updated for RHS &session-state: (193) } # update = noop (193) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (193) 802.1x_authz_log: --> sp.Access-Accept (193) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (193) 802.1x_authz_log: --> Fri Nov 15 14:20:45 2024 : AuthZ: (119) Access-Accept: [xyz@unibe.ch] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 operator-name Unknown) (193) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log (193) 802.1x_authz_log: --> /var/log/freeradius/authz.log (193) [802.1x_authz_log] = ok (193) policy remove_reply_message_if_eap { (193) if (&reply:EAP-Message && &reply:Reply-Message) { (193) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (193) else { (193) [noop] = noop (193) } # else = noop (193) } # policy remove_reply_message_if_eap = noop (193) } # post-auth = ok (193) Login OK: [xyz@unibe.ch] (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 cli 22-E0-73-F2-50-23) (193) Sent Access-Accept Id 119 from 130.92.10.33:1812 to 9.9.9.9:60533 length 264 (193) Tunnel-Type := VLAN (193) Tunnel-Medium-Type := IEEE-802 (193) Class = 0x7374616666 (193) Filter-Id = "staff" (193) Tunnel-Private-Group-Id:0 = "1874" (193) Class = 0x577206960000013700010200825c0e1b00000000000000000000000001dac0032e975ae0000000000057c996 (193) MS-MPPE-Recv-Key = 0xa0c1ae0b7eeb1e5c11689f0921a1cd1bda85111a84912ecbbb853107fe90372a (193) MS-MPPE-Send-Key = 0x4f4bdb175d9d487f81ddf1e819a82c37de9d37605d47a226923fc335d3e805a4 (193) EAP-Message = 0x030c0004 (193) Message-Authenticator = 0x00000000000000000000000000000000 (193) User-Name = "xyz@unibe.ch" (193) Finished request Waking up in 1.9 seconds. If you look at src/main/tls.c, it adds that attribute when the debug output shows "Connection established". And, it prints out the attribute it's added. (188) eap_peap: (TLS) PEAP - Connection Established (188) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) eap_peap: TLS-Session-Version = "TLS 1.2" Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is is this another “SSL thing” patched by Nick? - More debugging for SSL ciphers. Patch from Nick Porter. Nonetheless, I am going to figure out how adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example): linelog 802.1x_authz_log { filename = ${logdir}/authz.log reference = "sp.%{%{reply:Packet-Type}:-format}" sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})" } } Fri Nov 15 14:25:34 2024 : AuthZ: (11) Access-Accept: [anonymous@unibe.ch] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=external VLAN=1876 Class=0x65787465726e616c (from client localhost port 0 operator-name Unknown)
On Nov 15, 2024, at 9:27 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard do find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".
OK.
(188) eap_peap: (TLS) PEAP - Connection Established (188) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) eap_peap: TLS-Session-Version = "TLS 1.2"
Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is is this another “SSL thing” patched by Nick?]
"git annotate" state the TLS-Session-Version code was added in August 2018.
- More debugging for SSL ciphers. Patch from Nick Porter.
Nonetheless, I am going to figure out how adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example):
It's not a matter of "adjusting" things. It's figuring out where in the call flow the attribute is defined, and then accessing it after that.
linelog 802.1x_authz_log {
If you're logging this in the "authorize" phase, then it generally won't work. The TLS variables are defined after that. Instead, log things in the "post-auth" phase. You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then. Alan DeKok.
Hi Alan
If you're logging this in the "authorize" phase, then it generally won't work. The TLS variables are defined after that. Instead, log things in the "post-auth" phase. You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then.
OK thanks, going to change that asap and pretty sure, it will work (again) after. But let me add, this logging configuration did not change on our side from 3.2.{someting} to 3.2.4 to 3.2.6 now. That’s why I am little confused, but happy to have a solution in the end. Regards
Am 15.11.2024 um 15:37 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 15, 2024, at 9:27 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard do find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".
OK.
(188) eap_peap: (TLS) PEAP - Connection Established (188) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) eap_peap: TLS-Session-Version = "TLS 1.2"
Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is is this another “SSL thing” patched by Nick?]
"git annotate" state the TLS-Session-Version code was added in August 2018.
- More debugging for SSL ciphers. Patch from Nick Porter.
Nonetheless, I am going to figure out how adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example):
It's not a matter of "adjusting" things. It's figuring out where in the call flow the attribute is defined, and then accessing it after that.
linelog 802.1x_authz_log {
If you're logging this in the "authorize" phase, then it generally won't work. The TLS variables are defined after that.
Instead, log things in the "post-auth" phase. You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, again; I checked the default site configuration and it is already logged in the post-auth phase: post-auth { update { &reply: += &session-state: } 802.1x_authz_log } Any ideas on this behavior?
On 15/11/2024 17:25, Dominic Stalder wrote:
Sorry, again; I checked the default site configuration and it is already logged in the post-auth phase:
post-auth { update { &reply: += &session-state: }
802.1x_authz_log }
Suggest you add `debug_all` before the logging call, then you can see exactly what attributes are available. If what you want is not shown then there is something else up. If it is in the list then your logging config needs adjusting. -- Matthew
Hi guys I was finally able to find some time to test and debug it (again). As suggested, I added „debug_all" in the post-auth section before anything else: post-auth { debug_all if (Service-Type == Call-Check) { MAC_auth_log } else { 802.1x_auth_log } ... } See full debug output at the end... I can see multiple places, where "TLS-Session-Cipher-Suite“ and "TLS-Session-Version“ are referenced: (357) Using Post-Auth-Type Challenge (357) Post-Auth-Type sub-section not found. Ignoring. (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) session-state: Saving cached attributes ... (357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) TLS-Session-Version = "TLS 1.2" (358) Restoring &session-state (358) &session-state:Framed-MTU = 1014 ... (358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) &session-state:TLS-Session-Version = "TLS 1.2" (345) Auth-Type eap { (345) eap: Removing EAP session with state 0x0141131104460af2 (345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list (345) eap: Peer sent packet with method EAP PEAP (25) (345) eap: Calling submodule eap_peap to process data (345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (345) eap_peap: (TLS) EAP Got all data (126 bytes) (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (345) eap_peap: (TLS) PEAP - Connection Established (345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) eap_peap: TLS-Session-Version = "TLS 1.2" But nonetheless, it is not logged afterwards: (362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=xyz Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) What am I missing in this context? Regards Dominic *** Full debug output: (339) Received Access-Request Id 183 from 130.92.42.15:60533 to 130.92.10.33:1812 length 446 (339) User-Name = "xyz@realm.com" (339) Service-Type = Framed-User (339) Cisco-AVPair = "service-type=Framed" (339) Framed-MTU = 1485 (339) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (339) Message-Authenticator = 0x4c3f3cc9745bd26770b48c2b3b9875fb (339) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (339) Cisco-AVPair = "method=dot1x" (339) Cisco-AVPair = "client-iif-id=2499807523" (339) Cisco-AVPair = "vlan-id=1876" (339) NAS-IP-Address = 130.92.42.15 (339) NAS-Port-Type = Wireless-802.11 (339) NAS-Port = 4211 (339) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (339) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (339) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (339) Calling-Station-Id = "22-e0-73-f2-50-23" (339) Airespace-Wlan-Id = 98 (339) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (339) WLAN-Group-Cipher = 1027076 (339) WLAN-Pairwise-Cipher = 1027076 (339) WLAN-AKM-Suite = 1027075 (339) # Executing section authorize from file /etc/freeradius/sites-enabled/default (339) authorize { (339) policy rewrite_called_station_id { (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (339) update request { (339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (339) --> 60-B9-C0-04-C4-40 (339) &Called-Station-Id := 60-B9-C0-04-C4-40 (339) } # update request = noop (339) if ("%{8}") { (339) EXPAND %{8} (339) --> eduroam (339) if ("%{8}") -> TRUE (339) if ("%{8}") { (339) update request { (339) EXPAND %{8} (339) --> eduroam (339) &Called-Station-SSID := eduroam (339) EXPAND %{Called-Station-Id}:%{8} (339) --> 60-B9-C0-04-C4-40:eduroam (339) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (339) } # update request = noop (339) } # if ("%{8}") = noop (339) [updated] = updated (339) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (339) ... skipping else: Preceding "if" was taken (339) } # policy rewrite_called_station_id = updated (339) policy rewrite_calling_station_id { (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (339) update request { (339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (339) --> 22-E0-73-F2-50-23 (339) &Calling-Station-Id := 22-E0-73-F2-50-23 (339) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (339) --> 22:E0:73:F2:50:23 (339) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (339) } # update request = noop (339) [updated] = updated (339) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (339) ... skipping else: Preceding "if" was taken (339) } # policy rewrite_calling_station_id = updated (339) if (NAS-Identifier == "uvisrz0215.insel.ch") { (339) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (339) if (Service-Type == Call-Check) { (339) if (Service-Type == Call-Check) -> FALSE (339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (339) EXPAND Packet-Src-IP-Address (339) --> 130.92.42.15 (339) EXPAND Packet-Src-IP-Address (339) --> 130.92.42.15 (339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (339) if (EAP-Message) { (339) if (EAP-Message) -> TRUE (339) if (EAP-Message) { (339) policy filter_username { (339) if (&User-Name) { (339) if (&User-Name) -> TRUE (339) if (&User-Name) { (339) if (&User-Name =~ / /) { (339) if (&User-Name =~ / /) -> FALSE (339) if (&User-Name =~ /@[^@]*@/ ) { (339) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (339) if (&User-Name =~ /\.\./ ) { (339) if (&User-Name =~ /\.\./ ) -> FALSE (339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (339) if (&User-Name =~ /\.$/) { (339) if (&User-Name =~ /\.$/) -> FALSE (339) if (&User-Name =~ /@\./) { (339) if (&User-Name =~ /@\./) -> FALSE (339) } # if (&User-Name) = updated (339) } # policy filter_username = updated (339) suffix: Checking for suffix after "@" (339) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (339) suffix: Found realm "REALM.COM" (339) suffix: Adding Realm = "REALM.COM" (339) suffix: Authentication realm is LOCAL (339) [suffix] = ok (339) policy deny_no_realm { (339) if (User-Name && (User-Name !~ /@/)) { (339) if (User-Name && (User-Name !~ /@/)) -> FALSE (339) } # policy deny_no_realm = updated (339) update request { (339) EXPAND %{toupper:%{Realm}} (339) --> REALM.COM (339) Realm := REALM.COM (339) } # update request = noop (339) eap: Peer sent EAP Response (code 2) ID 1 length 29 (339) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (339) [eap] = ok (339) } # if (EAP-Message) = ok (339) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (339) } # authorize = updated (339) Found Auth-Type = eap (339) # Executing group from file /etc/freeradius/sites-enabled/default (339) Auth-Type eap { (339) eap: Peer sent packet with method EAP Identity (1) (339) eap: Calling submodule eap_peap to process data (339) eap_peap: (TLS) PEAP -Initiating new session (339) eap: Sending EAP Request (code 1) ID 2 length 6 (339) eap: EAP session adding &reply:State = 0x0141131101430af2 (339) [eap] = handled (339) if (handled && (Response-Packet-Type == Access-Challenge)) { (339) EXPAND Response-Packet-Type (339) --> Access-Challenge (339) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (339) if (handled && (Response-Packet-Type == Access-Challenge)) { (339) attr_filter.access_challenge: EXPAND %{User-Name} (339) attr_filter.access_challenge: --> xyz@realm.com (339) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (339) [attr_filter.access_challenge.post-auth] = updated (339) [handled] = handled (339) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (339) } # Auth-Type eap = handled (339) Using Post-Auth-Type Challenge (339) Post-Auth-Type sub-section not found. Ignoring. (339) # Executing group from file /etc/freeradius/sites-enabled/default (339) session-state: Saving cached attributes (339) Framed-MTU = 1014 (339) Sent Access-Challenge Id 183 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64 (339) EAP-Message = 0x010200061920 (339) Message-Authenticator = 0x00000000000000000000000000000000 (339) State = 0x0141131101430af2159d1101103ebc16 (339) Finished request Waking up in 4.9 seconds. (340) Received Access-Request Id 191 from 130.92.42.15:60533 to 130.92.10.33:1812 length 596 (340) User-Name = "xyz@realm.com" (340) Service-Type = Framed-User (340) Cisco-AVPair = "service-type=Framed" (340) Framed-MTU = 1485 (340) EAP-Message = 0x020200a119800000009716030100920100008e0303675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba84800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (340) Message-Authenticator = 0x1bf88fb93027e9dd852deff1d387f443 (340) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (340) Cisco-AVPair = "method=dot1x" (340) Cisco-AVPair = "client-iif-id=2499807523" (340) Cisco-AVPair = "vlan-id=1876" (340) NAS-IP-Address = 130.92.42.15 (340) NAS-Port-Type = Wireless-802.11 (340) NAS-Port = 4211 (340) State = 0x0141131101430af2159d1101103ebc16 (340) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (340) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (340) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (340) Calling-Station-Id = "22-e0-73-f2-50-23" (340) Airespace-Wlan-Id = 98 (340) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (340) WLAN-Group-Cipher = 1027076 (340) WLAN-Pairwise-Cipher = 1027076 (340) WLAN-AKM-Suite = 1027075 (340) Restoring &session-state (340) &session-state:Framed-MTU = 1014 (340) # Executing section authorize from file /etc/freeradius/sites-enabled/default (340) authorize { (340) policy rewrite_called_station_id { (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (340) update request { (340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (340) --> 60-B9-C0-04-C4-40 (340) &Called-Station-Id := 60-B9-C0-04-C4-40 (340) } # update request = noop (340) if ("%{8}") { (340) EXPAND %{8} (340) --> eduroam (340) if ("%{8}") -> TRUE (340) if ("%{8}") { (340) update request { (340) EXPAND %{8} (340) --> eduroam (340) &Called-Station-SSID := eduroam (340) EXPAND %{Called-Station-Id}:%{8} (340) --> 60-B9-C0-04-C4-40:eduroam (340) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (340) } # update request = noop (340) } # if ("%{8}") = noop (340) [updated] = updated (340) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (340) ... skipping else: Preceding "if" was taken (340) } # policy rewrite_called_station_id = updated (340) policy rewrite_calling_station_id { (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (340) update request { (340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (340) --> 22-E0-73-F2-50-23 (340) &Calling-Station-Id := 22-E0-73-F2-50-23 (340) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (340) --> 22:E0:73:F2:50:23 (340) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (340) } # update request = noop (340) [updated] = updated (340) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (340) ... skipping else: Preceding "if" was taken (340) } # policy rewrite_calling_station_id = updated (340) if (NAS-Identifier == "uvisrz0215.insel.ch") { (340) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (340) if (Service-Type == Call-Check) { (340) if (Service-Type == Call-Check) -> FALSE (340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (340) EXPAND Packet-Src-IP-Address (340) --> 130.92.42.15 (340) EXPAND Packet-Src-IP-Address (340) --> 130.92.42.15 (340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (340) if (EAP-Message) { (340) if (EAP-Message) -> TRUE (340) if (EAP-Message) { (340) policy filter_username { (340) if (&User-Name) { (340) if (&User-Name) -> TRUE (340) if (&User-Name) { (340) if (&User-Name =~ / /) { (340) if (&User-Name =~ / /) -> FALSE (340) if (&User-Name =~ /@[^@]*@/ ) { (340) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (340) if (&User-Name =~ /\.\./ ) { (340) if (&User-Name =~ /\.\./ ) -> FALSE (340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (340) if (&User-Name =~ /\.$/) { (340) if (&User-Name =~ /\.$/) -> FALSE (340) if (&User-Name =~ /@\./) { (340) if (&User-Name =~ /@\./) -> FALSE (340) } # if (&User-Name) = updated (340) } # policy filter_username = updated (340) suffix: Checking for suffix after "@" (340) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (340) suffix: Found realm "REALM.COM" (340) suffix: Adding Realm = "REALM.COM" (340) suffix: Authentication realm is LOCAL (340) [suffix] = ok (340) policy deny_no_realm { (340) if (User-Name && (User-Name !~ /@/)) { (340) if (User-Name && (User-Name !~ /@/)) -> FALSE (340) } # policy deny_no_realm = updated (340) update request { (340) EXPAND %{toupper:%{Realm}} (340) --> REALM.COM (340) Realm := REALM.COM (340) } # update request = noop (340) eap: Peer sent EAP Response (code 2) ID 2 length 161 (340) eap: Continuing tunnel setup (340) [eap] = ok (340) } # if (EAP-Message) = ok (340) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (340) } # authorize = updated (340) Found Auth-Type = eap (340) # Executing group from file /etc/freeradius/sites-enabled/default (340) Auth-Type eap { (340) eap: Removing EAP session with state 0x0141131101430af2 (340) eap: Previous EAP request found for state 0x0141131101430af2, released from the list (340) eap: Peer sent packet with method EAP PEAP (25) (340) eap: Calling submodule eap_peap to process data (340) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (340) eap_peap: (TLS) EAP Got all data (151 bytes) (340) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (340) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (340) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (340) eap_peap: (TLS) PEAP - In Handshake Phase (340) eap: Sending EAP Request (code 1) ID 3 length 1024 (340) eap: EAP session adding &reply:State = 0x0141131100420af2 (340) [eap] = handled (340) if (handled && (Response-Packet-Type == Access-Challenge)) { (340) EXPAND Response-Packet-Type (340) --> Access-Challenge (340) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (340) if (handled && (Response-Packet-Type == Access-Challenge)) { (340) attr_filter.access_challenge: EXPAND %{User-Name} (340) attr_filter.access_challenge: --> xyz@realm.com (340) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (340) [attr_filter.access_challenge.post-auth] = updated (340) [handled] = handled (340) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (340) } # Auth-Type eap = handled (340) Using Post-Auth-Type Challenge (340) Post-Auth-Type sub-section not found. Ignoring. (340) # Executing group from file /etc/freeradius/sites-enabled/default (340) session-state: Saving cached attributes (340) Framed-MTU = 1014 (340) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (340) Sent Access-Challenge Id 191 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090 (340) EAP-Message = 0x0103040019c000001135160303003d020000390303c6f0abbfc21ebae81584415260a08bae7625b694abcfc744444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a003020102021006387c8dc0feba6f5f4a0c47e7c561cd300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3234303532393030303030305a170d3235303532383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (340) Message-Authenticator = 0x00000000000000000000000000000000 (340) State = 0x0141131100420af2159d1101103ebc16 (340) Finished request Waking up in 4.9 seconds. (341) Received Access-Request Id 199 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (341) User-Name = "xyz@realm.com" (341) Service-Type = Framed-User (341) Cisco-AVPair = "service-type=Framed" (341) Framed-MTU = 1485 (341) EAP-Message = 0x020300061900 (341) Message-Authenticator = 0xae5eb8ba2e18ea67433ce94f73ea9d45 (341) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (341) Cisco-AVPair = "method=dot1x" (341) Cisco-AVPair = "client-iif-id=2499807523" (341) Cisco-AVPair = "vlan-id=1876" (341) NAS-IP-Address = 130.92.42.15 (341) NAS-Port-Type = Wireless-802.11 (341) NAS-Port = 4211 (341) State = 0x0141131100420af2159d1101103ebc16 (341) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (341) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (341) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (341) Calling-Station-Id = "22-e0-73-f2-50-23" (341) Airespace-Wlan-Id = 98 (341) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (341) WLAN-Group-Cipher = 1027076 (341) WLAN-Pairwise-Cipher = 1027076 (341) WLAN-AKM-Suite = 1027075 (341) Restoring &session-state (341) &session-state:Framed-MTU = 1014 (341) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (341) # Executing section authorize from file /etc/freeradius/sites-enabled/default (341) authorize { (341) policy rewrite_called_station_id { (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (341) update request { (341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (341) --> 60-B9-C0-04-C4-40 (341) &Called-Station-Id := 60-B9-C0-04-C4-40 (341) } # update request = noop (341) if ("%{8}") { (341) EXPAND %{8} (341) --> eduroam (341) if ("%{8}") -> TRUE (341) if ("%{8}") { (341) update request { (341) EXPAND %{8} (341) --> eduroam (341) &Called-Station-SSID := eduroam (341) EXPAND %{Called-Station-Id}:%{8} (341) --> 60-B9-C0-04-C4-40:eduroam (341) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (341) } # update request = noop (341) } # if ("%{8}") = noop (341) [updated] = updated (341) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (341) ... skipping else: Preceding "if" was taken (341) } # policy rewrite_called_station_id = updated (341) policy rewrite_calling_station_id { (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (341) update request { (341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (341) --> 22-E0-73-F2-50-23 (341) &Calling-Station-Id := 22-E0-73-F2-50-23 (341) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (341) --> 22:E0:73:F2:50:23 (341) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (341) } # update request = noop (341) [updated] = updated (341) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (341) ... skipping else: Preceding "if" was taken (341) } # policy rewrite_calling_station_id = updated (341) if (NAS-Identifier == "uvisrz0215.insel.ch") { (341) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (341) if (Service-Type == Call-Check) { (341) if (Service-Type == Call-Check) -> FALSE (341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (341) EXPAND Packet-Src-IP-Address (341) --> 130.92.42.15 (341) EXPAND Packet-Src-IP-Address (341) --> 130.92.42.15 (341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (341) if (EAP-Message) { (341) if (EAP-Message) -> TRUE (341) if (EAP-Message) { (341) policy filter_username { (341) if (&User-Name) { (341) if (&User-Name) -> TRUE (341) if (&User-Name) { (341) if (&User-Name =~ / /) { (341) if (&User-Name =~ / /) -> FALSE (341) if (&User-Name =~ /@[^@]*@/ ) { (341) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (341) if (&User-Name =~ /\.\./ ) { (341) if (&User-Name =~ /\.\./ ) -> FALSE (341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (341) if (&User-Name =~ /\.$/) { (341) if (&User-Name =~ /\.$/) -> FALSE (341) if (&User-Name =~ /@\./) { (341) if (&User-Name =~ /@\./) -> FALSE (341) } # if (&User-Name) = updated (341) } # policy filter_username = updated (341) suffix: Checking for suffix after "@" (341) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (341) suffix: Found realm "REALM.COM" (341) suffix: Adding Realm = "REALM.COM" (341) suffix: Authentication realm is LOCAL (341) [suffix] = ok (341) policy deny_no_realm { (341) if (User-Name && (User-Name !~ /@/)) { (341) if (User-Name && (User-Name !~ /@/)) -> FALSE (341) } # policy deny_no_realm = updated (341) update request { (341) EXPAND %{toupper:%{Realm}} (341) --> REALM.COM (341) Realm := REALM.COM (341) } # update request = noop (341) eap: Peer sent EAP Response (code 2) ID 3 length 6 (341) eap: Continuing tunnel setup (341) [eap] = ok (341) } # if (EAP-Message) = ok (341) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (341) } # authorize = updated (341) Found Auth-Type = eap (341) # Executing group from file /etc/freeradius/sites-enabled/default (341) Auth-Type eap { (341) eap: Removing EAP session with state 0x0141131100420af2 (341) eap: Previous EAP request found for state 0x0141131100420af2, released from the list (341) eap: Peer sent packet with method EAP PEAP (25) (341) eap: Calling submodule eap_peap to process data (341) eap_peap: (TLS) Peer ACKed our handshake fragment (341) eap: Sending EAP Request (code 1) ID 4 length 1020 (341) eap: EAP session adding &reply:State = 0x0141131103450af2 (341) [eap] = handled (341) if (handled && (Response-Packet-Type == Access-Challenge)) { (341) EXPAND Response-Packet-Type (341) --> Access-Challenge (341) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (341) if (handled && (Response-Packet-Type == Access-Challenge)) { (341) attr_filter.access_challenge: EXPAND %{User-Name} (341) attr_filter.access_challenge: --> xyz@realm.com (341) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (341) [attr_filter.access_challenge.post-auth] = updated (341) [handled] = handled (341) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (341) } # Auth-Type eap = handled (341) Using Post-Auth-Type Challenge (341) Post-Auth-Type sub-section not found. Ignoring. (341) # Executing group from file /etc/freeradius/sites-enabled/default (341) session-state: Saving cached attributes (341) Framed-MTU = 1014 (341) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (341) Sent Access-Challenge Id 199 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (341) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494 (341) Message-Authenticator = 0x00000000000000000000000000000000 (341) State = 0x0141131103450af2159d1101103ebc16 (341) Finished request Waking up in 4.9 seconds. (342) Received Access-Request Id 207 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (342) User-Name = "xyz@realm.com" (342) Service-Type = Framed-User (342) Cisco-AVPair = "service-type=Framed" (342) Framed-MTU = 1485 (342) EAP-Message = 0x020400061900 (342) Message-Authenticator = 0xa739713798de7cce72a754080e2e64f5 (342) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (342) Cisco-AVPair = "method=dot1x" (342) Cisco-AVPair = "client-iif-id=2499807523" (342) Cisco-AVPair = "vlan-id=1876" (342) NAS-IP-Address = 130.92.42.15 (342) NAS-Port-Type = Wireless-802.11 (342) NAS-Port = 4211 (342) State = 0x0141131103450af2159d1101103ebc16 (342) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (342) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (342) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (342) Calling-Station-Id = "22-e0-73-f2-50-23" (342) Airespace-Wlan-Id = 98 (342) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (342) WLAN-Group-Cipher = 1027076 (342) WLAN-Pairwise-Cipher = 1027076 (342) WLAN-AKM-Suite = 1027075 (342) Restoring &session-state (342) &session-state:Framed-MTU = 1014 (342) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (342) # Executing section authorize from file /etc/freeradius/sites-enabled/default (342) authorize { (342) policy rewrite_called_station_id { (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (342) update request { (342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (342) --> 60-B9-C0-04-C4-40 (342) &Called-Station-Id := 60-B9-C0-04-C4-40 (342) } # update request = noop (342) if ("%{8}") { (342) EXPAND %{8} (342) --> eduroam (342) if ("%{8}") -> TRUE (342) if ("%{8}") { (342) update request { (342) EXPAND %{8} (342) --> eduroam (342) &Called-Station-SSID := eduroam (342) EXPAND %{Called-Station-Id}:%{8} (342) --> 60-B9-C0-04-C4-40:eduroam (342) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (342) } # update request = noop (342) } # if ("%{8}") = noop (342) [updated] = updated (342) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (342) ... skipping else: Preceding "if" was taken (342) } # policy rewrite_called_station_id = updated (342) policy rewrite_calling_station_id { (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (342) update request { (342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (342) --> 22-E0-73-F2-50-23 (342) &Calling-Station-Id := 22-E0-73-F2-50-23 (342) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (342) --> 22:E0:73:F2:50:23 (342) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (342) } # update request = noop (342) [updated] = updated (342) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (342) ... skipping else: Preceding "if" was taken (342) } # policy rewrite_calling_station_id = updated (342) if (NAS-Identifier == "uvisrz0215.insel.ch") { (342) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (342) if (Service-Type == Call-Check) { (342) if (Service-Type == Call-Check) -> FALSE (342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (342) EXPAND Packet-Src-IP-Address (342) --> 130.92.42.15 (342) EXPAND Packet-Src-IP-Address (342) --> 130.92.42.15 (342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (342) if (EAP-Message) { (342) if (EAP-Message) -> TRUE (342) if (EAP-Message) { (342) policy filter_username { (342) if (&User-Name) { (342) if (&User-Name) -> TRUE (342) if (&User-Name) { (342) if (&User-Name =~ / /) { (342) if (&User-Name =~ / /) -> FALSE (342) if (&User-Name =~ /@[^@]*@/ ) { (342) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (342) if (&User-Name =~ /\.\./ ) { (342) if (&User-Name =~ /\.\./ ) -> FALSE (342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (342) if (&User-Name =~ /\.$/) { (342) if (&User-Name =~ /\.$/) -> FALSE (342) if (&User-Name =~ /@\./) { (342) if (&User-Name =~ /@\./) -> FALSE (342) } # if (&User-Name) = updated (342) } # policy filter_username = updated (342) suffix: Checking for suffix after "@" (342) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (342) suffix: Found realm "REALM.COM" (342) suffix: Adding Realm = "REALM.COM" (342) suffix: Authentication realm is LOCAL (342) [suffix] = ok (342) policy deny_no_realm { (342) if (User-Name && (User-Name !~ /@/)) { (342) if (User-Name && (User-Name !~ /@/)) -> FALSE (342) } # policy deny_no_realm = updated (342) update request { (342) EXPAND %{toupper:%{Realm}} (342) --> REALM.COM (342) Realm := REALM.COM (342) } # update request = noop (342) eap: Peer sent EAP Response (code 2) ID 4 length 6 (342) eap: Continuing tunnel setup (342) [eap] = ok (342) } # if (EAP-Message) = ok (342) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (342) } # authorize = updated (342) Found Auth-Type = eap (342) # Executing group from file /etc/freeradius/sites-enabled/default (342) Auth-Type eap { (342) eap: Removing EAP session with state 0x0141131103450af2 (342) eap: Previous EAP request found for state 0x0141131103450af2, released from the list (342) eap: Peer sent packet with method EAP PEAP (25) (342) eap: Calling submodule eap_peap to process data (342) eap_peap: (TLS) Peer ACKed our handshake fragment (342) eap: Sending EAP Request (code 1) ID 5 length 1020 (342) eap: EAP session adding &reply:State = 0x0141131102440af2 (342) [eap] = handled (342) if (handled && (Response-Packet-Type == Access-Challenge)) { (342) EXPAND Response-Packet-Type (342) --> Access-Challenge (342) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (342) if (handled && (Response-Packet-Type == Access-Challenge)) { (342) attr_filter.access_challenge: EXPAND %{User-Name} (342) attr_filter.access_challenge: --> xyz@realm.com (342) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (342) [attr_filter.access_challenge.post-auth] = updated (342) [handled] = handled (342) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (342) } # Auth-Type eap = handled (342) Using Post-Auth-Type Challenge (342) Post-Auth-Type sub-section not found. Ignoring. (342) # Executing group from file /etc/freeradius/sites-enabled/default (342) session-state: Saving cached attributes (342) Framed-MTU = 1014 (342) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (342) Sent Access-Challenge Id 207 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (342) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (342) Message-Authenticator = 0x00000000000000000000000000000000 (342) State = 0x0141131102440af2159d1101103ebc16 (342) Finished request Waking up in 4.9 seconds. (343) Received Access-Request Id 215 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (343) User-Name = "xyz@realm.com" (343) Service-Type = Framed-User (343) Cisco-AVPair = "service-type=Framed" (343) Framed-MTU = 1485 (343) EAP-Message = 0x020500061900 (343) Message-Authenticator = 0x020e5248e9fa82c011bcabd01a028762 (343) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (343) Cisco-AVPair = "method=dot1x" (343) Cisco-AVPair = "client-iif-id=2499807523" (343) Cisco-AVPair = "vlan-id=1876" (343) NAS-IP-Address = 130.92.42.15 (343) NAS-Port-Type = Wireless-802.11 (343) NAS-Port = 4211 (343) State = 0x0141131102440af2159d1101103ebc16 (343) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (343) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (343) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (343) Calling-Station-Id = "22-e0-73-f2-50-23" (343) Airespace-Wlan-Id = 98 (343) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (343) WLAN-Group-Cipher = 1027076 (343) WLAN-Pairwise-Cipher = 1027076 (343) WLAN-AKM-Suite = 1027075 (343) Restoring &session-state (343) &session-state:Framed-MTU = 1014 (343) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (343) # Executing section authorize from file /etc/freeradius/sites-enabled/default (343) authorize { (343) policy rewrite_called_station_id { (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (343) update request { (343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (343) --> 60-B9-C0-04-C4-40 (343) &Called-Station-Id := 60-B9-C0-04-C4-40 (343) } # update request = noop (343) if ("%{8}") { (343) EXPAND %{8} (343) --> eduroam (343) if ("%{8}") -> TRUE (343) if ("%{8}") { (343) update request { (343) EXPAND %{8} (343) --> eduroam (343) &Called-Station-SSID := eduroam (343) EXPAND %{Called-Station-Id}:%{8} (343) --> 60-B9-C0-04-C4-40:eduroam (343) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (343) } # update request = noop (343) } # if ("%{8}") = noop (343) [updated] = updated (343) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (343) ... skipping else: Preceding "if" was taken (343) } # policy rewrite_called_station_id = updated (343) policy rewrite_calling_station_id { (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (343) update request { (343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (343) --> 22-E0-73-F2-50-23 (343) &Calling-Station-Id := 22-E0-73-F2-50-23 (343) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (343) --> 22:E0:73:F2:50:23 (343) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (343) } # update request = noop (343) [updated] = updated (343) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (343) ... skipping else: Preceding "if" was taken (343) } # policy rewrite_calling_station_id = updated (343) if (NAS-Identifier == "uvisrz0215.insel.ch") { (343) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (343) if (Service-Type == Call-Check) { (343) if (Service-Type == Call-Check) -> FALSE (343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (343) EXPAND Packet-Src-IP-Address (343) --> 130.92.42.15 (343) EXPAND Packet-Src-IP-Address (343) --> 130.92.42.15 (343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (343) if (EAP-Message) { (343) if (EAP-Message) -> TRUE (343) if (EAP-Message) { (343) policy filter_username { (343) if (&User-Name) { (343) if (&User-Name) -> TRUE (343) if (&User-Name) { (343) if (&User-Name =~ / /) { (343) if (&User-Name =~ / /) -> FALSE (343) if (&User-Name =~ /@[^@]*@/ ) { (343) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (343) if (&User-Name =~ /\.\./ ) { (343) if (&User-Name =~ /\.\./ ) -> FALSE (343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (343) if (&User-Name =~ /\.$/) { (343) if (&User-Name =~ /\.$/) -> FALSE (343) if (&User-Name =~ /@\./) { (343) if (&User-Name =~ /@\./) -> FALSE (343) } # if (&User-Name) = updated (343) } # policy filter_username = updated (343) suffix: Checking for suffix after "@" (343) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (343) suffix: Found realm "REALM.COM" (343) suffix: Adding Realm = "REALM.COM" (343) suffix: Authentication realm is LOCAL (343) [suffix] = ok (343) policy deny_no_realm { (343) if (User-Name && (User-Name !~ /@/)) { (343) if (User-Name && (User-Name !~ /@/)) -> FALSE (343) } # policy deny_no_realm = updated (343) update request { (343) EXPAND %{toupper:%{Realm}} (343) --> REALM.COM (343) Realm := REALM.COM (343) } # update request = noop (343) eap: Peer sent EAP Response (code 2) ID 5 length 6 (343) eap: Continuing tunnel setup (343) [eap] = ok (343) } # if (EAP-Message) = ok (343) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (343) } # authorize = updated (343) Found Auth-Type = eap (343) # Executing group from file /etc/freeradius/sites-enabled/default (343) Auth-Type eap { (343) eap: Removing EAP session with state 0x0141131102440af2 (343) eap: Previous EAP request found for state 0x0141131102440af2, released from the list (343) eap: Peer sent packet with method EAP PEAP (25) (343) eap: Calling submodule eap_peap to process data (343) eap_peap: (TLS) Peer ACKed our handshake fragment (343) eap: Sending EAP Request (code 1) ID 6 length 1020 (343) eap: EAP session adding &reply:State = 0x0141131105470af2 (343) [eap] = handled (343) if (handled && (Response-Packet-Type == Access-Challenge)) { (343) EXPAND Response-Packet-Type (343) --> Access-Challenge (343) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (343) if (handled && (Response-Packet-Type == Access-Challenge)) { (343) attr_filter.access_challenge: EXPAND %{User-Name} (343) attr_filter.access_challenge: --> xyz@realm.com (343) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (343) [attr_filter.access_challenge.post-auth] = updated (343) [handled] = handled (343) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (343) } # Auth-Type eap = handled (343) Using Post-Auth-Type Challenge (343) Post-Auth-Type sub-section not found. Ignoring. (343) # Executing group from file /etc/freeradius/sites-enabled/default (343) session-state: Saving cached attributes (343) Framed-MTU = 1014 (343) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (343) Sent Access-Challenge Id 215 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (343) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (343) Message-Authenticator = 0x00000000000000000000000000000000 (343) State = 0x0141131105470af2159d1101103ebc16 (343) Finished request Waking up in 4.9 seconds. (344) Received Access-Request Id 223 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (344) User-Name = "xyz@realm.com" (344) Service-Type = Framed-User (344) Cisco-AVPair = "service-type=Framed" (344) Framed-MTU = 1485 (344) EAP-Message = 0x020600061900 (344) Message-Authenticator = 0x394892b01209a11839df9ea01ffeffc0 (344) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (344) Cisco-AVPair = "method=dot1x" (344) Cisco-AVPair = "client-iif-id=2499807523" (344) Cisco-AVPair = "vlan-id=1876" (344) NAS-IP-Address = 130.92.42.15 (344) NAS-Port-Type = Wireless-802.11 (344) NAS-Port = 4211 (344) State = 0x0141131105470af2159d1101103ebc16 (344) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (344) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (344) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (344) Calling-Station-Id = "22-e0-73-f2-50-23" (344) Airespace-Wlan-Id = 98 (344) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (344) WLAN-Group-Cipher = 1027076 (344) WLAN-Pairwise-Cipher = 1027076 (344) WLAN-AKM-Suite = 1027075 (344) Restoring &session-state (344) &session-state:Framed-MTU = 1014 (344) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (344) # Executing section authorize from file /etc/freeradius/sites-enabled/default (344) authorize { (344) policy rewrite_called_station_id { (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (344) update request { (344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (344) --> 60-B9-C0-04-C4-40 (344) &Called-Station-Id := 60-B9-C0-04-C4-40 (344) } # update request = noop (344) if ("%{8}") { (344) EXPAND %{8} (344) --> eduroam (344) if ("%{8}") -> TRUE (344) if ("%{8}") { (344) update request { (344) EXPAND %{8} (344) --> eduroam (344) &Called-Station-SSID := eduroam (344) EXPAND %{Called-Station-Id}:%{8} (344) --> 60-B9-C0-04-C4-40:eduroam (344) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (344) } # update request = noop (344) } # if ("%{8}") = noop (344) [updated] = updated (344) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (344) ... skipping else: Preceding "if" was taken (344) } # policy rewrite_called_station_id = updated (344) policy rewrite_calling_station_id { (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (344) update request { (344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (344) --> 22-E0-73-F2-50-23 (344) &Calling-Station-Id := 22-E0-73-F2-50-23 (344) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (344) --> 22:E0:73:F2:50:23 (344) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (344) } # update request = noop (344) [updated] = updated (344) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (344) ... skipping else: Preceding "if" was taken (344) } # policy rewrite_calling_station_id = updated (344) if (NAS-Identifier == "uvisrz0215.insel.ch") { (344) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (344) if (Service-Type == Call-Check) { (344) if (Service-Type == Call-Check) -> FALSE (344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (344) EXPAND Packet-Src-IP-Address (344) --> 130.92.42.15 (344) EXPAND Packet-Src-IP-Address (344) --> 130.92.42.15 (344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (344) if (EAP-Message) { (344) if (EAP-Message) -> TRUE (344) if (EAP-Message) { (344) policy filter_username { (344) if (&User-Name) { (344) if (&User-Name) -> TRUE (344) if (&User-Name) { (344) if (&User-Name =~ / /) { (344) if (&User-Name =~ / /) -> FALSE (344) if (&User-Name =~ /@[^@]*@/ ) { (344) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (344) if (&User-Name =~ /\.\./ ) { (344) if (&User-Name =~ /\.\./ ) -> FALSE (344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (344) if (&User-Name =~ /\.$/) { (344) if (&User-Name =~ /\.$/) -> FALSE (344) if (&User-Name =~ /@\./) { (344) if (&User-Name =~ /@\./) -> FALSE (344) } # if (&User-Name) = updated (344) } # policy filter_username = updated (344) suffix: Checking for suffix after "@" (344) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (344) suffix: Found realm "REALM.COM" (344) suffix: Adding Realm = "REALM.COM" (344) suffix: Authentication realm is LOCAL (344) [suffix] = ok (344) policy deny_no_realm { (344) if (User-Name && (User-Name !~ /@/)) { (344) if (User-Name && (User-Name !~ /@/)) -> FALSE (344) } # policy deny_no_realm = updated (344) update request { (344) EXPAND %{toupper:%{Realm}} (344) --> REALM.COM (344) Realm := REALM.COM (344) } # update request = noop (344) eap: Peer sent EAP Response (code 2) ID 6 length 6 (344) eap: Continuing tunnel setup (344) [eap] = ok (344) } # if (EAP-Message) = ok (344) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (344) } # authorize = updated (344) Found Auth-Type = eap (344) # Executing group from file /etc/freeradius/sites-enabled/default (344) Auth-Type eap { (344) eap: Removing EAP session with state 0x0141131105470af2 (344) eap: Previous EAP request found for state 0x0141131105470af2, released from the list (344) eap: Peer sent packet with method EAP PEAP (25) (344) eap: Calling submodule eap_peap to process data (344) eap_peap: (TLS) Peer ACKed our handshake fragment (344) eap: Sending EAP Request (code 1) ID 7 length 355 (344) eap: EAP session adding &reply:State = 0x0141131104460af2 (344) [eap] = handled (344) if (handled && (Response-Packet-Type == Access-Challenge)) { (344) EXPAND Response-Packet-Type (344) --> Access-Challenge (344) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (344) if (handled && (Response-Packet-Type == Access-Challenge)) { (344) attr_filter.access_challenge: EXPAND %{User-Name} (344) attr_filter.access_challenge: --> xyz@realm.com (344) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (344) [attr_filter.access_challenge.post-auth] = updated (344) [handled] = handled (344) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (344) } # Auth-Type eap = handled (344) Using Post-Auth-Type Challenge (344) Post-Auth-Type sub-section not found. Ignoring. (344) # Executing group from file /etc/freeradius/sites-enabled/default (344) session-state: Saving cached attributes (344) Framed-MTU = 1014 (344) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (344) Sent Access-Challenge Id 223 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415 (344) EAP-Message = 0x01070163190032b6160303014d0c000149030017410421b4816cdaa0edb2a7ee262c3b373cc7a69aeef94dc7c93d1498397a2f41152a1064075835b63105e3604c9282cfc3638bce1eef1b4f930102c7539dd714fb2e040101006fe58b29c51045ad338888932385ae6a78a1b5a392198df18af907424975763b6bf96876d3609e2538dd16e910ab32539bb337a659539ecdd3f7ca99acc6a1de17ec69fbd64da47839a7e265d4286311067bbefdeb333d87844c916e53bb5cfe26aea3bae7d58ffe17330ccdf61e8b2f425b30128275d5c5a39a84a5d01c2f569dfce9c341f402ef2635f02a2ccd901ee27231c291fe3cfbed92207fefd60eaec7aa7fb54f182d9ef86eff5ed32ecb762e50c366639a23665d5991bfbfc83f27ff21df56cd9af3e5dece4e42956217eaf080218422733ceef848877e3b4f2299df15dfc25a4f5b435f510229d83f4e91828ec3bdf2ee28578ffeb0a39d8d459216030300040e000000 (344) Message-Authenticator = 0x00000000000000000000000000000000 (344) State = 0x0141131104460af2159d1101103ebc16 (344) Finished request Waking up in 4.9 seconds. (345) Received Access-Request Id 231 from 130.92.42.15:60533 to 130.92.10.33:1812 length 571 (345) User-Name = "xyz@realm.com" (345) Service-Type = Framed-User (345) Cisco-AVPair = "service-type=Framed" (345) Framed-MTU = 1485 (345) EAP-Message = 0x0207008819800000007e1603030046100000424104b76edd3264c4b2f971dabd1fb7c02951f64b4ce9fbae8a473198e5810e39a81e2c73c6755d1f1b31ee93a7df1d1b521c9aab988df46c0d334544c1703cffa02514030300010116030300289fbd8407fe6333ba5788a04d42ae35912e9ff891a0be9b8ab3744847434c371ca199fdb89ae2abbb (345) Message-Authenticator = 0xecc16c9bab6fe8444f01d6d5b0dfc951 (345) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (345) Cisco-AVPair = "method=dot1x" (345) Cisco-AVPair = "client-iif-id=2499807523" (345) Cisco-AVPair = "vlan-id=1876" (345) NAS-IP-Address = 130.92.42.15 (345) NAS-Port-Type = Wireless-802.11 (345) NAS-Port = 4211 (345) State = 0x0141131104460af2159d1101103ebc16 (345) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (345) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (345) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (345) Calling-Station-Id = "22-e0-73-f2-50-23" (345) Airespace-Wlan-Id = 98 (345) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (345) WLAN-Group-Cipher = 1027076 (345) WLAN-Pairwise-Cipher = 1027076 (345) WLAN-AKM-Suite = 1027075 (345) Restoring &session-state (345) &session-state:Framed-MTU = 1014 (345) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (345) # Executing section authorize from file /etc/freeradius/sites-enabled/default (345) authorize { (345) policy rewrite_called_station_id { (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (345) update request { (345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (345) --> 60-B9-C0-04-C4-40 (345) &Called-Station-Id := 60-B9-C0-04-C4-40 (345) } # update request = noop (345) if ("%{8}") { (345) EXPAND %{8} (345) --> eduroam (345) if ("%{8}") -> TRUE (345) if ("%{8}") { (345) update request { (345) EXPAND %{8} (345) --> eduroam (345) &Called-Station-SSID := eduroam (345) EXPAND %{Called-Station-Id}:%{8} (345) --> 60-B9-C0-04-C4-40:eduroam (345) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (345) } # update request = noop (345) } # if ("%{8}") = noop (345) [updated] = updated (345) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (345) ... skipping else: Preceding "if" was taken (345) } # policy rewrite_called_station_id = updated (345) policy rewrite_calling_station_id { (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (345) update request { (345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (345) --> 22-E0-73-F2-50-23 (345) &Calling-Station-Id := 22-E0-73-F2-50-23 (345) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (345) --> 22:E0:73:F2:50:23 (345) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (345) } # update request = noop (345) [updated] = updated (345) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (345) ... skipping else: Preceding "if" was taken (345) } # policy rewrite_calling_station_id = updated (345) if (NAS-Identifier == "uvisrz0215.insel.ch") { (345) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (345) if (Service-Type == Call-Check) { (345) if (Service-Type == Call-Check) -> FALSE (345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (345) EXPAND Packet-Src-IP-Address (345) --> 130.92.42.15 (345) EXPAND Packet-Src-IP-Address (345) --> 130.92.42.15 (345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (345) if (EAP-Message) { (345) if (EAP-Message) -> TRUE (345) if (EAP-Message) { (345) policy filter_username { (345) if (&User-Name) { (345) if (&User-Name) -> TRUE (345) if (&User-Name) { (345) if (&User-Name =~ / /) { (345) if (&User-Name =~ / /) -> FALSE (345) if (&User-Name =~ /@[^@]*@/ ) { (345) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (345) if (&User-Name =~ /\.\./ ) { (345) if (&User-Name =~ /\.\./ ) -> FALSE (345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (345) if (&User-Name =~ /\.$/) { (345) if (&User-Name =~ /\.$/) -> FALSE (345) if (&User-Name =~ /@\./) { (345) if (&User-Name =~ /@\./) -> FALSE (345) } # if (&User-Name) = updated (345) } # policy filter_username = updated (345) suffix: Checking for suffix after "@" (345) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (345) suffix: Found realm "REALM.COM" (345) suffix: Adding Realm = "REALM.COM" (345) suffix: Authentication realm is LOCAL (345) [suffix] = ok (345) policy deny_no_realm { (345) if (User-Name && (User-Name !~ /@/)) { (345) if (User-Name && (User-Name !~ /@/)) -> FALSE (345) } # policy deny_no_realm = updated (345) update request { (345) EXPAND %{toupper:%{Realm}} (345) --> REALM.COM (345) Realm := REALM.COM (345) } # update request = noop (345) eap: Peer sent EAP Response (code 2) ID 7 length 136 (345) eap: Continuing tunnel setup (345) [eap] = ok (345) } # if (EAP-Message) = ok (345) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (345) } # authorize = updated (345) Found Auth-Type = eap (345) # Executing group from file /etc/freeradius/sites-enabled/default (345) Auth-Type eap { (345) eap: Removing EAP session with state 0x0141131104460af2 (345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list (345) eap: Peer sent packet with method EAP PEAP (25) (345) eap: Calling submodule eap_peap to process data (345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (345) eap_peap: (TLS) EAP Got all data (126 bytes) (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (345) eap_peap: (TLS) PEAP - Connection Established (345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) eap_peap: TLS-Session-Version = "TLS 1.2" (345) eap: Sending EAP Request (code 1) ID 8 length 57 (345) eap: EAP session adding &reply:State = 0x0141131107490af2 (345) [eap] = handled (345) if (handled && (Response-Packet-Type == Access-Challenge)) { (345) EXPAND Response-Packet-Type (345) --> Access-Challenge (345) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (345) if (handled && (Response-Packet-Type == Access-Challenge)) { (345) attr_filter.access_challenge: EXPAND %{User-Name} (345) attr_filter.access_challenge: --> xyz@realm.com (345) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (345) [attr_filter.access_challenge.post-auth] = updated (345) [handled] = handled (345) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (345) } # Auth-Type eap = handled (345) Using Post-Auth-Type Challenge (345) Post-Auth-Type sub-section not found. Ignoring. (345) # Executing group from file /etc/freeradius/sites-enabled/default (345) session-state: Saving cached attributes (345) Framed-MTU = 1014 (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (345) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) TLS-Session-Version = "TLS 1.2" (345) Sent Access-Challenge Id 231 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115 (345) EAP-Message = 0x01080039190014030300010116030300288d6a1785e1a19b35bff8fec8a4a31fbf0d467203a7ab9d2d33327214fc49606596ea813ecf081d92 (345) Message-Authenticator = 0x00000000000000000000000000000000 (345) State = 0x0141131107490af2159d1101103ebc16 (345) Finished request Waking up in 4.9 seconds. (346) Received Access-Request Id 239 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (346) User-Name = "xyz@realm.com" (346) Service-Type = Framed-User (346) Cisco-AVPair = "service-type=Framed" (346) Framed-MTU = 1485 (346) EAP-Message = 0x020800061900 (346) Message-Authenticator = 0x12c8eb6838048f2a905991bcda9d9973 (346) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (346) Cisco-AVPair = "method=dot1x" (346) Cisco-AVPair = "client-iif-id=2499807523" (346) Cisco-AVPair = "vlan-id=1876" (346) NAS-IP-Address = 130.92.42.15 (346) NAS-Port-Type = Wireless-802.11 (346) NAS-Port = 4211 (346) State = 0x0141131107490af2159d1101103ebc16 (346) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (346) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (346) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (346) Calling-Station-Id = "22-e0-73-f2-50-23" (346) Airespace-Wlan-Id = 98 (346) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (346) WLAN-Group-Cipher = 1027076 (346) WLAN-Pairwise-Cipher = 1027076 (346) WLAN-AKM-Suite = 1027075 (346) Restoring &session-state (346) &session-state:Framed-MTU = 1014 (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (346) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (346) &session-state:TLS-Session-Version = "TLS 1.2" (346) # Executing section authorize from file /etc/freeradius/sites-enabled/default (346) authorize { (346) policy rewrite_called_station_id { (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (346) update request { (346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (346) --> 60-B9-C0-04-C4-40 (346) &Called-Station-Id := 60-B9-C0-04-C4-40 (346) } # update request = noop (346) if ("%{8}") { (346) EXPAND %{8} (346) --> eduroam (346) if ("%{8}") -> TRUE (346) if ("%{8}") { (346) update request { (346) EXPAND %{8} (346) --> eduroam (346) &Called-Station-SSID := eduroam (346) EXPAND %{Called-Station-Id}:%{8} (346) --> 60-B9-C0-04-C4-40:eduroam (346) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (346) } # update request = noop (346) } # if ("%{8}") = noop (346) [updated] = updated (346) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (346) ... skipping else: Preceding "if" was taken (346) } # policy rewrite_called_station_id = updated (346) policy rewrite_calling_station_id { (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (346) update request { (346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (346) --> 22-E0-73-F2-50-23 (346) &Calling-Station-Id := 22-E0-73-F2-50-23 (346) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (346) --> 22:E0:73:F2:50:23 (346) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (346) } # update request = noop (346) [updated] = updated (346) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (346) ... skipping else: Preceding "if" was taken (346) } # policy rewrite_calling_station_id = updated (346) if (NAS-Identifier == "uvisrz0215.insel.ch") { (346) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (346) if (Service-Type == Call-Check) { (346) if (Service-Type == Call-Check) -> FALSE (346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (346) EXPAND Packet-Src-IP-Address (346) --> 130.92.42.15 (346) EXPAND Packet-Src-IP-Address (346) --> 130.92.42.15 (346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (346) if (EAP-Message) { (346) if (EAP-Message) -> TRUE (346) if (EAP-Message) { (346) policy filter_username { (346) if (&User-Name) { (346) if (&User-Name) -> TRUE (346) if (&User-Name) { (346) if (&User-Name =~ / /) { (346) if (&User-Name =~ / /) -> FALSE (346) if (&User-Name =~ /@[^@]*@/ ) { (346) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (346) if (&User-Name =~ /\.\./ ) { (346) if (&User-Name =~ /\.\./ ) -> FALSE (346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (346) if (&User-Name =~ /\.$/) { (346) if (&User-Name =~ /\.$/) -> FALSE (346) if (&User-Name =~ /@\./) { (346) if (&User-Name =~ /@\./) -> FALSE (346) } # if (&User-Name) = updated (346) } # policy filter_username = updated (346) suffix: Checking for suffix after "@" (346) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (346) suffix: Found realm "REALM.COM" (346) suffix: Adding Realm = "REALM.COM" (346) suffix: Authentication realm is LOCAL (346) [suffix] = ok (346) policy deny_no_realm { (346) if (User-Name && (User-Name !~ /@/)) { (346) if (User-Name && (User-Name !~ /@/)) -> FALSE (346) } # policy deny_no_realm = updated (346) update request { (346) EXPAND %{toupper:%{Realm}} (346) --> REALM.COM (346) Realm := REALM.COM (346) } # update request = noop (346) eap: Peer sent EAP Response (code 2) ID 8 length 6 (346) eap: Continuing tunnel setup (346) [eap] = ok (346) } # if (EAP-Message) = ok (346) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (346) } # authorize = updated (346) Found Auth-Type = eap (346) # Executing group from file /etc/freeradius/sites-enabled/default (346) Auth-Type eap { (346) eap: Removing EAP session with state 0x0141131107490af2 (346) eap: Previous EAP request found for state 0x0141131107490af2, released from the list (346) eap: Peer sent packet with method EAP PEAP (25) (346) eap: Calling submodule eap_peap to process data (346) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (346) eap_peap: Session established. Decoding tunneled attributes (346) eap_peap: PEAP state TUNNEL ESTABLISHED (346) eap: Sending EAP Request (code 1) ID 9 length 40 (346) eap: EAP session adding &reply:State = 0x0141131106480af2 (346) [eap] = handled (346) if (handled && (Response-Packet-Type == Access-Challenge)) { (346) EXPAND Response-Packet-Type (346) --> Access-Challenge (346) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (346) if (handled && (Response-Packet-Type == Access-Challenge)) { (346) attr_filter.access_challenge: EXPAND %{User-Name} (346) attr_filter.access_challenge: --> xyz@realm.com (346) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (346) [attr_filter.access_challenge.post-auth] = updated (346) [handled] = handled (346) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (346) } # Auth-Type eap = handled (346) Using Post-Auth-Type Challenge (346) Post-Auth-Type sub-section not found. Ignoring. (346) # Executing group from file /etc/freeradius/sites-enabled/default (346) session-state: Saving cached attributes (346) Framed-MTU = 1014 (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (346) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (346) TLS-Session-Version = "TLS 1.2" (346) Sent Access-Challenge Id 239 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98 (346) EAP-Message = 0x010900281900170303001d8d6a1785e1a19b362ccd5b26197e5b168640ab6ed2e41351d039e42e6d (346) Message-Authenticator = 0x00000000000000000000000000000000 (346) State = 0x0141131106480af2159d1101103ebc16 (346) Finished request Waking up in 4.9 seconds. (347) Received Access-Request Id 247 from 130.92.42.15:60533 to 130.92.10.33:1812 length 495 (347) User-Name = "xyz@realm.com" (347) Service-Type = Framed-User (347) Cisco-AVPair = "service-type=Framed" (347) Framed-MTU = 1485 (347) EAP-Message = 0x0209003c190017030300319fbd8407fe6333bb244303616d5739594b13084b45f58810139d95bebfe0725dc0e87e9ce011682f4a68abecc457950423 (347) Message-Authenticator = 0xf21f9a5269c36daa7990d70408a1880d (347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) Cisco-AVPair = "method=dot1x" (347) Cisco-AVPair = "client-iif-id=2499807523" (347) Cisco-AVPair = "vlan-id=1876" (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) NAS-Port = 4211 (347) State = 0x0141131106480af2159d1101103ebc16 (347) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (347) Calling-Station-Id = "22-e0-73-f2-50-23" (347) Airespace-Wlan-Id = 98 (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) WLAN-Group-Cipher = 1027076 (347) WLAN-Pairwise-Cipher = 1027076 (347) WLAN-AKM-Suite = 1027075 (347) Restoring &session-state (347) &session-state:Framed-MTU = 1014 (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (347) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (347) &session-state:TLS-Session-Version = "TLS 1.2" (347) # Executing section authorize from file /etc/freeradius/sites-enabled/default (347) authorize { (347) policy rewrite_called_station_id { (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (347) update request { (347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (347) --> 60-B9-C0-04-C4-40 (347) &Called-Station-Id := 60-B9-C0-04-C4-40 (347) } # update request = noop (347) if ("%{8}") { (347) EXPAND %{8} (347) --> eduroam (347) if ("%{8}") -> TRUE (347) if ("%{8}") { (347) update request { (347) EXPAND %{8} (347) --> eduroam (347) &Called-Station-SSID := eduroam (347) EXPAND %{Called-Station-Id}:%{8} (347) --> 60-B9-C0-04-C4-40:eduroam (347) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (347) } # update request = noop (347) } # if ("%{8}") = noop (347) [updated] = updated (347) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (347) ... skipping else: Preceding "if" was taken (347) } # policy rewrite_called_station_id = updated (347) policy rewrite_calling_station_id { (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (347) update request { (347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (347) --> 22-E0-73-F2-50-23 (347) &Calling-Station-Id := 22-E0-73-F2-50-23 (347) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (347) --> 22:E0:73:F2:50:23 (347) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (347) } # update request = noop (347) [updated] = updated (347) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (347) ... skipping else: Preceding "if" was taken (347) } # policy rewrite_calling_station_id = updated (347) if (NAS-Identifier == "uvisrz0215.insel.ch") { (347) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (347) if (Service-Type == Call-Check) { (347) if (Service-Type == Call-Check) -> FALSE (347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (347) EXPAND Packet-Src-IP-Address (347) --> 130.92.42.15 (347) EXPAND Packet-Src-IP-Address (347) --> 130.92.42.15 (347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (347) if (EAP-Message) { (347) if (EAP-Message) -> TRUE (347) if (EAP-Message) { (347) policy filter_username { (347) if (&User-Name) { (347) if (&User-Name) -> TRUE (347) if (&User-Name) { (347) if (&User-Name =~ / /) { (347) if (&User-Name =~ / /) -> FALSE (347) if (&User-Name =~ /@[^@]*@/ ) { (347) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (347) if (&User-Name =~ /\.\./ ) { (347) if (&User-Name =~ /\.\./ ) -> FALSE (347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (347) if (&User-Name =~ /\.$/) { (347) if (&User-Name =~ /\.$/) -> FALSE (347) if (&User-Name =~ /@\./) { (347) if (&User-Name =~ /@\./) -> FALSE (347) } # if (&User-Name) = updated (347) } # policy filter_username = updated (347) suffix: Checking for suffix after "@" (347) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (347) suffix: Found realm "REALM.COM" (347) suffix: Adding Realm = "REALM.COM" (347) suffix: Authentication realm is LOCAL (347) [suffix] = ok (347) policy deny_no_realm { (347) if (User-Name && (User-Name !~ /@/)) { (347) if (User-Name && (User-Name !~ /@/)) -> FALSE (347) } # policy deny_no_realm = updated (347) update request { (347) EXPAND %{toupper:%{Realm}} (347) --> REALM.COM (347) Realm := REALM.COM (347) } # update request = noop (347) eap: Peer sent EAP Response (code 2) ID 9 length 60 (347) eap: Continuing tunnel setup (347) [eap] = ok (347) } # if (EAP-Message) = ok (347) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (347) } # authorize = updated (347) Found Auth-Type = eap (347) # Executing group from file /etc/freeradius/sites-enabled/default (347) Auth-Type eap { (347) eap: Removing EAP session with state 0x0141131106480af2 (347) eap: Previous EAP request found for state 0x0141131106480af2, released from the list (347) eap: Peer sent packet with method EAP PEAP (25) (347) eap: Calling submodule eap_peap to process data (347) eap_peap: (TLS) EAP Done initial handshake (347) eap_peap: Session established. Decoding tunneled attributes (347) eap_peap: PEAP state WAITING FOR INNER IDENTITY (347) eap_peap: Identity - xyz@realm.com (347) eap_peap: Got inner identity 'xyz@realm.com' (347) eap_peap: Setting default EAP type for tunneled EAP session (347) eap_peap: Got tunneled request (347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) eap_peap: Setting User-Name to xyz@realm.com (347) eap_peap: Sending tunneled request to proxy-inner-tunnel (347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (347) eap_peap: User-Name = "xyz@realm.com" (347) eap_peap: Service-Type = Framed-User (347) eap_peap: Cisco-AVPair = "service-type=Framed" (347) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) eap_peap: Cisco-AVPair = "method=dot1x" (347) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (347) eap_peap: Cisco-AVPair = "vlan-id=1876" (347) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) eap_peap: Framed-MTU = 1485 (347) eap_peap: NAS-IP-Address = 130.92.42.15 (347) eap_peap: NAS-Port-Type = Wireless-802.11 (347) eap_peap: NAS-Port = 4211 (347) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (347) eap_peap: Airespace-Wlan-Id = 98 (347) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) eap_peap: WLAN-Group-Cipher = 1027076 (347) eap_peap: WLAN-Pairwise-Cipher = 1027076 (347) eap_peap: WLAN-AKM-Suite = 1027075 (347) Virtual server proxy-inner-tunnel received request (347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) FreeRADIUS-Proxied-To = 127.0.0.1 (347) User-Name = "xyz@realm.com" (347) Service-Type = Framed-User (347) Cisco-AVPair = "service-type=Framed" (347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) Cisco-AVPair = "method=dot1x" (347) Cisco-AVPair = "client-iif-id=2499807523" (347) Cisco-AVPair = "vlan-id=1876" (347) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) Framed-MTU = 1485 (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) NAS-Port = 4211 (347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) Calling-Station-Id := "22-E0-73-F2-50-23" (347) Airespace-Wlan-Id = 98 (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) WLAN-Group-Cipher = 1027076 (347) WLAN-Pairwise-Cipher = 1027076 (347) WLAN-AKM-Suite = 1027075 (347) WARNING: Outer and inner identities are the same. User privacy is compromised. (347) server proxy-inner-tunnel { (347) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (347) authorize { (347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (347) if (!NAS-Port-Type){ (347) if (!NAS-Port-Type) -> FALSE (347) update control { (347) &Proxy-To-Realm := REALM-NPS-DEV (347) } # update control = noop (347) } # authorize = noop (347) } # server proxy-inner-tunnel (347) Virtual server sending reply (347) eap_peap: Got tunneled reply code 0 (347) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (347) eap: WARNING: Tunneled session will be proxied. Not doing EAP (347) [eap] = handled (347) if (handled && (Response-Packet-Type == Access-Challenge)) { (347) EXPAND Response-Packet-Type (347) --> (347) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (347) } # Auth-Type eap = handled (347) Starting proxy to home server 130.92.14.27 port 1812 (347) server default { (347) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (347) pre-proxy { (347) attr_filter.pre-proxy: EXPAND %{Realm} (347) attr_filter.pre-proxy: --> REALM.COM (347) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (347) [attr_filter.pre-proxy] = updated (347) } # pre-proxy = updated (347) } (347) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (347) Sent Access-Request Id 91 from 0.0.0.0:37193 to 130.92.14.27:1812 length 196 (347) Operator-Name := "1realm.com" (347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) User-Name = "xyz@realm.com" (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) Calling-Station-Id := "22-E0-73-F2-50-23" (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) Message-Authenticator = 0x (347) Proxy-State = 0x323437 Waking up in 0.3 seconds. (347) Clearing existing &reply: attributes (347) Received Access-Challenge Id 91 from 130.92.14.27:1812 to 130.92.10.33:37193 length 128 (347) Proxy-State = 0x323437 (347) Session-Timeout = 60 (347) EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632 (347) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (347) Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca (347) server default { (347) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (347) post-proxy { (347) attr_filter.post-proxy: EXPAND %{Realm} (347) attr_filter.post-proxy: --> REALM.COM (347) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (347) [attr_filter.post-proxy] = updated (347) eap: Doing post-proxy callback (347) eap: Passing reply from proxy back into the tunnel (347) eap: Got tunneled reply RADIUS code 11 (347) eap: Tunnel-Type := VLAN (347) eap: Tunnel-Medium-Type := IEEE-802 (347) eap: Proxy-State = 0x323437 (347) eap: EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632 (347) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (347) eap: Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca (347) eap: Got tunneled Access-Challenge (347) eap: Reply was handled (347) eap: Sending EAP Request (code 1) ID 10 length 70 (347) eap: EAP session adding &reply:State = 0x01411311094b0af2 (347) [eap] = ok (347) } # post-proxy = updated (347) } (347) session-state: Saving cached attributes (347) Framed-MTU = 1014 (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (347) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (347) TLS-Session-Version = "TLS 1.2" (347) Using Post-Auth-Type Challenge (347) Post-Auth-Type sub-section not found. Ignoring. (347) # Executing group from file /etc/freeradius/sites-enabled/default (347) Sent Access-Challenge Id 247 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128 (347) EAP-Message = 0x010a00461900170303003b8d6a1785e1a19b37d483644693f104a84978c79786ed2017cad5c263338a244716a02d702b4c15fb010aa386a8a1fd7beabedc25d128d0afb3766c (347) Message-Authenticator = 0x00000000000000000000000000000000 (347) State = 0x01411311094b0af2159d1101103ebc16 (347) Finished request Waking up in 4.8 seconds. (348) Received Access-Request Id 255 from 130.92.42.15:60533 to 130.92.10.33:1812 length 549 (348) User-Name = "xyz@realm.com" (348) Service-Type = Framed-User (348) Cisco-AVPair = "service-type=Framed" (348) Framed-MTU = 1485 (348) EAP-Message = 0x020a0072190017030300679fbd8407fe6333bca7d44d76b3ef3a225ccf9afdd164fe3f7aca7a7d0792abb9534fccfd07c307bee27d438c8396764c73587b33e49063fb07b7d02e49397b5732d6f62ab9934ca0d4414429928983334962453caa57e0e30107e514cab265c4f4f195780b48d8 (348) Message-Authenticator = 0x25e0d4d954b8d943b65166834e832a36 (348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) Cisco-AVPair = "method=dot1x" (348) Cisco-AVPair = "client-iif-id=2499807523" (348) Cisco-AVPair = "vlan-id=1876" (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) NAS-Port = 4211 (348) State = 0x01411311094b0af2159d1101103ebc16 (348) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (348) Calling-Station-Id = "22-e0-73-f2-50-23" (348) Airespace-Wlan-Id = 98 (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) WLAN-Group-Cipher = 1027076 (348) WLAN-Pairwise-Cipher = 1027076 (348) WLAN-AKM-Suite = 1027075 (348) session-state: No cached attributes (348) # Executing section authorize from file /etc/freeradius/sites-enabled/default (348) authorize { (348) policy rewrite_called_station_id { (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (348) update request { (348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (348) --> 60-B9-C0-04-C4-40 (348) &Called-Station-Id := 60-B9-C0-04-C4-40 (348) } # update request = noop (348) if ("%{8}") { (348) EXPAND %{8} (348) --> eduroam (348) if ("%{8}") -> TRUE (348) if ("%{8}") { (348) update request { (348) EXPAND %{8} (348) --> eduroam (348) &Called-Station-SSID := eduroam (348) EXPAND %{Called-Station-Id}:%{8} (348) --> 60-B9-C0-04-C4-40:eduroam (348) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (348) } # update request = noop (348) } # if ("%{8}") = noop (348) [updated] = updated (348) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (348) ... skipping else: Preceding "if" was taken (348) } # policy rewrite_called_station_id = updated (348) policy rewrite_calling_station_id { (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (348) update request { (348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (348) --> 22-E0-73-F2-50-23 (348) &Calling-Station-Id := 22-E0-73-F2-50-23 (348) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (348) --> 22:E0:73:F2:50:23 (348) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (348) } # update request = noop (348) [updated] = updated (348) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (348) ... skipping else: Preceding "if" was taken (348) } # policy rewrite_calling_station_id = updated (348) if (NAS-Identifier == "uvisrz0215.insel.ch") { (348) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (348) if (Service-Type == Call-Check) { (348) if (Service-Type == Call-Check) -> FALSE (348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (348) EXPAND Packet-Src-IP-Address (348) --> 130.92.42.15 (348) EXPAND Packet-Src-IP-Address (348) --> 130.92.42.15 (348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (348) if (EAP-Message) { (348) if (EAP-Message) -> TRUE (348) if (EAP-Message) { (348) policy filter_username { (348) if (&User-Name) { (348) if (&User-Name) -> TRUE (348) if (&User-Name) { (348) if (&User-Name =~ / /) { (348) if (&User-Name =~ / /) -> FALSE (348) if (&User-Name =~ /@[^@]*@/ ) { (348) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (348) if (&User-Name =~ /\.\./ ) { (348) if (&User-Name =~ /\.\./ ) -> FALSE (348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (348) if (&User-Name =~ /\.$/) { (348) if (&User-Name =~ /\.$/) -> FALSE (348) if (&User-Name =~ /@\./) { (348) if (&User-Name =~ /@\./) -> FALSE (348) } # if (&User-Name) = updated (348) } # policy filter_username = updated (348) suffix: Checking for suffix after "@" (348) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (348) suffix: Found realm "REALM.COM" (348) suffix: Adding Realm = "REALM.COM" (348) suffix: Authentication realm is LOCAL (348) [suffix] = ok (348) policy deny_no_realm { (348) if (User-Name && (User-Name !~ /@/)) { (348) if (User-Name && (User-Name !~ /@/)) -> FALSE (348) } # policy deny_no_realm = updated (348) update request { (348) EXPAND %{toupper:%{Realm}} (348) --> REALM.COM (348) Realm := REALM.COM (348) } # update request = noop (348) eap: Peer sent EAP Response (code 2) ID 10 length 114 (348) eap: Continuing tunnel setup (348) [eap] = ok (348) } # if (EAP-Message) = ok (348) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (348) } # authorize = updated (348) Found Auth-Type = eap (348) # Executing group from file /etc/freeradius/sites-enabled/default (348) Auth-Type eap { (348) eap: Removing EAP session with state 0x01411311094b0af2 (348) eap: Previous EAP request found for state 0x01411311094b0af2, released from the list (348) eap: Peer sent packet with method EAP PEAP (25) (348) eap: Calling submodule eap_peap to process data (348) eap_peap: (TLS) EAP Done initial handshake (348) eap_peap: Session established. Decoding tunneled attributes (348) eap_peap: PEAP state phase2 (348) eap_peap: EAP method MSCHAPv2 (26) (348) eap_peap: Got tunneled request (348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) eap_peap: Setting User-Name to xyz@realm.com (348) eap_peap: Sending tunneled request to proxy-inner-tunnel (348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (348) eap_peap: User-Name = "xyz@realm.com" (348) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) eap_peap: Service-Type = Framed-User (348) eap_peap: Cisco-AVPair = "service-type=Framed" (348) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) eap_peap: Cisco-AVPair = "method=dot1x" (348) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (348) eap_peap: Cisco-AVPair = "vlan-id=1876" (348) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) eap_peap: Framed-MTU = 1485 (348) eap_peap: NAS-IP-Address = 130.92.42.15 (348) eap_peap: NAS-Port-Type = Wireless-802.11 (348) eap_peap: NAS-Port = 4211 (348) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (348) eap_peap: Airespace-Wlan-Id = 98 (348) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) eap_peap: WLAN-Group-Cipher = 1027076 (348) eap_peap: WLAN-Pairwise-Cipher = 1027076 (348) eap_peap: WLAN-AKM-Suite = 1027075 (348) Virtual server proxy-inner-tunnel received request (348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) FreeRADIUS-Proxied-To = 127.0.0.1 (348) User-Name = "xyz@realm.com" (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) Service-Type = Framed-User (348) Cisco-AVPair = "service-type=Framed" (348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) Cisco-AVPair = "method=dot1x" (348) Cisco-AVPair = "client-iif-id=2499807523" (348) Cisco-AVPair = "vlan-id=1876" (348) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) Framed-MTU = 1485 (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) NAS-Port = 4211 (348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) Calling-Station-Id := "22-E0-73-F2-50-23" (348) Airespace-Wlan-Id = 98 (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) WLAN-Group-Cipher = 1027076 (348) WLAN-Pairwise-Cipher = 1027076 (348) WLAN-AKM-Suite = 1027075 (348) WARNING: Outer and inner identities are the same. User privacy is compromised. (348) server proxy-inner-tunnel { (348) session-state: No cached attributes (348) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (348) authorize { (348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (348) if (!NAS-Port-Type){ (348) if (!NAS-Port-Type) -> FALSE (348) update control { (348) &Proxy-To-Realm := REALM-NPS-DEV (348) } # update control = noop (348) } # authorize = noop (348) } # server proxy-inner-tunnel (348) Virtual server sending reply (348) eap_peap: Got tunneled reply code 0 (348) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (348) eap: WARNING: Tunneled session will be proxied. Not doing EAP (348) [eap] = handled (348) if (handled && (Response-Packet-Type == Access-Challenge)) { (348) EXPAND Response-Packet-Type (348) --> (348) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (348) } # Auth-Type eap = handled (348) Starting proxy to home server 130.92.14.27 port 1812 (348) server default { (348) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (348) pre-proxy { (348) attr_filter.pre-proxy: EXPAND %{Realm} (348) attr_filter.pre-proxy: --> REALM.COM (348) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (348) [attr_filter.pre-proxy] = updated (348) } # pre-proxy = updated (348) } (348) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (348) Sent Access-Request Id 92 from 0.0.0.0:37193 to 130.92.14.27:1812 length 288 (348) Operator-Name := "1realm.com" (348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) User-Name = "xyz@realm.com" (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) Calling-Station-Id := "22-E0-73-F2-50-23" (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) Message-Authenticator = 0x (348) Proxy-State = 0x323535 Waking up in 0.3 seconds. (348) Clearing existing &reply: attributes (348) Received Access-Challenge Id 92 from 130.92.14.27:1812 to 130.92.10.33:37193 length 140 (348) Proxy-State = 0x323535 (348) Session-Timeout = 60 (348) EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4 (348) server default { (348) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (348) post-proxy { (348) attr_filter.post-proxy: EXPAND %{Realm} (348) attr_filter.post-proxy: --> REALM.COM (348) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (348) [attr_filter.post-proxy] = updated (348) eap: Doing post-proxy callback (348) eap: Passing reply from proxy back into the tunnel (348) eap: Got tunneled reply RADIUS code 11 (348) eap: Tunnel-Type := VLAN (348) eap: Tunnel-Medium-Type := IEEE-802 (348) eap: Proxy-State = 0x323535 (348) eap: EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (348) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) eap: Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4 (348) eap: Got tunneled Access-Challenge (348) eap: Reply was handled (348) eap: Sending EAP Request (code 1) ID 11 length 82 (348) eap: EAP session adding &reply:State = 0x01411311084a0af2 (348) [eap] = ok (348) } # post-proxy = updated (348) } (348) Using Post-Auth-Type Challenge (348) Post-Auth-Type sub-section not found. Ignoring. (348) # Executing group from file /etc/freeradius/sites-enabled/default (348) Sent Access-Challenge Id 255 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140 (348) EAP-Message = 0x010b0052190017030300478d6a1785e1a19b384663d2dc91a1711cef1cb261daa2d4f19a156ca5f8155de69d5c25047974eebe1486ff1d7ad9a76afc7779361d7f5154712c2ec1f6e23de87e74b5a4458758 (348) Message-Authenticator = 0x00000000000000000000000000000000 (348) State = 0x01411311084a0af2159d1101103ebc16 (348) Finished request Waking up in 4.8 seconds. (349) Received Access-Request Id 7 from 130.92.42.15:60533 to 130.92.10.33:1812 length 472 (349) User-Name = "xyz@realm.com" (349) Service-Type = Framed-User (349) Cisco-AVPair = "service-type=Framed" (349) Framed-MTU = 1485 (349) EAP-Message = 0x020b00251900170303001a9fbd8407fe6333bdb6025139e3938bde3390d04c688d35ac81f6 (349) Message-Authenticator = 0xc8367c81169c032270223b7b0ea1ee2a (349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) Cisco-AVPair = "method=dot1x" (349) Cisco-AVPair = "client-iif-id=2499807523" (349) Cisco-AVPair = "vlan-id=1876" (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) NAS-Port = 4211 (349) State = 0x01411311084a0af2159d1101103ebc16 (349) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (349) Calling-Station-Id = "22-e0-73-f2-50-23" (349) Airespace-Wlan-Id = 98 (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) WLAN-Group-Cipher = 1027076 (349) WLAN-Pairwise-Cipher = 1027076 (349) WLAN-AKM-Suite = 1027075 (349) session-state: No cached attributes (349) # Executing section authorize from file /etc/freeradius/sites-enabled/default (349) authorize { (349) policy rewrite_called_station_id { (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (349) update request { (349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (349) --> 60-B9-C0-04-C4-40 (349) &Called-Station-Id := 60-B9-C0-04-C4-40 (349) } # update request = noop (349) if ("%{8}") { (349) EXPAND %{8} (349) --> eduroam (349) if ("%{8}") -> TRUE (349) if ("%{8}") { (349) update request { (349) EXPAND %{8} (349) --> eduroam (349) &Called-Station-SSID := eduroam (349) EXPAND %{Called-Station-Id}:%{8} (349) --> 60-B9-C0-04-C4-40:eduroam (349) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (349) } # update request = noop (349) } # if ("%{8}") = noop (349) [updated] = updated (349) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (349) ... skipping else: Preceding "if" was taken (349) } # policy rewrite_called_station_id = updated (349) policy rewrite_calling_station_id { (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (349) update request { (349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (349) --> 22-E0-73-F2-50-23 (349) &Calling-Station-Id := 22-E0-73-F2-50-23 (349) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (349) --> 22:E0:73:F2:50:23 (349) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (349) } # update request = noop (349) [updated] = updated (349) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (349) ... skipping else: Preceding "if" was taken (349) } # policy rewrite_calling_station_id = updated (349) if (NAS-Identifier == "uvisrz0215.insel.ch") { (349) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (349) if (Service-Type == Call-Check) { (349) if (Service-Type == Call-Check) -> FALSE (349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (349) EXPAND Packet-Src-IP-Address (349) --> 130.92.42.15 (349) EXPAND Packet-Src-IP-Address (349) --> 130.92.42.15 (349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (349) if (EAP-Message) { (349) if (EAP-Message) -> TRUE (349) if (EAP-Message) { (349) policy filter_username { (349) if (&User-Name) { (349) if (&User-Name) -> TRUE (349) if (&User-Name) { (349) if (&User-Name =~ / /) { (349) if (&User-Name =~ / /) -> FALSE (349) if (&User-Name =~ /@[^@]*@/ ) { (349) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (349) if (&User-Name =~ /\.\./ ) { (349) if (&User-Name =~ /\.\./ ) -> FALSE (349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (349) if (&User-Name =~ /\.$/) { (349) if (&User-Name =~ /\.$/) -> FALSE (349) if (&User-Name =~ /@\./) { (349) if (&User-Name =~ /@\./) -> FALSE (349) } # if (&User-Name) = updated (349) } # policy filter_username = updated (349) suffix: Checking for suffix after "@" (349) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (349) suffix: Found realm "REALM.COM" (349) suffix: Adding Realm = "REALM.COM" (349) suffix: Authentication realm is LOCAL (349) [suffix] = ok (349) policy deny_no_realm { (349) if (User-Name && (User-Name !~ /@/)) { (349) if (User-Name && (User-Name !~ /@/)) -> FALSE (349) } # policy deny_no_realm = updated (349) update request { (349) EXPAND %{toupper:%{Realm}} (349) --> REALM.COM (349) Realm := REALM.COM (349) } # update request = noop (349) eap: Peer sent EAP Response (code 2) ID 11 length 37 (349) eap: Continuing tunnel setup (349) [eap] = ok (349) } # if (EAP-Message) = ok (349) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (349) } # authorize = updated (349) Found Auth-Type = eap (349) # Executing group from file /etc/freeradius/sites-enabled/default (349) Auth-Type eap { (349) eap: Removing EAP session with state 0x01411311084a0af2 (349) eap: Previous EAP request found for state 0x01411311084a0af2, released from the list (349) eap: Peer sent packet with method EAP PEAP (25) (349) eap: Calling submodule eap_peap to process data (349) eap_peap: (TLS) EAP Done initial handshake (349) eap_peap: Session established. Decoding tunneled attributes (349) eap_peap: PEAP state phase2 (349) eap_peap: EAP method MSCHAPv2 (26) (349) eap_peap: Got tunneled request (349) eap_peap: EAP-Message = 0x020b00061a03 (349) eap_peap: Setting User-Name to xyz@realm.com (349) eap_peap: Sending tunneled request to proxy-inner-tunnel (349) eap_peap: EAP-Message = 0x020b00061a03 (349) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (349) eap_peap: User-Name = "xyz@realm.com" (349) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) eap_peap: Service-Type = Framed-User (349) eap_peap: Cisco-AVPair = "service-type=Framed" (349) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) eap_peap: Cisco-AVPair = "method=dot1x" (349) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (349) eap_peap: Cisco-AVPair = "vlan-id=1876" (349) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) eap_peap: Framed-MTU = 1485 (349) eap_peap: NAS-IP-Address = 130.92.42.15 (349) eap_peap: NAS-Port-Type = Wireless-802.11 (349) eap_peap: NAS-Port = 4211 (349) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (349) eap_peap: Airespace-Wlan-Id = 98 (349) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) eap_peap: WLAN-Group-Cipher = 1027076 (349) eap_peap: WLAN-Pairwise-Cipher = 1027076 (349) eap_peap: WLAN-AKM-Suite = 1027075 (349) Virtual server proxy-inner-tunnel received request (349) EAP-Message = 0x020b00061a03 (349) FreeRADIUS-Proxied-To = 127.0.0.1 (349) User-Name = "xyz@realm.com" (349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) Service-Type = Framed-User (349) Cisco-AVPair = "service-type=Framed" (349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) Cisco-AVPair = "method=dot1x" (349) Cisco-AVPair = "client-iif-id=2499807523" (349) Cisco-AVPair = "vlan-id=1876" (349) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) Framed-MTU = 1485 (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) NAS-Port = 4211 (349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) Calling-Station-Id := "22-E0-73-F2-50-23" (349) Airespace-Wlan-Id = 98 (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) WLAN-Group-Cipher = 1027076 (349) WLAN-Pairwise-Cipher = 1027076 (349) WLAN-AKM-Suite = 1027075 (349) WARNING: Outer and inner identities are the same. User privacy is compromised. (349) server proxy-inner-tunnel { (349) session-state: No cached attributes (349) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (349) authorize { (349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (349) if (!NAS-Port-Type){ (349) if (!NAS-Port-Type) -> FALSE (349) update control { (349) &Proxy-To-Realm := REALM-NPS-DEV (349) } # update control = noop (349) } # authorize = noop (349) } # server proxy-inner-tunnel (349) Virtual server sending reply (349) eap_peap: Got tunneled reply code 0 (349) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (349) eap: WARNING: Tunneled session will be proxied. Not doing EAP (349) [eap] = handled (349) if (handled && (Response-Packet-Type == Access-Challenge)) { (349) EXPAND Response-Packet-Type (349) --> (349) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (349) } # Auth-Type eap = handled (349) Starting proxy to home server 130.92.14.27 port 1812 (349) server default { (349) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (349) pre-proxy { (349) attr_filter.pre-proxy: EXPAND %{Realm} (349) attr_filter.pre-proxy: --> REALM.COM (349) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (349) [attr_filter.pre-proxy] = updated (349) } # pre-proxy = updated (349) } (349) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (349) Sent Access-Request Id 93 from 0.0.0.0:37193 to 130.92.14.27:1812 length 209 (349) Operator-Name := "1realm.com" (349) EAP-Message = 0x020b00061a03 (349) User-Name = "xyz@realm.com" (349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) Calling-Station-Id := "22-E0-73-F2-50-23" (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) Message-Authenticator = 0x (349) Proxy-State = 0x37 Waking up in 0.3 seconds. (349) Clearing existing &reply: attributes (349) Received Access-Accept Id 93 from 130.92.14.27:1812 to 130.92.10.33:37193 length 287 (349) Proxy-State = 0x37 (349) Class = 0x7374616666 (349) Filter-Id = "staff" (349) Framed-Protocol = PPP (349) Service-Type = Framed-User (349) Tunnel-Medium-Type:0 = IEEE-802 (349) Tunnel-Private-Group-Id:0 = "1874" (349) Tunnel-Type:0 = VLAN (349) EAP-Message = 0x030b0004 (349) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (349) MS-CHAP-Domain = "\001CAMPUS" (349) MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3 (349) MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca (349) MS-CHAP2-Success = 0x01533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (349) Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18 (349) server default { (349) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (349) post-proxy { (349) attr_filter.post-proxy: EXPAND %{Realm} (349) attr_filter.post-proxy: --> REALM.COM (349) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (349) [attr_filter.post-proxy] = updated (349) eap: Doing post-proxy callback (349) eap: Passing reply from proxy back into the tunnel (349) eap: Got tunneled reply RADIUS code 2 (349) eap: Tunnel-Type := VLAN (349) eap: Tunnel-Medium-Type := IEEE-802 (349) eap: Proxy-State = 0x37 (349) eap: Class = 0x7374616666 (349) eap: Filter-Id = "staff" (349) eap: Tunnel-Private-Group-Id:0 = "1874" (349) eap: EAP-Message = 0x030b0004 (349) eap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (349) eap: MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3 (349) eap: MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca (349) eap: Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18 (349) eap: Tunneled authentication was successful (349) eap: SUCCESS (349) eap: Saving tunneled attributes for later (349) eap: Reply was handled (349) eap: Sending EAP Request (code 1) ID 12 length 46 (349) eap: EAP session adding &reply:State = 0x014113110b4d0af2 (349) [eap] = ok (349) } # post-proxy = updated (349) } (349) Using Post-Auth-Type Challenge (349) Post-Auth-Type sub-section not found. Ignoring. (349) # Executing group from file /etc/freeradius/sites-enabled/default (349) Sent Access-Challenge Id 7 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104 (349) EAP-Message = 0x010c002e190017030300238d6a1785e1a19b39b83c8d767db1a51679cc1ecabf6acedb8a2758d5b5f3203674984e (349) Message-Authenticator = 0x00000000000000000000000000000000 (349) State = 0x014113110b4d0af2159d1101103ebc16 (349) Finished request Waking up in 4.8 seconds. (350) Received Access-Request Id 15 from 130.92.42.15:60533 to 130.92.10.33:1812 length 481 (350) User-Name = "xyz@realm.com" (350) Service-Type = Framed-User (350) Cisco-AVPair = "service-type=Framed" (350) Framed-MTU = 1485 (350) EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244 (350) Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c (350) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (350) Cisco-AVPair = "method=dot1x" (350) Cisco-AVPair = "client-iif-id=2499807523" (350) Cisco-AVPair = "vlan-id=1876" (350) NAS-IP-Address = 130.92.42.15 (350) NAS-Port-Type = Wireless-802.11 (350) NAS-Port = 4211 (350) State = 0x014113110b4d0af2159d1101103ebc16 (350) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (350) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (350) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (350) Calling-Station-Id = "22-e0-73-f2-50-23" (350) Airespace-Wlan-Id = 98 (350) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (350) WLAN-Group-Cipher = 1027076 (350) WLAN-Pairwise-Cipher = 1027076 (350) WLAN-AKM-Suite = 1027075 (350) session-state: No cached attributes (350) # Executing section authorize from file /etc/freeradius/sites-enabled/default (350) authorize { (350) policy rewrite_called_station_id { (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (350) update request { (350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (350) --> 60-B9-C0-04-C4-40 (350) &Called-Station-Id := 60-B9-C0-04-C4-40 (350) } # update request = noop (350) if ("%{8}") { (350) EXPAND %{8} (350) --> eduroam (350) if ("%{8}") -> TRUE (350) if ("%{8}") { (350) update request { (350) EXPAND %{8} (350) --> eduroam (350) &Called-Station-SSID := eduroam (350) EXPAND %{Called-Station-Id}:%{8} (350) --> 60-B9-C0-04-C4-40:eduroam (350) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (350) } # update request = noop (350) } # if ("%{8}") = noop (350) [updated] = updated (350) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (350) ... skipping else: Preceding "if" was taken (350) } # policy rewrite_called_station_id = updated (350) policy rewrite_calling_station_id { (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (350) update request { (350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (350) --> 22-E0-73-F2-50-23 (350) &Calling-Station-Id := 22-E0-73-F2-50-23 (350) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (350) --> 22:E0:73:F2:50:23 (350) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (350) } # update request = noop (350) [updated] = updated (350) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (350) ... skipping else: Preceding "if" was taken (350) } # policy rewrite_calling_station_id = updated (350) if (NAS-Identifier == "uvisrz0215.insel.ch") { (350) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (350) if (Service-Type == Call-Check) { (350) if (Service-Type == Call-Check) -> FALSE (350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (350) EXPAND Packet-Src-IP-Address (350) --> 130.92.42.15 (350) EXPAND Packet-Src-IP-Address (350) --> 130.92.42.15 (350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (350) if (EAP-Message) { (350) if (EAP-Message) -> TRUE (350) if (EAP-Message) { (350) policy filter_username { (350) if (&User-Name) { (350) if (&User-Name) -> TRUE (350) if (&User-Name) { (350) if (&User-Name =~ / /) { (350) if (&User-Name =~ / /) -> FALSE (350) if (&User-Name =~ /@[^@]*@/ ) { (350) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (350) if (&User-Name =~ /\.\./ ) { (350) if (&User-Name =~ /\.\./ ) -> FALSE (350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (350) if (&User-Name =~ /\.$/) { (350) if (&User-Name =~ /\.$/) -> FALSE (350) if (&User-Name =~ /@\./) { (350) if (&User-Name =~ /@\./) -> FALSE (350) } # if (&User-Name) = updated (350) } # policy filter_username = updated (350) suffix: Checking for suffix after "@" (350) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (350) suffix: Found realm "REALM.COM" (350) suffix: Adding Realm = "REALM.COM" (350) suffix: Authentication realm is LOCAL (350) [suffix] = ok (350) policy deny_no_realm { (350) if (User-Name && (User-Name !~ /@/)) { (350) if (User-Name && (User-Name !~ /@/)) -> FALSE (350) } # policy deny_no_realm = updated (350) update request { (350) EXPAND %{toupper:%{Realm}} (350) --> REALM.COM (350) Realm := REALM.COM (350) } # update request = noop (350) eap: Peer sent EAP Response (code 2) ID 12 length 46 (350) eap: Continuing tunnel setup (350) [eap] = ok (350) } # if (EAP-Message) = ok (350) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (350) } # authorize = updated (350) Found Auth-Type = eap (350) # Executing group from file /etc/freeradius/sites-enabled/default (350) Auth-Type eap { (350) eap: Removing EAP session with state 0x014113110b4d0af2 (350) eap: Previous EAP request found for state 0x014113110b4d0af2, released from the list (350) eap: Peer sent packet with method EAP PEAP (25) (350) eap: Calling submodule eap_peap to process data (350) eap_peap: (TLS) EAP Done initial handshake (350) eap_peap: Session established. Decoding tunneled attributes (350) eap_peap: PEAP state send tlv success (350) eap_peap: Received EAP-TLV response (350) eap_peap: Success (350) eap_peap: Using saved attributes from the original Access-Accept (350) eap_peap: Tunnel-Type := VLAN (350) eap_peap: Tunnel-Medium-Type := IEEE-802 (350) eap_peap: Class = 0x7374616666 (350) eap_peap: Filter-Id = "staff" (350) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (350) eap_peap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) eap: Sending EAP Success (code 3) ID 12 length 4 (350) eap: Freeing handler (350) [eap] = ok (350) if (handled && (Response-Packet-Type == Access-Challenge)) { (350) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (350) } # Auth-Type eap = ok (350) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (350) post-auth { (350) policy debug_all { (350) policy debug_control { (350) if ("%{debug_attr:control:}" == '') { (350) Attributes matching "control:" (350) &control:Auth-Type = eap (350) EXPAND %{debug_attr:control:} (350) --> (350) if ("%{debug_attr:control:}" == '') -> TRUE (350) if ("%{debug_attr:control:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:control:}" == '') = noop (350) } # policy debug_control = noop (350) policy debug_request { (350) if ("%{debug_attr:request:}" == '') { (350) Attributes matching "request:" (350) &request:User-Name = xyz@realm.com (350) &request:Service-Type = Framed-User (350) &request:Cisco-AVPair = service-type=Framed (350) &request:Framed-MTU = 1485 (350) &request:EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244 (350) &request:Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c (350) &request:Cisco-AVPair = audit-session-id=142A5C820037733BC01D7C58 (350) &request:Cisco-AVPair = method=dot1x (350) &request:Cisco-AVPair = client-iif-id=2499807523 (350) &request:Cisco-AVPair = vlan-id=1876 (350) &request:NAS-IP-Address = 130.92.42.15 (350) &request:NAS-Port-Type = Wireless-802.11 (350) &request:NAS-Port = 4211 (350) &request:State = 0x014113110b4d0af2159d1101103ebc16 (350) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam (350) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV (350) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (350) &request:Calling-Station-Id := 22-E0-73-F2-50-23 (350) &request:Airespace-Wlan-Id = 98 (350) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam (350) &request:WLAN-Group-Cipher = 1027076 (350) &request:WLAN-Pairwise-Cipher = 1027076 (350) &request:WLAN-AKM-Suite = 1027075 (350) &request:Called-Station-SSID := eduroam (350) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (350) &request:Realm := REALM.COM (350) &request:EAP-Type = PEAP (350) EXPAND %{debug_attr:request:} (350) --> (350) if ("%{debug_attr:request:}" == '') -> TRUE (350) if ("%{debug_attr:request:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:request:}" == '') = noop (350) } # policy debug_request = noop (350) policy debug_coa { (350) if ("%{debug_attr:coa:}" == '') { (350) Attributes matching "coa:" (350) WARNING: List "coa" is not available (350) EXPAND %{debug_attr:coa:} (350) --> (350) if ("%{debug_attr:coa:}" == '') -> TRUE (350) if ("%{debug_attr:coa:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:coa:}" == '') = noop (350) } # policy debug_coa = noop (350) policy debug_reply { (350) if ("%{debug_attr:reply:}" == '') { (350) Attributes matching "reply:" (350) &reply:Tunnel-Type:-128 := VLAN (350) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (350) &reply:Class = 0x7374616666 (350) &reply:Filter-Id = staff (350) &reply:Tunnel-Private-Group-Id:0 = 1874 (350) &reply:Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) &reply:MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5 (350) &reply:MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) &reply:EAP-MSK = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac565b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) &reply:EAP-EMSK = 0x2700c8fa3f3c22ec78878753bbf46ce60a211bc408dc33d44079d7dccd51489c9d10b38d2e6a303da3766e1e2b7e38ec4b6e4b344c6be00360f6ae6b255b4236 (350) &reply:EAP-Session-Id = 0x19675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba848c6f0abbfc21ebae81584415260a08bae7625b694abcfc744444f574e47524401 (350) &reply:EAP-Message = 0x030c0004 (350) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (350) &reply:User-Name = xyz@realm.com (350) EXPAND %{debug_attr:reply:} (350) --> (350) if ("%{debug_attr:reply:}" == '') -> TRUE (350) if ("%{debug_attr:reply:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:reply:}" == '') = noop (350) } # policy debug_reply = noop (350) policy debug_session_state { (350) if ("%{debug_attr:session-state:}" == '') { (350) Attributes matching "session-state:" (350) EXPAND %{debug_attr:session-state:} (350) --> (350) if ("%{debug_attr:session-state:}" == '') -> TRUE (350) if ("%{debug_attr:session-state:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:session-state:}" == '') = noop (350) } # policy debug_session_state = noop (350) } # policy debug_all = noop (350) update { (350) No attributes updated for RHS &session-state (350) } # update = noop (350) if (Service-Type == Call-Check) { (350) if (Service-Type == Call-Check) -> FALSE (350) else { (350) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (350) 802.1x_auth_log: --> Fri Dec 13 14:05:04 2024 : AuthZ: (15) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) (350) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (350) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (350) [802.1x_auth_log] = ok (350) } # else = ok (350) policy remove_reply_message_if_eap { (350) if (&reply:EAP-Message && &reply:Reply-Message) { (350) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (350) else { (350) [noop] = noop (350) } # else = noop (350) } # policy remove_reply_message_if_eap = noop (350) } # post-auth = ok (350) Login OK: [xyz@realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23) (350) Sent Access-Accept Id 15 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264 (350) Tunnel-Type := VLAN (350) Tunnel-Medium-Type := IEEE-802 (350) Class = 0x7374616666 (350) Filter-Id = "staff" (350) Tunnel-Private-Group-Id:0 = "1874" (350) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5 (350) MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) EAP-Message = 0x030c0004 (350) Message-Authenticator = 0x00000000000000000000000000000000 (350) User-Name = "xyz@realm.com" (350) Finished request Waking up in 4.8 seconds. (351) Received Access-Request Id 23 from 130.92.42.15:60533 to 130.92.10.33:1812 length 445 (351) User-Name = "xyz@realm.com" (351) Service-Type = Framed-User (351) Cisco-AVPair = "service-type=Framed" (351) Framed-MTU = 1485 (351) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (351) Message-Authenticator = 0x2933cb4d659e4203d7e8cbc1e21e548d (351) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (351) Cisco-AVPair = "method=dot1x" (351) Cisco-AVPair = "client-iif-id=201332865" (351) Cisco-AVPair = "vlan-id=1876" (351) NAS-IP-Address = 130.92.42.15 (351) NAS-Port-Type = Wireless-802.11 (351) NAS-Port = 4211 (351) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (351) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (351) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (351) Calling-Station-Id = "22-e0-73-f2-50-23" (351) Airespace-Wlan-Id = 98 (351) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (351) WLAN-Group-Cipher = 1027076 (351) WLAN-Pairwise-Cipher = 1027076 (351) WLAN-AKM-Suite = 1027075 (351) # Executing section authorize from file /etc/freeradius/sites-enabled/default (351) authorize { (351) policy rewrite_called_station_id { (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (351) update request { (351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (351) --> 60-B9-C0-04-C4-40 (351) &Called-Station-Id := 60-B9-C0-04-C4-40 (351) } # update request = noop (351) if ("%{8}") { (351) EXPAND %{8} (351) --> eduroam (351) if ("%{8}") -> TRUE (351) if ("%{8}") { (351) update request { (351) EXPAND %{8} (351) --> eduroam (351) &Called-Station-SSID := eduroam (351) EXPAND %{Called-Station-Id}:%{8} (351) --> 60-B9-C0-04-C4-40:eduroam (351) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (351) } # update request = noop (351) } # if ("%{8}") = noop (351) [updated] = updated (351) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (351) ... skipping else: Preceding "if" was taken (351) } # policy rewrite_called_station_id = updated (351) policy rewrite_calling_station_id { (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (351) update request { (351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (351) --> 22-E0-73-F2-50-23 (351) &Calling-Station-Id := 22-E0-73-F2-50-23 (351) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (351) --> 22:E0:73:F2:50:23 (351) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (351) } # update request = noop (351) [updated] = updated (351) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (351) ... skipping else: Preceding "if" was taken (351) } # policy rewrite_calling_station_id = updated (351) if (NAS-Identifier == "uvisrz0215.insel.ch") { (351) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (351) if (Service-Type == Call-Check) { (351) if (Service-Type == Call-Check) -> FALSE (351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (351) EXPAND Packet-Src-IP-Address (351) --> 130.92.42.15 (351) EXPAND Packet-Src-IP-Address (351) --> 130.92.42.15 (351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (351) if (EAP-Message) { (351) if (EAP-Message) -> TRUE (351) if (EAP-Message) { (351) policy filter_username { (351) if (&User-Name) { (351) if (&User-Name) -> TRUE (351) if (&User-Name) { (351) if (&User-Name =~ / /) { (351) if (&User-Name =~ / /) -> FALSE (351) if (&User-Name =~ /@[^@]*@/ ) { (351) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (351) if (&User-Name =~ /\.\./ ) { (351) if (&User-Name =~ /\.\./ ) -> FALSE (351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (351) if (&User-Name =~ /\.$/) { (351) if (&User-Name =~ /\.$/) -> FALSE (351) if (&User-Name =~ /@\./) { (351) if (&User-Name =~ /@\./) -> FALSE (351) } # if (&User-Name) = updated (351) } # policy filter_username = updated (351) suffix: Checking for suffix after "@" (351) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (351) suffix: Found realm "REALM.COM" (351) suffix: Adding Realm = "REALM.COM" (351) suffix: Authentication realm is LOCAL (351) [suffix] = ok (351) policy deny_no_realm { (351) if (User-Name && (User-Name !~ /@/)) { (351) if (User-Name && (User-Name !~ /@/)) -> FALSE (351) } # policy deny_no_realm = updated (351) update request { (351) EXPAND %{toupper:%{Realm}} (351) --> REALM.COM (351) Realm := REALM.COM (351) } # update request = noop (351) eap: Peer sent EAP Response (code 2) ID 1 length 29 (351) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (351) [eap] = ok (351) } # if (EAP-Message) = ok (351) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (351) } # authorize = updated (351) Found Auth-Type = eap (351) # Executing group from file /etc/freeradius/sites-enabled/default (351) Auth-Type eap { (351) eap: Peer sent packet with method EAP Identity (1) (351) eap: Calling submodule eap_peap to process data (351) eap_peap: (TLS) PEAP -Initiating new session (351) eap: Sending EAP Request (code 1) ID 2 length 6 (351) eap: EAP session adding &reply:State = 0xceec9f67ceee86c2 (351) [eap] = handled (351) if (handled && (Response-Packet-Type == Access-Challenge)) { (351) EXPAND Response-Packet-Type (351) --> Access-Challenge (351) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (351) if (handled && (Response-Packet-Type == Access-Challenge)) { (351) attr_filter.access_challenge: EXPAND %{User-Name} (351) attr_filter.access_challenge: --> xyz@realm.com (351) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (351) [attr_filter.access_challenge.post-auth] = updated (351) [handled] = handled (351) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (351) } # Auth-Type eap = handled (351) Using Post-Auth-Type Challenge (351) Post-Auth-Type sub-section not found. Ignoring. (351) # Executing group from file /etc/freeradius/sites-enabled/default (351) session-state: Saving cached attributes (351) Framed-MTU = 1014 (351) Sent Access-Challenge Id 23 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64 (351) EAP-Message = 0x010200061920 (351) Message-Authenticator = 0x00000000000000000000000000000000 (351) State = 0xceec9f67ceee86c299469da09cee92a1 (351) Finished request Waking up in 3.9 seconds. (352) Received Access-Request Id 31 from 130.92.42.15:60533 to 130.92.10.33:1812 length 595 (352) User-Name = "xyz@realm.com" (352) Service-Type = Framed-User (352) Cisco-AVPair = "service-type=Framed" (352) Framed-MTU = 1485 (352) EAP-Message = 0x020200a119800000009716030100920100008e0303675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb59700002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (352) Message-Authenticator = 0xd7069ec703e1171145ae6fb6ecf1d5a8 (352) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (352) Cisco-AVPair = "method=dot1x" (352) Cisco-AVPair = "client-iif-id=201332865" (352) Cisco-AVPair = "vlan-id=1876" (352) NAS-IP-Address = 130.92.42.15 (352) NAS-Port-Type = Wireless-802.11 (352) NAS-Port = 4211 (352) State = 0xceec9f67ceee86c299469da09cee92a1 (352) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (352) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (352) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (352) Calling-Station-Id = "22-e0-73-f2-50-23" (352) Airespace-Wlan-Id = 98 (352) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (352) WLAN-Group-Cipher = 1027076 (352) WLAN-Pairwise-Cipher = 1027076 (352) WLAN-AKM-Suite = 1027075 (352) Restoring &session-state (352) &session-state:Framed-MTU = 1014 (352) # Executing section authorize from file /etc/freeradius/sites-enabled/default (352) authorize { (352) policy rewrite_called_station_id { (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (352) update request { (352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (352) --> 60-B9-C0-04-C4-40 (352) &Called-Station-Id := 60-B9-C0-04-C4-40 (352) } # update request = noop (352) if ("%{8}") { (352) EXPAND %{8} (352) --> eduroam (352) if ("%{8}") -> TRUE (352) if ("%{8}") { (352) update request { (352) EXPAND %{8} (352) --> eduroam (352) &Called-Station-SSID := eduroam (352) EXPAND %{Called-Station-Id}:%{8} (352) --> 60-B9-C0-04-C4-40:eduroam (352) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (352) } # update request = noop (352) } # if ("%{8}") = noop (352) [updated] = updated (352) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (352) ... skipping else: Preceding "if" was taken (352) } # policy rewrite_called_station_id = updated (352) policy rewrite_calling_station_id { (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (352) update request { (352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (352) --> 22-E0-73-F2-50-23 (352) &Calling-Station-Id := 22-E0-73-F2-50-23 (352) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (352) --> 22:E0:73:F2:50:23 (352) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (352) } # update request = noop (352) [updated] = updated (352) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (352) ... skipping else: Preceding "if" was taken (352) } # policy rewrite_calling_station_id = updated (352) if (NAS-Identifier == "uvisrz0215.insel.ch") { (352) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (352) if (Service-Type == Call-Check) { (352) if (Service-Type == Call-Check) -> FALSE (352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (352) EXPAND Packet-Src-IP-Address (352) --> 130.92.42.15 (352) EXPAND Packet-Src-IP-Address (352) --> 130.92.42.15 (352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (352) if (EAP-Message) { (352) if (EAP-Message) -> TRUE (352) if (EAP-Message) { (352) policy filter_username { (352) if (&User-Name) { (352) if (&User-Name) -> TRUE (352) if (&User-Name) { (352) if (&User-Name =~ / /) { (352) if (&User-Name =~ / /) -> FALSE (352) if (&User-Name =~ /@[^@]*@/ ) { (352) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (352) if (&User-Name =~ /\.\./ ) { (352) if (&User-Name =~ /\.\./ ) -> FALSE (352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (352) if (&User-Name =~ /\.$/) { (352) if (&User-Name =~ /\.$/) -> FALSE (352) if (&User-Name =~ /@\./) { (352) if (&User-Name =~ /@\./) -> FALSE (352) } # if (&User-Name) = updated (352) } # policy filter_username = updated (352) suffix: Checking for suffix after "@" (352) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (352) suffix: Found realm "REALM.COM" (352) suffix: Adding Realm = "REALM.COM" (352) suffix: Authentication realm is LOCAL (352) [suffix] = ok (352) policy deny_no_realm { (352) if (User-Name && (User-Name !~ /@/)) { (352) if (User-Name && (User-Name !~ /@/)) -> FALSE (352) } # policy deny_no_realm = updated (352) update request { (352) EXPAND %{toupper:%{Realm}} (352) --> REALM.COM (352) Realm := REALM.COM (352) } # update request = noop (352) eap: Peer sent EAP Response (code 2) ID 2 length 161 (352) eap: Continuing tunnel setup (352) [eap] = ok (352) } # if (EAP-Message) = ok (352) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (352) } # authorize = updated (352) Found Auth-Type = eap (352) # Executing group from file /etc/freeradius/sites-enabled/default (352) Auth-Type eap { (352) eap: Removing EAP session with state 0xceec9f67ceee86c2 (352) eap: Previous EAP request found for state 0xceec9f67ceee86c2, released from the list (352) eap: Peer sent packet with method EAP PEAP (25) (352) eap: Calling submodule eap_peap to process data (352) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (352) eap_peap: (TLS) EAP Got all data (151 bytes) (352) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (352) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (352) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (352) eap_peap: (TLS) PEAP - In Handshake Phase (352) eap: Sending EAP Request (code 1) ID 3 length 1024 (352) eap: EAP session adding &reply:State = 0xceec9f67cfef86c2 (352) [eap] = handled (352) if (handled && (Response-Packet-Type == Access-Challenge)) { (352) EXPAND Response-Packet-Type (352) --> Access-Challenge (352) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (352) if (handled && (Response-Packet-Type == Access-Challenge)) { (352) attr_filter.access_challenge: EXPAND %{User-Name} (352) attr_filter.access_challenge: --> xyz@realm.com (352) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (352) [attr_filter.access_challenge.post-auth] = updated (352) [handled] = handled (352) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (352) } # Auth-Type eap = handled (352) Using Post-Auth-Type Challenge (352) Post-Auth-Type sub-section not found. Ignoring. (352) # Executing group from file /etc/freeradius/sites-enabled/default (352) session-state: Saving cached attributes (352) Framed-MTU = 1014 (352) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (352) Sent Access-Challenge Id 31 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090 (352) EAP-Message = 0x0103040019c000001135160303003d020000390303a19642b1ba520223bc61e483ac418e3f44e0800ee85d2526444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a003020102021006387c8dc0feba6f5f4a0c47e7c561cd300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3234303532393030303030305a170d3235303532383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (352) Message-Authenticator = 0x00000000000000000000000000000000 (352) State = 0xceec9f67cfef86c299469da09cee92a1 (352) Finished request Waking up in 3.9 seconds. (353) Received Access-Request Id 39 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (353) User-Name = "xyz@realm.com" (353) Service-Type = Framed-User (353) Cisco-AVPair = "service-type=Framed" (353) Framed-MTU = 1485 (353) EAP-Message = 0x020300061900 (353) Message-Authenticator = 0xf3796f124c3546a4fff1a4495bc4bc3c (353) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (353) Cisco-AVPair = "method=dot1x" (353) Cisco-AVPair = "client-iif-id=201332865" (353) Cisco-AVPair = "vlan-id=1876" (353) NAS-IP-Address = 130.92.42.15 (353) NAS-Port-Type = Wireless-802.11 (353) NAS-Port = 4211 (353) State = 0xceec9f67cfef86c299469da09cee92a1 (353) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (353) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (353) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (353) Calling-Station-Id = "22-e0-73-f2-50-23" (353) Airespace-Wlan-Id = 98 (353) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (353) WLAN-Group-Cipher = 1027076 (353) WLAN-Pairwise-Cipher = 1027076 (353) WLAN-AKM-Suite = 1027075 (353) Restoring &session-state (353) &session-state:Framed-MTU = 1014 (353) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (353) # Executing section authorize from file /etc/freeradius/sites-enabled/default (353) authorize { (353) policy rewrite_called_station_id { (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (353) update request { (353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (353) --> 60-B9-C0-04-C4-40 (353) &Called-Station-Id := 60-B9-C0-04-C4-40 (353) } # update request = noop (353) if ("%{8}") { (353) EXPAND %{8} (353) --> eduroam (353) if ("%{8}") -> TRUE (353) if ("%{8}") { (353) update request { (353) EXPAND %{8} (353) --> eduroam (353) &Called-Station-SSID := eduroam (353) EXPAND %{Called-Station-Id}:%{8} (353) --> 60-B9-C0-04-C4-40:eduroam (353) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (353) } # update request = noop (353) } # if ("%{8}") = noop (353) [updated] = updated (353) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (353) ... skipping else: Preceding "if" was taken (353) } # policy rewrite_called_station_id = updated (353) policy rewrite_calling_station_id { (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (353) update request { (353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (353) --> 22-E0-73-F2-50-23 (353) &Calling-Station-Id := 22-E0-73-F2-50-23 (353) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (353) --> 22:E0:73:F2:50:23 (353) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (353) } # update request = noop (353) [updated] = updated (353) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (353) ... skipping else: Preceding "if" was taken (353) } # policy rewrite_calling_station_id = updated (353) if (NAS-Identifier == "uvisrz0215.insel.ch") { (353) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (353) if (Service-Type == Call-Check) { (353) if (Service-Type == Call-Check) -> FALSE (353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (353) EXPAND Packet-Src-IP-Address (353) --> 130.92.42.15 (353) EXPAND Packet-Src-IP-Address (353) --> 130.92.42.15 (353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (353) if (EAP-Message) { (353) if (EAP-Message) -> TRUE (353) if (EAP-Message) { (353) policy filter_username { (353) if (&User-Name) { (353) if (&User-Name) -> TRUE (353) if (&User-Name) { (353) if (&User-Name =~ / /) { (353) if (&User-Name =~ / /) -> FALSE (353) if (&User-Name =~ /@[^@]*@/ ) { (353) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (353) if (&User-Name =~ /\.\./ ) { (353) if (&User-Name =~ /\.\./ ) -> FALSE (353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (353) if (&User-Name =~ /\.$/) { (353) if (&User-Name =~ /\.$/) -> FALSE (353) if (&User-Name =~ /@\./) { (353) if (&User-Name =~ /@\./) -> FALSE (353) } # if (&User-Name) = updated (353) } # policy filter_username = updated (353) suffix: Checking for suffix after "@" (353) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (353) suffix: Found realm "REALM.COM" (353) suffix: Adding Realm = "REALM.COM" (353) suffix: Authentication realm is LOCAL (353) [suffix] = ok (353) policy deny_no_realm { (353) if (User-Name && (User-Name !~ /@/)) { (353) if (User-Name && (User-Name !~ /@/)) -> FALSE (353) } # policy deny_no_realm = updated (353) update request { (353) EXPAND %{toupper:%{Realm}} (353) --> REALM.COM (353) Realm := REALM.COM (353) } # update request = noop (353) eap: Peer sent EAP Response (code 2) ID 3 length 6 (353) eap: Continuing tunnel setup (353) [eap] = ok (353) } # if (EAP-Message) = ok (353) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (353) } # authorize = updated (353) Found Auth-Type = eap (353) # Executing group from file /etc/freeradius/sites-enabled/default (353) Auth-Type eap { (353) eap: Removing EAP session with state 0xceec9f67cfef86c2 (353) eap: Previous EAP request found for state 0xceec9f67cfef86c2, released from the list (353) eap: Peer sent packet with method EAP PEAP (25) (353) eap: Calling submodule eap_peap to process data (353) eap_peap: (TLS) Peer ACKed our handshake fragment (353) eap: Sending EAP Request (code 1) ID 4 length 1020 (353) eap: EAP session adding &reply:State = 0xceec9f67cce886c2 (353) [eap] = handled (353) if (handled && (Response-Packet-Type == Access-Challenge)) { (353) EXPAND Response-Packet-Type (353) --> Access-Challenge (353) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (353) if (handled && (Response-Packet-Type == Access-Challenge)) { (353) attr_filter.access_challenge: EXPAND %{User-Name} (353) attr_filter.access_challenge: --> xyz@realm.com (353) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (353) [attr_filter.access_challenge.post-auth] = updated (353) [handled] = handled (353) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (353) } # Auth-Type eap = handled (353) Using Post-Auth-Type Challenge (353) Post-Auth-Type sub-section not found. Ignoring. (353) # Executing group from file /etc/freeradius/sites-enabled/default (353) session-state: Saving cached attributes (353) Framed-MTU = 1014 (353) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (353) Sent Access-Challenge Id 39 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (353) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494 (353) Message-Authenticator = 0x00000000000000000000000000000000 (353) State = 0xceec9f67cce886c299469da09cee92a1 (353) Finished request Waking up in 3.9 seconds. (354) Received Access-Request Id 47 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (354) User-Name = "xyz@realm.com" (354) Service-Type = Framed-User (354) Cisco-AVPair = "service-type=Framed" (354) Framed-MTU = 1485 (354) EAP-Message = 0x020400061900 (354) Message-Authenticator = 0xb510334983626c4527fe4b7d8fce100f (354) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (354) Cisco-AVPair = "method=dot1x" (354) Cisco-AVPair = "client-iif-id=201332865" (354) Cisco-AVPair = "vlan-id=1876" (354) NAS-IP-Address = 130.92.42.15 (354) NAS-Port-Type = Wireless-802.11 (354) NAS-Port = 4211 (354) State = 0xceec9f67cce886c299469da09cee92a1 (354) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (354) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (354) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (354) Calling-Station-Id = "22-e0-73-f2-50-23" (354) Airespace-Wlan-Id = 98 (354) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (354) WLAN-Group-Cipher = 1027076 (354) WLAN-Pairwise-Cipher = 1027076 (354) WLAN-AKM-Suite = 1027075 (354) Restoring &session-state (354) &session-state:Framed-MTU = 1014 (354) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (354) # Executing section authorize from file /etc/freeradius/sites-enabled/default (354) authorize { (354) policy rewrite_called_station_id { (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (354) update request { (354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (354) --> 60-B9-C0-04-C4-40 (354) &Called-Station-Id := 60-B9-C0-04-C4-40 (354) } # update request = noop (354) if ("%{8}") { (354) EXPAND %{8} (354) --> eduroam (354) if ("%{8}") -> TRUE (354) if ("%{8}") { (354) update request { (354) EXPAND %{8} (354) --> eduroam (354) &Called-Station-SSID := eduroam (354) EXPAND %{Called-Station-Id}:%{8} (354) --> 60-B9-C0-04-C4-40:eduroam (354) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (354) } # update request = noop (354) } # if ("%{8}") = noop (354) [updated] = updated (354) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (354) ... skipping else: Preceding "if" was taken (354) } # policy rewrite_called_station_id = updated (354) policy rewrite_calling_station_id { (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (354) update request { (354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (354) --> 22-E0-73-F2-50-23 (354) &Calling-Station-Id := 22-E0-73-F2-50-23 (354) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (354) --> 22:E0:73:F2:50:23 (354) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (354) } # update request = noop (354) [updated] = updated (354) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (354) ... skipping else: Preceding "if" was taken (354) } # policy rewrite_calling_station_id = updated (354) if (NAS-Identifier == "uvisrz0215.insel.ch") { (354) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (354) if (Service-Type == Call-Check) { (354) if (Service-Type == Call-Check) -> FALSE (354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (354) EXPAND Packet-Src-IP-Address (354) --> 130.92.42.15 (354) EXPAND Packet-Src-IP-Address (354) --> 130.92.42.15 (354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (354) if (EAP-Message) { (354) if (EAP-Message) -> TRUE (354) if (EAP-Message) { (354) policy filter_username { (354) if (&User-Name) { (354) if (&User-Name) -> TRUE (354) if (&User-Name) { (354) if (&User-Name =~ / /) { (354) if (&User-Name =~ / /) -> FALSE (354) if (&User-Name =~ /@[^@]*@/ ) { (354) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (354) if (&User-Name =~ /\.\./ ) { (354) if (&User-Name =~ /\.\./ ) -> FALSE (354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (354) if (&User-Name =~ /\.$/) { (354) if (&User-Name =~ /\.$/) -> FALSE (354) if (&User-Name =~ /@\./) { (354) if (&User-Name =~ /@\./) -> FALSE (354) } # if (&User-Name) = updated (354) } # policy filter_username = updated (354) suffix: Checking for suffix after "@" (354) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (354) suffix: Found realm "REALM.COM" (354) suffix: Adding Realm = "REALM.COM" (354) suffix: Authentication realm is LOCAL (354) [suffix] = ok (354) policy deny_no_realm { (354) if (User-Name && (User-Name !~ /@/)) { (354) if (User-Name && (User-Name !~ /@/)) -> FALSE (354) } # policy deny_no_realm = updated (354) update request { (354) EXPAND %{toupper:%{Realm}} (354) --> REALM.COM (354) Realm := REALM.COM (354) } # update request = noop (354) eap: Peer sent EAP Response (code 2) ID 4 length 6 (354) eap: Continuing tunnel setup (354) [eap] = ok (354) } # if (EAP-Message) = ok (354) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (354) } # authorize = updated (354) Found Auth-Type = eap (354) # Executing group from file /etc/freeradius/sites-enabled/default (354) Auth-Type eap { (354) eap: Removing EAP session with state 0xceec9f67cce886c2 (354) eap: Previous EAP request found for state 0xceec9f67cce886c2, released from the list (354) eap: Peer sent packet with method EAP PEAP (25) (354) eap: Calling submodule eap_peap to process data (354) eap_peap: (TLS) Peer ACKed our handshake fragment (354) eap: Sending EAP Request (code 1) ID 5 length 1020 (354) eap: EAP session adding &reply:State = 0xceec9f67cde986c2 (354) [eap] = handled (354) if (handled && (Response-Packet-Type == Access-Challenge)) { (354) EXPAND Response-Packet-Type (354) --> Access-Challenge (354) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (354) if (handled && (Response-Packet-Type == Access-Challenge)) { (354) attr_filter.access_challenge: EXPAND %{User-Name} (354) attr_filter.access_challenge: --> xyz@realm.com (354) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (354) [attr_filter.access_challenge.post-auth] = updated (354) [handled] = handled (354) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (354) } # Auth-Type eap = handled (354) Using Post-Auth-Type Challenge (354) Post-Auth-Type sub-section not found. Ignoring. (354) # Executing group from file /etc/freeradius/sites-enabled/default (354) session-state: Saving cached attributes (354) Framed-MTU = 1014 (354) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (354) Sent Access-Challenge Id 47 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (354) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (354) Message-Authenticator = 0x00000000000000000000000000000000 (354) State = 0xceec9f67cde986c299469da09cee92a1 (354) Finished request Waking up in 3.8 seconds. (355) Received Access-Request Id 55 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (355) User-Name = "xyz@realm.com" (355) Service-Type = Framed-User (355) Cisco-AVPair = "service-type=Framed" (355) Framed-MTU = 1485 (355) EAP-Message = 0x020500061900 (355) Message-Authenticator = 0x8e81bbf2bf5fb1fbc216fcb932dee869 (355) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (355) Cisco-AVPair = "method=dot1x" (355) Cisco-AVPair = "client-iif-id=201332865" (355) Cisco-AVPair = "vlan-id=1876" (355) NAS-IP-Address = 130.92.42.15 (355) NAS-Port-Type = Wireless-802.11 (355) NAS-Port = 4211 (355) State = 0xceec9f67cde986c299469da09cee92a1 (355) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (355) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (355) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (355) Calling-Station-Id = "22-e0-73-f2-50-23" (355) Airespace-Wlan-Id = 98 (355) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (355) WLAN-Group-Cipher = 1027076 (355) WLAN-Pairwise-Cipher = 1027076 (355) WLAN-AKM-Suite = 1027075 (355) Restoring &session-state (355) &session-state:Framed-MTU = 1014 (355) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (355) # Executing section authorize from file /etc/freeradius/sites-enabled/default (355) authorize { (355) policy rewrite_called_station_id { (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (355) update request { (355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (355) --> 60-B9-C0-04-C4-40 (355) &Called-Station-Id := 60-B9-C0-04-C4-40 (355) } # update request = noop (355) if ("%{8}") { (355) EXPAND %{8} (355) --> eduroam (355) if ("%{8}") -> TRUE (355) if ("%{8}") { (355) update request { (355) EXPAND %{8} (355) --> eduroam (355) &Called-Station-SSID := eduroam (355) EXPAND %{Called-Station-Id}:%{8} (355) --> 60-B9-C0-04-C4-40:eduroam (355) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (355) } # update request = noop (355) } # if ("%{8}") = noop (355) [updated] = updated (355) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (355) ... skipping else: Preceding "if" was taken (355) } # policy rewrite_called_station_id = updated (355) policy rewrite_calling_station_id { (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (355) update request { (355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (355) --> 22-E0-73-F2-50-23 (355) &Calling-Station-Id := 22-E0-73-F2-50-23 (355) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (355) --> 22:E0:73:F2:50:23 (355) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (355) } # update request = noop (355) [updated] = updated (355) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (355) ... skipping else: Preceding "if" was taken (355) } # policy rewrite_calling_station_id = updated (355) if (NAS-Identifier == "uvisrz0215.insel.ch") { (355) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (355) if (Service-Type == Call-Check) { (355) if (Service-Type == Call-Check) -> FALSE (355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (355) EXPAND Packet-Src-IP-Address (355) --> 130.92.42.15 (355) EXPAND Packet-Src-IP-Address (355) --> 130.92.42.15 (355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (355) if (EAP-Message) { (355) if (EAP-Message) -> TRUE (355) if (EAP-Message) { (355) policy filter_username { (355) if (&User-Name) { (355) if (&User-Name) -> TRUE (355) if (&User-Name) { (355) if (&User-Name =~ / /) { (355) if (&User-Name =~ / /) -> FALSE (355) if (&User-Name =~ /@[^@]*@/ ) { (355) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (355) if (&User-Name =~ /\.\./ ) { (355) if (&User-Name =~ /\.\./ ) -> FALSE (355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (355) if (&User-Name =~ /\.$/) { (355) if (&User-Name =~ /\.$/) -> FALSE (355) if (&User-Name =~ /@\./) { (355) if (&User-Name =~ /@\./) -> FALSE (355) } # if (&User-Name) = updated (355) } # policy filter_username = updated (355) suffix: Checking for suffix after "@" (355) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (355) suffix: Found realm "REALM.COM" (355) suffix: Adding Realm = "REALM.COM" (355) suffix: Authentication realm is LOCAL (355) [suffix] = ok (355) policy deny_no_realm { (355) if (User-Name && (User-Name !~ /@/)) { (355) if (User-Name && (User-Name !~ /@/)) -> FALSE (355) } # policy deny_no_realm = updated (355) update request { (355) EXPAND %{toupper:%{Realm}} (355) --> REALM.COM (355) Realm := REALM.COM (355) } # update request = noop (355) eap: Peer sent EAP Response (code 2) ID 5 length 6 (355) eap: Continuing tunnel setup (355) [eap] = ok (355) } # if (EAP-Message) = ok (355) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (355) } # authorize = updated (355) Found Auth-Type = eap (355) # Executing group from file /etc/freeradius/sites-enabled/default (355) Auth-Type eap { (355) eap: Removing EAP session with state 0xceec9f67cde986c2 (355) eap: Previous EAP request found for state 0xceec9f67cde986c2, released from the list (355) eap: Peer sent packet with method EAP PEAP (25) (355) eap: Calling submodule eap_peap to process data (355) eap_peap: (TLS) Peer ACKed our handshake fragment (355) eap: Sending EAP Request (code 1) ID 6 length 1020 (355) eap: EAP session adding &reply:State = 0xceec9f67caea86c2 (355) [eap] = handled (355) if (handled && (Response-Packet-Type == Access-Challenge)) { (355) EXPAND Response-Packet-Type (355) --> Access-Challenge (355) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (355) if (handled && (Response-Packet-Type == Access-Challenge)) { (355) attr_filter.access_challenge: EXPAND %{User-Name} (355) attr_filter.access_challenge: --> xyz@realm.com (355) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (355) [attr_filter.access_challenge.post-auth] = updated (355) [handled] = handled (355) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (355) } # Auth-Type eap = handled (355) Using Post-Auth-Type Challenge (355) Post-Auth-Type sub-section not found. Ignoring. (355) # Executing group from file /etc/freeradius/sites-enabled/default (355) session-state: Saving cached attributes (355) Framed-MTU = 1014 (355) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (355) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (355) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (355) Message-Authenticator = 0x00000000000000000000000000000000 (355) State = 0xceec9f67caea86c299469da09cee92a1 (355) Finished request Waking up in 3.8 seconds. (356) Received Access-Request Id 63 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (356) User-Name = "xyz@realm.com" (356) Service-Type = Framed-User (356) Cisco-AVPair = "service-type=Framed" (356) Framed-MTU = 1485 (356) EAP-Message = 0x020600061900 (356) Message-Authenticator = 0xc44289330177ed5b3c4d95479193adc0 (356) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (356) Cisco-AVPair = "method=dot1x" (356) Cisco-AVPair = "client-iif-id=201332865" (356) Cisco-AVPair = "vlan-id=1876" (356) NAS-IP-Address = 130.92.42.15 (356) NAS-Port-Type = Wireless-802.11 (356) NAS-Port = 4211 (356) State = 0xceec9f67caea86c299469da09cee92a1 (356) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (356) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (356) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (356) Calling-Station-Id = "22-e0-73-f2-50-23" (356) Airespace-Wlan-Id = 98 (356) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (356) WLAN-Group-Cipher = 1027076 (356) WLAN-Pairwise-Cipher = 1027076 (356) WLAN-AKM-Suite = 1027075 (356) Restoring &session-state (356) &session-state:Framed-MTU = 1014 (356) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (356) # Executing section authorize from file /etc/freeradius/sites-enabled/default (356) authorize { (356) policy rewrite_called_station_id { (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (356) update request { (356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (356) --> 60-B9-C0-04-C4-40 (356) &Called-Station-Id := 60-B9-C0-04-C4-40 (356) } # update request = noop (356) if ("%{8}") { (356) EXPAND %{8} (356) --> eduroam (356) if ("%{8}") -> TRUE (356) if ("%{8}") { (356) update request { (356) EXPAND %{8} (356) --> eduroam (356) &Called-Station-SSID := eduroam (356) EXPAND %{Called-Station-Id}:%{8} (356) --> 60-B9-C0-04-C4-40:eduroam (356) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (356) } # update request = noop (356) } # if ("%{8}") = noop (356) [updated] = updated (356) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (356) ... skipping else: Preceding "if" was taken (356) } # policy rewrite_called_station_id = updated (356) policy rewrite_calling_station_id { (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (356) update request { (356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (356) --> 22-E0-73-F2-50-23 (356) &Calling-Station-Id := 22-E0-73-F2-50-23 (356) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (356) --> 22:E0:73:F2:50:23 (356) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (356) } # update request = noop (356) [updated] = updated (356) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (356) ... skipping else: Preceding "if" was taken (356) } # policy rewrite_calling_station_id = updated (356) if (NAS-Identifier == "uvisrz0215.insel.ch") { (356) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (356) if (Service-Type == Call-Check) { (356) if (Service-Type == Call-Check) -> FALSE (356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (356) EXPAND Packet-Src-IP-Address (356) --> 130.92.42.15 (356) EXPAND Packet-Src-IP-Address (356) --> 130.92.42.15 (356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (356) if (EAP-Message) { (356) if (EAP-Message) -> TRUE (356) if (EAP-Message) { (356) policy filter_username { (356) if (&User-Name) { (356) if (&User-Name) -> TRUE (356) if (&User-Name) { (356) if (&User-Name =~ / /) { (356) if (&User-Name =~ / /) -> FALSE (356) if (&User-Name =~ /@[^@]*@/ ) { (356) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (356) if (&User-Name =~ /\.\./ ) { (356) if (&User-Name =~ /\.\./ ) -> FALSE (356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (356) if (&User-Name =~ /\.$/) { (356) if (&User-Name =~ /\.$/) -> FALSE (356) if (&User-Name =~ /@\./) { (356) if (&User-Name =~ /@\./) -> FALSE (356) } # if (&User-Name) = updated (356) } # policy filter_username = updated (356) suffix: Checking for suffix after "@" (356) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (356) suffix: Found realm "REALM.COM" (356) suffix: Adding Realm = "REALM.COM" (356) suffix: Authentication realm is LOCAL (356) [suffix] = ok (356) policy deny_no_realm { (356) if (User-Name && (User-Name !~ /@/)) { (356) if (User-Name && (User-Name !~ /@/)) -> FALSE (356) } # policy deny_no_realm = updated (356) update request { (356) EXPAND %{toupper:%{Realm}} (356) --> REALM.COM (356) Realm := REALM.COM (356) } # update request = noop (356) eap: Peer sent EAP Response (code 2) ID 6 length 6 (356) eap: Continuing tunnel setup (356) [eap] = ok (356) } # if (EAP-Message) = ok (356) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (356) } # authorize = updated (356) Found Auth-Type = eap (356) # Executing group from file /etc/freeradius/sites-enabled/default (356) Auth-Type eap { (356) eap: Removing EAP session with state 0xceec9f67caea86c2 (356) eap: Previous EAP request found for state 0xceec9f67caea86c2, released from the list (356) eap: Peer sent packet with method EAP PEAP (25) (356) eap: Calling submodule eap_peap to process data (356) eap_peap: (TLS) Peer ACKed our handshake fragment (356) eap: Sending EAP Request (code 1) ID 7 length 355 (356) eap: EAP session adding &reply:State = 0xceec9f67cbeb86c2 (356) [eap] = handled (356) if (handled && (Response-Packet-Type == Access-Challenge)) { (356) EXPAND Response-Packet-Type (356) --> Access-Challenge (356) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (356) if (handled && (Response-Packet-Type == Access-Challenge)) { (356) attr_filter.access_challenge: EXPAND %{User-Name} (356) attr_filter.access_challenge: --> xyz@realm.com (356) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (356) [attr_filter.access_challenge.post-auth] = updated (356) [handled] = handled (356) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (356) } # Auth-Type eap = handled (356) Using Post-Auth-Type Challenge (356) Post-Auth-Type sub-section not found. Ignoring. (356) # Executing group from file /etc/freeradius/sites-enabled/default (356) session-state: Saving cached attributes (356) Framed-MTU = 1014 (356) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (356) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415 (356) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104fd6e5579656e70bface3d2b6d7664dca8778ee606beca867cc96cbfeba740a9811c4088d3f08e679c201e01ba123428692cf6d1461cc0616e75a09374cbf5a59040101005148dfba1d9ef30df850975688a6168a9bff2732b603dc5588a1fb0940bb209aea2f0a9f68bc21c3405aaa6d12e4eb9a2254e2d66c6574d8c6606725c4e3d892c5ee30cacf546266a1f0ddce941a205c1bb6a8c3954c70cfda7ac819335b97e3fcc50e47058806fa895dd2940de272d1cd4c45ad8955e3aedbf11b406fc63ff963f7938e09f319660f5e9e2aebc29babb851f01af3880331b9cbbf671f154782a62464143d70c240b5ce6ad52a51a0c9f0df0d2337686d044595f6650de8e02702eb257118e24ea2525fd8a8b0d77ed6975ca0cf73e1a2d22148d96f74ef166ba96ae8488ff4c1369ce9998a47d91b145e83bccadd6fff90e44119e661cd482f16030300040e000000 (356) Message-Authenticator = 0x00000000000000000000000000000000 (356) State = 0xceec9f67cbeb86c299469da09cee92a1 (356) Finished request Waking up in 3.8 seconds. (357) Received Access-Request Id 71 from 130.92.42.15:60533 to 130.92.10.33:1812 length 570 (357) User-Name = "xyz@realm.com" (357) Service-Type = Framed-User (357) Cisco-AVPair = "service-type=Framed" (357) Framed-MTU = 1485 (357) EAP-Message = 0x0207008819800000007e1603030046100000424104dc75f0e99c0d10be5910b5ec7c9f9d1c239f795540d3f569fe73a2a28522d16ba31504a1cd5350b4b6bdff5dfc1527a84f9d4d38b82ef18a7a34cdf139cc71691403030001011603030028d818ac38e08209544a07329d759f59053fa0a4d1764f92143881d18b37e116582dc7d0618d43df56 (357) Message-Authenticator = 0x382bd2b906d4f4e2b5d7d11e1b7805a1 (357) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (357) Cisco-AVPair = "method=dot1x" (357) Cisco-AVPair = "client-iif-id=201332865" (357) Cisco-AVPair = "vlan-id=1876" (357) NAS-IP-Address = 130.92.42.15 (357) NAS-Port-Type = Wireless-802.11 (357) NAS-Port = 4211 (357) State = 0xceec9f67cbeb86c299469da09cee92a1 (357) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (357) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (357) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (357) Calling-Station-Id = "22-e0-73-f2-50-23" (357) Airespace-Wlan-Id = 98 (357) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (357) WLAN-Group-Cipher = 1027076 (357) WLAN-Pairwise-Cipher = 1027076 (357) WLAN-AKM-Suite = 1027075 (357) Restoring &session-state (357) &session-state:Framed-MTU = 1014 (357) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (357) # Executing section authorize from file /etc/freeradius/sites-enabled/default (357) authorize { (357) policy rewrite_called_station_id { (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (357) update request { (357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (357) --> 60-B9-C0-04-C4-40 (357) &Called-Station-Id := 60-B9-C0-04-C4-40 (357) } # update request = noop (357) if ("%{8}") { (357) EXPAND %{8} (357) --> eduroam (357) if ("%{8}") -> TRUE (357) if ("%{8}") { (357) update request { (357) EXPAND %{8} (357) --> eduroam (357) &Called-Station-SSID := eduroam (357) EXPAND %{Called-Station-Id}:%{8} (357) --> 60-B9-C0-04-C4-40:eduroam (357) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (357) } # update request = noop (357) } # if ("%{8}") = noop (357) [updated] = updated (357) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (357) ... skipping else: Preceding "if" was taken (357) } # policy rewrite_called_station_id = updated (357) policy rewrite_calling_station_id { (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (357) update request { (357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (357) --> 22-E0-73-F2-50-23 (357) &Calling-Station-Id := 22-E0-73-F2-50-23 (357) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (357) --> 22:E0:73:F2:50:23 (357) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (357) } # update request = noop (357) [updated] = updated (357) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (357) ... skipping else: Preceding "if" was taken (357) } # policy rewrite_calling_station_id = updated (357) if (NAS-Identifier == "uvisrz0215.insel.ch") { (357) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (357) if (Service-Type == Call-Check) { (357) if (Service-Type == Call-Check) -> FALSE (357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (357) EXPAND Packet-Src-IP-Address (357) --> 130.92.42.15 (357) EXPAND Packet-Src-IP-Address (357) --> 130.92.42.15 (357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (357) if (EAP-Message) { (357) if (EAP-Message) -> TRUE (357) if (EAP-Message) { (357) policy filter_username { (357) if (&User-Name) { (357) if (&User-Name) -> TRUE (357) if (&User-Name) { (357) if (&User-Name =~ / /) { (357) if (&User-Name =~ / /) -> FALSE (357) if (&User-Name =~ /@[^@]*@/ ) { (357) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (357) if (&User-Name =~ /\.\./ ) { (357) if (&User-Name =~ /\.\./ ) -> FALSE (357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (357) if (&User-Name =~ /\.$/) { (357) if (&User-Name =~ /\.$/) -> FALSE (357) if (&User-Name =~ /@\./) { (357) if (&User-Name =~ /@\./) -> FALSE (357) } # if (&User-Name) = updated (357) } # policy filter_username = updated (357) suffix: Checking for suffix after "@" (357) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (357) suffix: Found realm "REALM.COM" (357) suffix: Adding Realm = "REALM.COM" (357) suffix: Authentication realm is LOCAL (357) [suffix] = ok (357) policy deny_no_realm { (357) if (User-Name && (User-Name !~ /@/)) { (357) if (User-Name && (User-Name !~ /@/)) -> FALSE (357) } # policy deny_no_realm = updated (357) update request { (357) EXPAND %{toupper:%{Realm}} (357) --> REALM.COM (357) Realm := REALM.COM (357) } # update request = noop (357) eap: Peer sent EAP Response (code 2) ID 7 length 136 (357) eap: Continuing tunnel setup (357) [eap] = ok (357) } # if (EAP-Message) = ok (357) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (357) } # authorize = updated (357) Found Auth-Type = eap (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) Auth-Type eap { (357) eap: Removing EAP session with state 0xceec9f67cbeb86c2 (357) eap: Previous EAP request found for state 0xceec9f67cbeb86c2, released from the list (357) eap: Peer sent packet with method EAP PEAP (25) (357) eap: Calling submodule eap_peap to process data (357) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (357) eap_peap: (TLS) EAP Got all data (126 bytes) (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (357) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (357) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (357) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (357) eap_peap: (TLS) PEAP - Connection Established (357) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) eap_peap: TLS-Session-Version = "TLS 1.2" (357) eap: Sending EAP Request (code 1) ID 8 length 57 (357) eap: EAP session adding &reply:State = 0xceec9f67c8e486c2 (357) [eap] = handled (357) if (handled && (Response-Packet-Type == Access-Challenge)) { (357) EXPAND Response-Packet-Type (357) --> Access-Challenge (357) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (357) if (handled && (Response-Packet-Type == Access-Challenge)) { (357) attr_filter.access_challenge: EXPAND %{User-Name} (357) attr_filter.access_challenge: --> xyz@realm.com (357) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (357) [attr_filter.access_challenge.post-auth] = updated (357) [handled] = handled (357) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (357) } # Auth-Type eap = handled (357) Using Post-Auth-Type Challenge (357) Post-Auth-Type sub-section not found. Ignoring. (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) session-state: Saving cached attributes (357) Framed-MTU = 1014 (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) TLS-Session-Version = "TLS 1.2" (357) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115 (357) EAP-Message = 0x010800391900140303000101160303002873e2e1347334f5dd971479d4d9917d655bb89c8eb3ccb1feaff891be79433e47510170e89cd75911 (357) Message-Authenticator = 0x00000000000000000000000000000000 (357) State = 0xceec9f67c8e486c299469da09cee92a1 (357) Finished request Waking up in 3.8 seconds. (358) Received Access-Request Id 79 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (358) User-Name = "xyz@realm.com" (358) Service-Type = Framed-User (358) Cisco-AVPair = "service-type=Framed" (358) Framed-MTU = 1485 (358) EAP-Message = 0x020800061900 (358) Message-Authenticator = 0xc637f3644e15e782c86c9fe11b23d1a0 (358) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (358) Cisco-AVPair = "method=dot1x" (358) Cisco-AVPair = "client-iif-id=201332865" (358) Cisco-AVPair = "vlan-id=1876" (358) NAS-IP-Address = 130.92.42.15 (358) NAS-Port-Type = Wireless-802.11 (358) NAS-Port = 4211 (358) State = 0xceec9f67c8e486c299469da09cee92a1 (358) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (358) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (358) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (358) Calling-Station-Id = "22-e0-73-f2-50-23" (358) Airespace-Wlan-Id = 98 (358) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (358) WLAN-Group-Cipher = 1027076 (358) WLAN-Pairwise-Cipher = 1027076 (358) WLAN-AKM-Suite = 1027075 (358) Restoring &session-state (358) &session-state:Framed-MTU = 1014 (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) &session-state:TLS-Session-Version = "TLS 1.2" (358) # Executing section authorize from file /etc/freeradius/sites-enabled/default (358) authorize { (358) policy rewrite_called_station_id { (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (358) update request { (358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (358) --> 60-B9-C0-04-C4-40 (358) &Called-Station-Id := 60-B9-C0-04-C4-40 (358) } # update request = noop (358) if ("%{8}") { (358) EXPAND %{8} (358) --> eduroam (358) if ("%{8}") -> TRUE (358) if ("%{8}") { (358) update request { (358) EXPAND %{8} (358) --> eduroam (358) &Called-Station-SSID := eduroam (358) EXPAND %{Called-Station-Id}:%{8} (358) --> 60-B9-C0-04-C4-40:eduroam (358) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (358) } # update request = noop (358) } # if ("%{8}") = noop (358) [updated] = updated (358) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (358) ... skipping else: Preceding "if" was taken (358) } # policy rewrite_called_station_id = updated (358) policy rewrite_calling_station_id { (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (358) update request { (358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (358) --> 22-E0-73-F2-50-23 (358) &Calling-Station-Id := 22-E0-73-F2-50-23 (358) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (358) --> 22:E0:73:F2:50:23 (358) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (358) } # update request = noop (358) [updated] = updated (358) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (358) ... skipping else: Preceding "if" was taken (358) } # policy rewrite_calling_station_id = updated (358) if (NAS-Identifier == "uvisrz0215.insel.ch") { (358) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (358) if (Service-Type == Call-Check) { (358) if (Service-Type == Call-Check) -> FALSE (358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (358) EXPAND Packet-Src-IP-Address (358) --> 130.92.42.15 (358) EXPAND Packet-Src-IP-Address (358) --> 130.92.42.15 (358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (358) if (EAP-Message) { (358) if (EAP-Message) -> TRUE (358) if (EAP-Message) { (358) policy filter_username { (358) if (&User-Name) { (358) if (&User-Name) -> TRUE (358) if (&User-Name) { (358) if (&User-Name =~ / /) { (358) if (&User-Name =~ / /) -> FALSE (358) if (&User-Name =~ /@[^@]*@/ ) { (358) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (358) if (&User-Name =~ /\.\./ ) { (358) if (&User-Name =~ /\.\./ ) -> FALSE (358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (358) if (&User-Name =~ /\.$/) { (358) if (&User-Name =~ /\.$/) -> FALSE (358) if (&User-Name =~ /@\./) { (358) if (&User-Name =~ /@\./) -> FALSE (358) } # if (&User-Name) = updated (358) } # policy filter_username = updated (358) suffix: Checking for suffix after "@" (358) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (358) suffix: Found realm "REALM.COM" (358) suffix: Adding Realm = "REALM.COM" (358) suffix: Authentication realm is LOCAL (358) [suffix] = ok (358) policy deny_no_realm { (358) if (User-Name && (User-Name !~ /@/)) { (358) if (User-Name && (User-Name !~ /@/)) -> FALSE (358) } # policy deny_no_realm = updated (358) update request { (358) EXPAND %{toupper:%{Realm}} (358) --> REALM.COM (358) Realm := REALM.COM (358) } # update request = noop (358) eap: Peer sent EAP Response (code 2) ID 8 length 6 (358) eap: Continuing tunnel setup (358) [eap] = ok (358) } # if (EAP-Message) = ok (358) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (358) } # authorize = updated (358) Found Auth-Type = eap (358) # Executing group from file /etc/freeradius/sites-enabled/default (358) Auth-Type eap { (358) eap: Removing EAP session with state 0xceec9f67c8e486c2 (358) eap: Previous EAP request found for state 0xceec9f67c8e486c2, released from the list (358) eap: Peer sent packet with method EAP PEAP (25) (358) eap: Calling submodule eap_peap to process data (358) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (358) eap_peap: Session established. Decoding tunneled attributes (358) eap_peap: PEAP state TUNNEL ESTABLISHED (358) eap: Sending EAP Request (code 1) ID 9 length 40 (358) eap: EAP session adding &reply:State = 0xceec9f67c9e586c2 (358) [eap] = handled (358) if (handled && (Response-Packet-Type == Access-Challenge)) { (358) EXPAND Response-Packet-Type (358) --> Access-Challenge (358) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (358) if (handled && (Response-Packet-Type == Access-Challenge)) { (358) attr_filter.access_challenge: EXPAND %{User-Name} (358) attr_filter.access_challenge: --> xyz@realm.com (358) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (358) [attr_filter.access_challenge.post-auth] = updated (358) [handled] = handled (358) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (358) } # Auth-Type eap = handled (358) Using Post-Auth-Type Challenge (358) Post-Auth-Type sub-section not found. Ignoring. (358) # Executing group from file /etc/freeradius/sites-enabled/default (358) session-state: Saving cached attributes (358) Framed-MTU = 1014 (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (358) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) TLS-Session-Version = "TLS 1.2" (358) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98 (358) EAP-Message = 0x010900281900170303001d73e2e1347334f5dee8b4d42eb4a6ac1f21e84645180ec145b6e6f3c747 (358) Message-Authenticator = 0x00000000000000000000000000000000 (358) State = 0xceec9f67c9e586c299469da09cee92a1 (358) Finished request Waking up in 3.8 seconds. (359) Received Access-Request Id 87 from 130.92.42.15:60533 to 130.92.10.33:1812 length 494 (359) User-Name = "xyz@realm.com" (359) Service-Type = Framed-User (359) Cisco-AVPair = "service-type=Framed" (359) Framed-MTU = 1485 (359) EAP-Message = 0x0209003c19001703030031d818ac38e0820955dfa6371a6b6a589774c9c0627ebd45e6682397c1e3b42b5dc37c9c55586bc468386d5729515b62a634 (359) Message-Authenticator = 0x0b1308903782a64609d4283693fee522 (359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) Cisco-AVPair = "method=dot1x" (359) Cisco-AVPair = "client-iif-id=201332865" (359) Cisco-AVPair = "vlan-id=1876" (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) NAS-Port = 4211 (359) State = 0xceec9f67c9e586c299469da09cee92a1 (359) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (359) Calling-Station-Id = "22-e0-73-f2-50-23" (359) Airespace-Wlan-Id = 98 (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) WLAN-Group-Cipher = 1027076 (359) WLAN-Pairwise-Cipher = 1027076 (359) WLAN-AKM-Suite = 1027075 (359) Restoring &session-state (359) &session-state:Framed-MTU = 1014 (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (359) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (359) &session-state:TLS-Session-Version = "TLS 1.2" (359) # Executing section authorize from file /etc/freeradius/sites-enabled/default (359) authorize { (359) policy rewrite_called_station_id { (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (359) update request { (359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (359) --> 60-B9-C0-04-C4-40 (359) &Called-Station-Id := 60-B9-C0-04-C4-40 (359) } # update request = noop (359) if ("%{8}") { (359) EXPAND %{8} (359) --> eduroam (359) if ("%{8}") -> TRUE (359) if ("%{8}") { (359) update request { (359) EXPAND %{8} (359) --> eduroam (359) &Called-Station-SSID := eduroam (359) EXPAND %{Called-Station-Id}:%{8} (359) --> 60-B9-C0-04-C4-40:eduroam (359) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (359) } # update request = noop (359) } # if ("%{8}") = noop (359) [updated] = updated (359) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (359) ... skipping else: Preceding "if" was taken (359) } # policy rewrite_called_station_id = updated (359) policy rewrite_calling_station_id { (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (359) update request { (359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (359) --> 22-E0-73-F2-50-23 (359) &Calling-Station-Id := 22-E0-73-F2-50-23 (359) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (359) --> 22:E0:73:F2:50:23 (359) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (359) } # update request = noop (359) [updated] = updated (359) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (359) ... skipping else: Preceding "if" was taken (359) } # policy rewrite_calling_station_id = updated (359) if (NAS-Identifier == "uvisrz0215.insel.ch") { (359) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (359) if (Service-Type == Call-Check) { (359) if (Service-Type == Call-Check) -> FALSE (359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (359) EXPAND Packet-Src-IP-Address (359) --> 130.92.42.15 (359) EXPAND Packet-Src-IP-Address (359) --> 130.92.42.15 (359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (359) if (EAP-Message) { (359) if (EAP-Message) -> TRUE (359) if (EAP-Message) { (359) policy filter_username { (359) if (&User-Name) { (359) if (&User-Name) -> TRUE (359) if (&User-Name) { (359) if (&User-Name =~ / /) { (359) if (&User-Name =~ / /) -> FALSE (359) if (&User-Name =~ /@[^@]*@/ ) { (359) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (359) if (&User-Name =~ /\.\./ ) { (359) if (&User-Name =~ /\.\./ ) -> FALSE (359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (359) if (&User-Name =~ /\.$/) { (359) if (&User-Name =~ /\.$/) -> FALSE (359) if (&User-Name =~ /@\./) { (359) if (&User-Name =~ /@\./) -> FALSE (359) } # if (&User-Name) = updated (359) } # policy filter_username = updated (359) suffix: Checking for suffix after "@" (359) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (359) suffix: Found realm "REALM.COM" (359) suffix: Adding Realm = "REALM.COM" (359) suffix: Authentication realm is LOCAL (359) [suffix] = ok (359) policy deny_no_realm { (359) if (User-Name && (User-Name !~ /@/)) { (359) if (User-Name && (User-Name !~ /@/)) -> FALSE (359) } # policy deny_no_realm = updated (359) update request { (359) EXPAND %{toupper:%{Realm}} (359) --> REALM.COM (359) Realm := REALM.COM (359) } # update request = noop (359) eap: Peer sent EAP Response (code 2) ID 9 length 60 (359) eap: Continuing tunnel setup (359) [eap] = ok (359) } # if (EAP-Message) = ok (359) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (359) } # authorize = updated (359) Found Auth-Type = eap (359) # Executing group from file /etc/freeradius/sites-enabled/default (359) Auth-Type eap { (359) eap: Removing EAP session with state 0xceec9f67c9e586c2 (359) eap: Previous EAP request found for state 0xceec9f67c9e586c2, released from the list (359) eap: Peer sent packet with method EAP PEAP (25) (359) eap: Calling submodule eap_peap to process data (359) eap_peap: (TLS) EAP Done initial handshake (359) eap_peap: Session established. Decoding tunneled attributes (359) eap_peap: PEAP state WAITING FOR INNER IDENTITY (359) eap_peap: Identity - xyz@realm.com (359) eap_peap: Got inner identity 'xyz@realm.com' (359) eap_peap: Setting default EAP type for tunneled EAP session (359) eap_peap: Got tunneled request (359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) eap_peap: Setting User-Name to xyz@realm.com (359) eap_peap: Sending tunneled request to proxy-inner-tunnel (359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (359) eap_peap: User-Name = "xyz@realm.com" (359) eap_peap: Service-Type = Framed-User (359) eap_peap: Cisco-AVPair = "service-type=Framed" (359) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) eap_peap: Cisco-AVPair = "method=dot1x" (359) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (359) eap_peap: Cisco-AVPair = "vlan-id=1876" (359) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) eap_peap: Framed-MTU = 1485 (359) eap_peap: NAS-IP-Address = 130.92.42.15 (359) eap_peap: NAS-Port-Type = Wireless-802.11 (359) eap_peap: NAS-Port = 4211 (359) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (359) eap_peap: Airespace-Wlan-Id = 98 (359) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) eap_peap: WLAN-Group-Cipher = 1027076 (359) eap_peap: WLAN-Pairwise-Cipher = 1027076 (359) eap_peap: WLAN-AKM-Suite = 1027075 (359) Virtual server proxy-inner-tunnel received request (359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) FreeRADIUS-Proxied-To = 127.0.0.1 (359) User-Name = "xyz@realm.com" (359) Service-Type = Framed-User (359) Cisco-AVPair = "service-type=Framed" (359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) Cisco-AVPair = "method=dot1x" (359) Cisco-AVPair = "client-iif-id=201332865" (359) Cisco-AVPair = "vlan-id=1876" (359) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) Framed-MTU = 1485 (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) NAS-Port = 4211 (359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) Calling-Station-Id := "22-E0-73-F2-50-23" (359) Airespace-Wlan-Id = 98 (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) WLAN-Group-Cipher = 1027076 (359) WLAN-Pairwise-Cipher = 1027076 (359) WLAN-AKM-Suite = 1027075 (359) WARNING: Outer and inner identities are the same. User privacy is compromised. (359) server proxy-inner-tunnel { (359) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (359) authorize { (359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (359) if (!NAS-Port-Type){ (359) if (!NAS-Port-Type) -> FALSE (359) update control { (359) &Proxy-To-Realm := REALM-NPS-DEV (359) } # update control = noop (359) } # authorize = noop (359) } # server proxy-inner-tunnel (359) Virtual server sending reply (359) eap_peap: Got tunneled reply code 0 (359) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (359) eap: WARNING: Tunneled session will be proxied. Not doing EAP (359) [eap] = handled (359) if (handled && (Response-Packet-Type == Access-Challenge)) { (359) EXPAND Response-Packet-Type (359) --> (359) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (359) } # Auth-Type eap = handled (359) Starting proxy to home server 130.92.14.27 port 1812 (359) server default { (359) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (359) pre-proxy { (359) attr_filter.pre-proxy: EXPAND %{Realm} (359) attr_filter.pre-proxy: --> REALM.COM (359) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (359) [attr_filter.pre-proxy] = updated (359) } # pre-proxy = updated (359) } (359) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (359) Sent Access-Request Id 103 from 0.0.0.0:37193 to 130.92.14.27:1812 length 195 (359) Operator-Name := "1realm.com" (359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) User-Name = "xyz@realm.com" (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) Calling-Station-Id := "22-E0-73-F2-50-23" (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) Message-Authenticator = 0x (359) Proxy-State = 0x3837 Waking up in 0.3 seconds. (359) Clearing existing &reply: attributes (359) Received Access-Challenge Id 103 from 130.92.14.27:1812 to 130.92.10.33:37193 length 127 (359) Proxy-State = 0x3837 (359) Session-Timeout = 60 (359) EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632 (359) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (359) Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b (359) server default { (359) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (359) post-proxy { (359) attr_filter.post-proxy: EXPAND %{Realm} (359) attr_filter.post-proxy: --> REALM.COM (359) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (359) [attr_filter.post-proxy] = updated (359) eap: Doing post-proxy callback (359) eap: Passing reply from proxy back into the tunnel (359) eap: Got tunneled reply RADIUS code 11 (359) eap: Tunnel-Type := VLAN (359) eap: Tunnel-Medium-Type := IEEE-802 (359) eap: Proxy-State = 0x3837 (359) eap: EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632 (359) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (359) eap: Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b (359) eap: Got tunneled Access-Challenge (359) eap: Reply was handled (359) eap: Sending EAP Request (code 1) ID 10 length 70 (359) eap: EAP session adding &reply:State = 0xceec9f67c6e686c2 (359) [eap] = ok (359) } # post-proxy = updated (359) } (359) session-state: Saving cached attributes (359) Framed-MTU = 1014 (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (359) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (359) TLS-Session-Version = "TLS 1.2" (359) Using Post-Auth-Type Challenge (359) Post-Auth-Type sub-section not found. Ignoring. (359) # Executing group from file /etc/freeradius/sites-enabled/default (359) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128 (359) EAP-Message = 0x010a00461900170303003b73e2e1347334f5df1334975397eb27f2ea72218216b601e30cf6534633cacf5a4f96d474e4bffc863fe12f3e090719d63005d2a90bc4c033687695 (359) Message-Authenticator = 0x00000000000000000000000000000000 (359) State = 0xceec9f67c6e686c299469da09cee92a1 (359) Finished request Waking up in 3.8 seconds. (360) Received Access-Request Id 95 from 130.92.42.15:60533 to 130.92.10.33:1812 length 548 (360) User-Name = "xyz@realm.com" (360) Service-Type = Framed-User (360) Cisco-AVPair = "service-type=Framed" (360) Framed-MTU = 1485 (360) EAP-Message = 0x020a007219001703030067d818ac38e0820956a55dbc84dc8dbff396eccf45bb84d17cc4414d36aa58a10bfade9f10e4c8549941c34c865f02def6b2a999172f24205fd30a5703670a8fe6fc25539a682f648d3b9335e448383a088e0a335073a2f1eaa5928e025acc5025caa3e63b446141 (360) Message-Authenticator = 0x5d740b470e2d200c7136d0498c3882b5 (360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) Cisco-AVPair = "method=dot1x" (360) Cisco-AVPair = "client-iif-id=201332865" (360) Cisco-AVPair = "vlan-id=1876" (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) NAS-Port = 4211 (360) State = 0xceec9f67c6e686c299469da09cee92a1 (360) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (360) Calling-Station-Id = "22-e0-73-f2-50-23" (360) Airespace-Wlan-Id = 98 (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) WLAN-Group-Cipher = 1027076 (360) WLAN-Pairwise-Cipher = 1027076 (360) WLAN-AKM-Suite = 1027075 (360) session-state: No cached attributes (360) # Executing section authorize from file /etc/freeradius/sites-enabled/default (360) authorize { (360) policy rewrite_called_station_id { (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (360) update request { (360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (360) --> 60-B9-C0-04-C4-40 (360) &Called-Station-Id := 60-B9-C0-04-C4-40 (360) } # update request = noop (360) if ("%{8}") { (360) EXPAND %{8} (360) --> eduroam (360) if ("%{8}") -> TRUE (360) if ("%{8}") { (360) update request { (360) EXPAND %{8} (360) --> eduroam (360) &Called-Station-SSID := eduroam (360) EXPAND %{Called-Station-Id}:%{8} (360) --> 60-B9-C0-04-C4-40:eduroam (360) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (360) } # update request = noop (360) } # if ("%{8}") = noop (360) [updated] = updated (360) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (360) ... skipping else: Preceding "if" was taken (360) } # policy rewrite_called_station_id = updated (360) policy rewrite_calling_station_id { (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (360) update request { (360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (360) --> 22-E0-73-F2-50-23 (360) &Calling-Station-Id := 22-E0-73-F2-50-23 (360) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (360) --> 22:E0:73:F2:50:23 (360) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (360) } # update request = noop (360) [updated] = updated (360) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (360) ... skipping else: Preceding "if" was taken (360) } # policy rewrite_calling_station_id = updated (360) if (NAS-Identifier == "uvisrz0215.insel.ch") { (360) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (360) if (Service-Type == Call-Check) { (360) if (Service-Type == Call-Check) -> FALSE (360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (360) EXPAND Packet-Src-IP-Address (360) --> 130.92.42.15 (360) EXPAND Packet-Src-IP-Address (360) --> 130.92.42.15 (360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (360) if (EAP-Message) { (360) if (EAP-Message) -> TRUE (360) if (EAP-Message) { (360) policy filter_username { (360) if (&User-Name) { (360) if (&User-Name) -> TRUE (360) if (&User-Name) { (360) if (&User-Name =~ / /) { (360) if (&User-Name =~ / /) -> FALSE (360) if (&User-Name =~ /@[^@]*@/ ) { (360) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (360) if (&User-Name =~ /\.\./ ) { (360) if (&User-Name =~ /\.\./ ) -> FALSE (360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (360) if (&User-Name =~ /\.$/) { (360) if (&User-Name =~ /\.$/) -> FALSE (360) if (&User-Name =~ /@\./) { (360) if (&User-Name =~ /@\./) -> FALSE (360) } # if (&User-Name) = updated (360) } # policy filter_username = updated (360) suffix: Checking for suffix after "@" (360) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (360) suffix: Found realm "REALM.COM" (360) suffix: Adding Realm = "REALM.COM" (360) suffix: Authentication realm is LOCAL (360) [suffix] = ok (360) policy deny_no_realm { (360) if (User-Name && (User-Name !~ /@/)) { (360) if (User-Name && (User-Name !~ /@/)) -> FALSE (360) } # policy deny_no_realm = updated (360) update request { (360) EXPAND %{toupper:%{Realm}} (360) --> REALM.COM (360) Realm := REALM.COM (360) } # update request = noop (360) eap: Peer sent EAP Response (code 2) ID 10 length 114 (360) eap: Continuing tunnel setup (360) [eap] = ok (360) } # if (EAP-Message) = ok (360) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (360) } # authorize = updated (360) Found Auth-Type = eap (360) # Executing group from file /etc/freeradius/sites-enabled/default (360) Auth-Type eap { (360) eap: Removing EAP session with state 0xceec9f67c6e686c2 (360) eap: Previous EAP request found for state 0xceec9f67c6e686c2, released from the list (360) eap: Peer sent packet with method EAP PEAP (25) (360) eap: Calling submodule eap_peap to process data (360) eap_peap: (TLS) EAP Done initial handshake (360) eap_peap: Session established. Decoding tunneled attributes (360) eap_peap: PEAP state phase2 (360) eap_peap: EAP method MSCHAPv2 (26) (360) eap_peap: Got tunneled request (360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) eap_peap: Setting User-Name to xyz@realm.com (360) eap_peap: Sending tunneled request to proxy-inner-tunnel (360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (360) eap_peap: User-Name = "xyz@realm.com" (360) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) eap_peap: Service-Type = Framed-User (360) eap_peap: Cisco-AVPair = "service-type=Framed" (360) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) eap_peap: Cisco-AVPair = "method=dot1x" (360) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (360) eap_peap: Cisco-AVPair = "vlan-id=1876" (360) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) eap_peap: Framed-MTU = 1485 (360) eap_peap: NAS-IP-Address = 130.92.42.15 (360) eap_peap: NAS-Port-Type = Wireless-802.11 (360) eap_peap: NAS-Port = 4211 (360) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (360) eap_peap: Airespace-Wlan-Id = 98 (360) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) eap_peap: WLAN-Group-Cipher = 1027076 (360) eap_peap: WLAN-Pairwise-Cipher = 1027076 (360) eap_peap: WLAN-AKM-Suite = 1027075 (360) Virtual server proxy-inner-tunnel received request (360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) FreeRADIUS-Proxied-To = 127.0.0.1 (360) User-Name = "xyz@realm.com" (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) Service-Type = Framed-User (360) Cisco-AVPair = "service-type=Framed" (360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) Cisco-AVPair = "method=dot1x" (360) Cisco-AVPair = "client-iif-id=201332865" (360) Cisco-AVPair = "vlan-id=1876" (360) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) Framed-MTU = 1485 (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) NAS-Port = 4211 (360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) Calling-Station-Id := "22-E0-73-F2-50-23" (360) Airespace-Wlan-Id = 98 (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) WLAN-Group-Cipher = 1027076 (360) WLAN-Pairwise-Cipher = 1027076 (360) WLAN-AKM-Suite = 1027075 (360) WARNING: Outer and inner identities are the same. User privacy is compromised. (360) server proxy-inner-tunnel { (360) session-state: No cached attributes (360) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (360) authorize { (360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (360) if (!NAS-Port-Type){ (360) if (!NAS-Port-Type) -> FALSE (360) update control { (360) &Proxy-To-Realm := REALM-NPS-DEV (360) } # update control = noop (360) } # authorize = noop (360) } # server proxy-inner-tunnel (360) Virtual server sending reply (360) eap_peap: Got tunneled reply code 0 (360) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (360) eap: WARNING: Tunneled session will be proxied. Not doing EAP (360) [eap] = handled (360) if (handled && (Response-Packet-Type == Access-Challenge)) { (360) EXPAND Response-Packet-Type (360) --> (360) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (360) } # Auth-Type eap = handled (360) Starting proxy to home server 130.92.14.27 port 1812 (360) server default { (360) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (360) pre-proxy { (360) attr_filter.pre-proxy: EXPAND %{Realm} (360) attr_filter.pre-proxy: --> REALM.COM (360) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (360) [attr_filter.pre-proxy] = updated (360) } # pre-proxy = updated (360) } (360) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (360) Sent Access-Request Id 104 from 0.0.0.0:37193 to 130.92.14.27:1812 length 287 (360) Operator-Name := "1realm.com" (360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) User-Name = "xyz@realm.com" (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) Calling-Station-Id := "22-E0-73-F2-50-23" (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) Message-Authenticator = 0x (360) Proxy-State = 0x3935 Waking up in 0.3 seconds. (360) Clearing existing &reply: attributes (360) Received Access-Challenge Id 104 from 130.92.14.27:1812 to 130.92.10.33:37193 length 139 (360) Proxy-State = 0x3935 (360) Session-Timeout = 60 (360) EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728 (360) server default { (360) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (360) post-proxy { (360) attr_filter.post-proxy: EXPAND %{Realm} (360) attr_filter.post-proxy: --> REALM.COM (360) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (360) [attr_filter.post-proxy] = updated (360) eap: Doing post-proxy callback (360) eap: Passing reply from proxy back into the tunnel (360) eap: Got tunneled reply RADIUS code 11 (360) eap: Tunnel-Type := VLAN (360) eap: Tunnel-Medium-Type := IEEE-802 (360) eap: Proxy-State = 0x3935 (360) eap: EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (360) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) eap: Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728 (360) eap: Got tunneled Access-Challenge (360) eap: Reply was handled (360) eap: Sending EAP Request (code 1) ID 11 length 82 (360) eap: EAP session adding &reply:State = 0xceec9f67c7e786c2 (360) [eap] = ok (360) } # post-proxy = updated (360) } (360) Using Post-Auth-Type Challenge (360) Post-Auth-Type sub-section not found. Ignoring. (360) # Executing group from file /etc/freeradius/sites-enabled/default (360) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140 (360) EAP-Message = 0x010b00521900170303004773e2e1347334f5e09bc24daa64eee9138e1f2e55345df04bbcd5dd711c6c333de68f50de7d780d87c6d6336c23586f6b0fd197b261dd6213360e814416f8f2b07957dcacdce9c6 (360) Message-Authenticator = 0x00000000000000000000000000000000 (360) State = 0xceec9f67c7e786c299469da09cee92a1 (360) Finished request Waking up in 3.8 seconds. (361) Received Access-Request Id 103 from 130.92.42.15:60533 to 130.92.10.33:1812 length 471 (361) User-Name = "xyz@realm.com" (361) Service-Type = Framed-User (361) Cisco-AVPair = "service-type=Framed" (361) Framed-MTU = 1485 (361) EAP-Message = 0x020b00251900170303001ad818ac38e082095774adfff902d724d0af5865cbe4c9b8c4b279 (361) Message-Authenticator = 0x2b9af5a6d3cafcc76039c652203d8380 (361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) Cisco-AVPair = "method=dot1x" (361) Cisco-AVPair = "client-iif-id=201332865" (361) Cisco-AVPair = "vlan-id=1876" (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) NAS-Port = 4211 (361) State = 0xceec9f67c7e786c299469da09cee92a1 (361) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (361) Calling-Station-Id = "22-e0-73-f2-50-23" (361) Airespace-Wlan-Id = 98 (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) WLAN-Group-Cipher = 1027076 (361) WLAN-Pairwise-Cipher = 1027076 (361) WLAN-AKM-Suite = 1027075 (361) session-state: No cached attributes (361) # Executing section authorize from file /etc/freeradius/sites-enabled/default (361) authorize { (361) policy rewrite_called_station_id { (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (361) update request { (361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (361) --> 60-B9-C0-04-C4-40 (361) &Called-Station-Id := 60-B9-C0-04-C4-40 (361) } # update request = noop (361) if ("%{8}") { (361) EXPAND %{8} (361) --> eduroam (361) if ("%{8}") -> TRUE (361) if ("%{8}") { (361) update request { (361) EXPAND %{8} (361) --> eduroam (361) &Called-Station-SSID := eduroam (361) EXPAND %{Called-Station-Id}:%{8} (361) --> 60-B9-C0-04-C4-40:eduroam (361) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (361) } # update request = noop (361) } # if ("%{8}") = noop (361) [updated] = updated (361) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (361) ... skipping else: Preceding "if" was taken (361) } # policy rewrite_called_station_id = updated (361) policy rewrite_calling_station_id { (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (361) update request { (361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (361) --> 22-E0-73-F2-50-23 (361) &Calling-Station-Id := 22-E0-73-F2-50-23 (361) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (361) --> 22:E0:73:F2:50:23 (361) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (361) } # update request = noop (361) [updated] = updated (361) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (361) ... skipping else: Preceding "if" was taken (361) } # policy rewrite_calling_station_id = updated (361) if (NAS-Identifier == "uvisrz0215.insel.ch") { (361) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (361) if (Service-Type == Call-Check) { (361) if (Service-Type == Call-Check) -> FALSE (361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (361) EXPAND Packet-Src-IP-Address (361) --> 130.92.42.15 (361) EXPAND Packet-Src-IP-Address (361) --> 130.92.42.15 (361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (361) if (EAP-Message) { (361) if (EAP-Message) -> TRUE (361) if (EAP-Message) { (361) policy filter_username { (361) if (&User-Name) { (361) if (&User-Name) -> TRUE (361) if (&User-Name) { (361) if (&User-Name =~ / /) { (361) if (&User-Name =~ / /) -> FALSE (361) if (&User-Name =~ /@[^@]*@/ ) { (361) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (361) if (&User-Name =~ /\.\./ ) { (361) if (&User-Name =~ /\.\./ ) -> FALSE (361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (361) if (&User-Name =~ /\.$/) { (361) if (&User-Name =~ /\.$/) -> FALSE (361) if (&User-Name =~ /@\./) { (361) if (&User-Name =~ /@\./) -> FALSE (361) } # if (&User-Name) = updated (361) } # policy filter_username = updated (361) suffix: Checking for suffix after "@" (361) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (361) suffix: Found realm "REALM.COM" (361) suffix: Adding Realm = "REALM.COM" (361) suffix: Authentication realm is LOCAL (361) [suffix] = ok (361) policy deny_no_realm { (361) if (User-Name && (User-Name !~ /@/)) { (361) if (User-Name && (User-Name !~ /@/)) -> FALSE (361) } # policy deny_no_realm = updated (361) update request { (361) EXPAND %{toupper:%{Realm}} (361) --> REALM.COM (361) Realm := REALM.COM (361) } # update request = noop (361) eap: Peer sent EAP Response (code 2) ID 11 length 37 (361) eap: Continuing tunnel setup (361) [eap] = ok (361) } # if (EAP-Message) = ok (361) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (361) } # authorize = updated (361) Found Auth-Type = eap (361) # Executing group from file /etc/freeradius/sites-enabled/default (361) Auth-Type eap { (361) eap: Removing EAP session with state 0xceec9f67c7e786c2 (361) eap: Previous EAP request found for state 0xceec9f67c7e786c2, released from the list (361) eap: Peer sent packet with method EAP PEAP (25) (361) eap: Calling submodule eap_peap to process data (361) eap_peap: (TLS) EAP Done initial handshake (361) eap_peap: Session established. Decoding tunneled attributes (361) eap_peap: PEAP state phase2 (361) eap_peap: EAP method MSCHAPv2 (26) (361) eap_peap: Got tunneled request (361) eap_peap: EAP-Message = 0x020b00061a03 (361) eap_peap: Setting User-Name to xyz@realm.com (361) eap_peap: Sending tunneled request to proxy-inner-tunnel (361) eap_peap: EAP-Message = 0x020b00061a03 (361) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (361) eap_peap: User-Name = "xyz@realm.com" (361) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) eap_peap: Service-Type = Framed-User (361) eap_peap: Cisco-AVPair = "service-type=Framed" (361) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) eap_peap: Cisco-AVPair = "method=dot1x" (361) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (361) eap_peap: Cisco-AVPair = "vlan-id=1876" (361) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) eap_peap: Framed-MTU = 1485 (361) eap_peap: NAS-IP-Address = 130.92.42.15 (361) eap_peap: NAS-Port-Type = Wireless-802.11 (361) eap_peap: NAS-Port = 4211 (361) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (361) eap_peap: Airespace-Wlan-Id = 98 (361) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) eap_peap: WLAN-Group-Cipher = 1027076 (361) eap_peap: WLAN-Pairwise-Cipher = 1027076 (361) eap_peap: WLAN-AKM-Suite = 1027075 (361) Virtual server proxy-inner-tunnel received request (361) EAP-Message = 0x020b00061a03 (361) FreeRADIUS-Proxied-To = 127.0.0.1 (361) User-Name = "xyz@realm.com" (361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) Service-Type = Framed-User (361) Cisco-AVPair = "service-type=Framed" (361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) Cisco-AVPair = "method=dot1x" (361) Cisco-AVPair = "client-iif-id=201332865" (361) Cisco-AVPair = "vlan-id=1876" (361) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) Framed-MTU = 1485 (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) NAS-Port = 4211 (361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) Calling-Station-Id := "22-E0-73-F2-50-23" (361) Airespace-Wlan-Id = 98 (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) WLAN-Group-Cipher = 1027076 (361) WLAN-Pairwise-Cipher = 1027076 (361) WLAN-AKM-Suite = 1027075 (361) WARNING: Outer and inner identities are the same. User privacy is compromised. (361) server proxy-inner-tunnel { (361) session-state: No cached attributes (361) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (361) authorize { (361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (361) if (!NAS-Port-Type){ (361) if (!NAS-Port-Type) -> FALSE (361) update control { (361) &Proxy-To-Realm := REALM-NPS-DEV (361) } # update control = noop (361) } # authorize = noop (361) } # server proxy-inner-tunnel (361) Virtual server sending reply (361) eap_peap: Got tunneled reply code 0 (361) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (361) eap: WARNING: Tunneled session will be proxied. Not doing EAP (361) [eap] = handled (361) if (handled && (Response-Packet-Type == Access-Challenge)) { (361) EXPAND Response-Packet-Type (361) --> (361) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (361) } # Auth-Type eap = handled (361) Starting proxy to home server 130.92.14.27 port 1812 (361) server default { (361) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (361) pre-proxy { (361) attr_filter.pre-proxy: EXPAND %{Realm} (361) attr_filter.pre-proxy: --> REALM.COM (361) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (361) [attr_filter.pre-proxy] = updated (361) } # pre-proxy = updated (361) } (361) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (361) Sent Access-Request Id 105 from 0.0.0.0:37193 to 130.92.14.27:1812 length 211 (361) Operator-Name := "1realm.com" (361) EAP-Message = 0x020b00061a03 (361) User-Name = "xyz@realm.com" (361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) Calling-Station-Id := "22-E0-73-F2-50-23" (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) Message-Authenticator = 0x (361) Proxy-State = 0x313033 Waking up in 0.3 seconds. (361) Clearing existing &reply: attributes (361) Received Access-Accept Id 105 from 130.92.14.27:1812 to 130.92.10.33:37193 length 289 (361) Proxy-State = 0x313033 (361) Class = 0x7374616666 (361) Filter-Id = "staff" (361) Framed-Protocol = PPP (361) Service-Type = Framed-User (361) Tunnel-Medium-Type:0 = IEEE-802 (361) Tunnel-Private-Group-Id:0 = "1874" (361) Tunnel-Type:0 = VLAN (361) EAP-Message = 0x030b0004 (361) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (361) MS-CHAP-Domain = "\001CAMPUS" (361) MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db (361) MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f (361) MS-CHAP2-Success = 0x01533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (361) Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6 (361) server default { (361) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (361) post-proxy { (361) attr_filter.post-proxy: EXPAND %{Realm} (361) attr_filter.post-proxy: --> REALM.COM (361) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (361) [attr_filter.post-proxy] = updated (361) eap: Doing post-proxy callback (361) eap: Passing reply from proxy back into the tunnel (361) eap: Got tunneled reply RADIUS code 2 (361) eap: Tunnel-Type := VLAN (361) eap: Tunnel-Medium-Type := IEEE-802 (361) eap: Proxy-State = 0x313033 (361) eap: Class = 0x7374616666 (361) eap: Filter-Id = "staff" (361) eap: Tunnel-Private-Group-Id:0 = "1874" (361) eap: EAP-Message = 0x030b0004 (361) eap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (361) eap: MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db (361) eap: MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f (361) eap: Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6 (361) eap: Tunneled authentication was successful (361) eap: SUCCESS (361) eap: Saving tunneled attributes for later (361) eap: Reply was handled (361) eap: Sending EAP Request (code 1) ID 12 length 46 (361) eap: EAP session adding &reply:State = 0xceec9f67c4e086c2 (361) [eap] = ok (361) } # post-proxy = updated (361) } (361) Using Post-Auth-Type Challenge (361) Post-Auth-Type sub-section not found. Ignoring. (361) # Executing group from file /etc/freeradius/sites-enabled/default (361) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104 (361) EAP-Message = 0x010c002e1900170303002373e2e1347334f5e1bba381c4911add30b08c615c0d0362241c25f21eb1ff0cf311aab6 (361) Message-Authenticator = 0x00000000000000000000000000000000 (361) State = 0xceec9f67c4e086c299469da09cee92a1 (361) Finished request Waking up in 3.7 seconds. (362) Received Access-Request Id 111 from 130.92.42.15:60533 to 130.92.10.33:1812 length 480 (362) User-Name = "xyz@realm.com" (362) Service-Type = Framed-User (362) Cisco-AVPair = "service-type=Framed" (362) Framed-MTU = 1485 (362) EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4 (362) Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a (362) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (362) Cisco-AVPair = "method=dot1x" (362) Cisco-AVPair = "client-iif-id=201332865" (362) Cisco-AVPair = "vlan-id=1876" (362) NAS-IP-Address = 130.92.42.15 (362) NAS-Port-Type = Wireless-802.11 (362) NAS-Port = 4211 (362) State = 0xceec9f67c4e086c299469da09cee92a1 (362) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (362) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (362) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (362) Calling-Station-Id = "22-e0-73-f2-50-23" (362) Airespace-Wlan-Id = 98 (362) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (362) WLAN-Group-Cipher = 1027076 (362) WLAN-Pairwise-Cipher = 1027076 (362) WLAN-AKM-Suite = 1027075 (362) session-state: No cached attributes (362) # Executing section authorize from file /etc/freeradius/sites-enabled/default (362) authorize { (362) policy rewrite_called_station_id { (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (362) update request { (362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (362) --> 60-B9-C0-04-C4-40 (362) &Called-Station-Id := 60-B9-C0-04-C4-40 (362) } # update request = noop (362) if ("%{8}") { (362) EXPAND %{8} (362) --> eduroam (362) if ("%{8}") -> TRUE (362) if ("%{8}") { (362) update request { (362) EXPAND %{8} (362) --> eduroam (362) &Called-Station-SSID := eduroam (362) EXPAND %{Called-Station-Id}:%{8} (362) --> 60-B9-C0-04-C4-40:eduroam (362) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (362) } # update request = noop (362) } # if ("%{8}") = noop (362) [updated] = updated (362) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (362) ... skipping else: Preceding "if" was taken (362) } # policy rewrite_called_station_id = updated (362) policy rewrite_calling_station_id { (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (362) update request { (362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (362) --> 22-E0-73-F2-50-23 (362) &Calling-Station-Id := 22-E0-73-F2-50-23 (362) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (362) --> 22:E0:73:F2:50:23 (362) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (362) } # update request = noop (362) [updated] = updated (362) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (362) ... skipping else: Preceding "if" was taken (362) } # policy rewrite_calling_station_id = updated (362) if (NAS-Identifier == "uvisrz0215.insel.ch") { (362) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (362) if (Service-Type == Call-Check) { (362) if (Service-Type == Call-Check) -> FALSE (362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (362) EXPAND Packet-Src-IP-Address (362) --> 130.92.42.15 (362) EXPAND Packet-Src-IP-Address (362) --> 130.92.42.15 (362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (362) if (EAP-Message) { (362) if (EAP-Message) -> TRUE (362) if (EAP-Message) { (362) policy filter_username { (362) if (&User-Name) { (362) if (&User-Name) -> TRUE (362) if (&User-Name) { (362) if (&User-Name =~ / /) { (362) if (&User-Name =~ / /) -> FALSE (362) if (&User-Name =~ /@[^@]*@/ ) { (362) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (362) if (&User-Name =~ /\.\./ ) { (362) if (&User-Name =~ /\.\./ ) -> FALSE (362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (362) if (&User-Name =~ /\.$/) { (362) if (&User-Name =~ /\.$/) -> FALSE (362) if (&User-Name =~ /@\./) { (362) if (&User-Name =~ /@\./) -> FALSE (362) } # if (&User-Name) = updated (362) } # policy filter_username = updated (362) suffix: Checking for suffix after "@" (362) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (362) suffix: Found realm "REALM.COM" (362) suffix: Adding Realm = "REALM.COM" (362) suffix: Authentication realm is LOCAL (362) [suffix] = ok (362) policy deny_no_realm { (362) if (User-Name && (User-Name !~ /@/)) { (362) if (User-Name && (User-Name !~ /@/)) -> FALSE (362) } # policy deny_no_realm = updated (362) update request { (362) EXPAND %{toupper:%{Realm}} (362) --> REALM.COM (362) Realm := REALM.COM (362) } # update request = noop (362) eap: Peer sent EAP Response (code 2) ID 12 length 46 (362) eap: Continuing tunnel setup (362) [eap] = ok (362) } # if (EAP-Message) = ok (362) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (362) } # authorize = updated (362) Found Auth-Type = eap (362) # Executing group from file /etc/freeradius/sites-enabled/default (362) Auth-Type eap { (362) eap: Removing EAP session with state 0xceec9f67c4e086c2 (362) eap: Previous EAP request found for state 0xceec9f67c4e086c2, released from the list (362) eap: Peer sent packet with method EAP PEAP (25) (362) eap: Calling submodule eap_peap to process data (362) eap_peap: (TLS) EAP Done initial handshake (362) eap_peap: Session established. Decoding tunneled attributes (362) eap_peap: PEAP state send tlv success (362) eap_peap: Received EAP-TLV response (362) eap_peap: Success (362) eap_peap: Using saved attributes from the original Access-Accept (362) eap_peap: Tunnel-Type := VLAN (362) eap_peap: Tunnel-Medium-Type := IEEE-802 (362) eap_peap: Class = 0x7374616666 (362) eap_peap: Filter-Id = "staff" (362) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (362) eap_peap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) eap: Sending EAP Success (code 3) ID 12 length 4 (362) eap: Freeing handler (362) [eap] = ok (362) if (handled && (Response-Packet-Type == Access-Challenge)) { (362) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (362) } # Auth-Type eap = ok (362) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (362) post-auth { (362) policy debug_all { (362) policy debug_control { (362) if ("%{debug_attr:control:}" == '') { (362) Attributes matching "control:" (362) &control:Auth-Type = eap (362) EXPAND %{debug_attr:control:} (362) --> (362) if ("%{debug_attr:control:}" == '') -> TRUE (362) if ("%{debug_attr:control:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:control:}" == '') = noop (362) } # policy debug_control = noop (362) policy debug_request { (362) if ("%{debug_attr:request:}" == '') { (362) Attributes matching "request:" (362) &request:User-Name = xyz@realm.com (362) &request:Service-Type = Framed-User (362) &request:Cisco-AVPair = service-type=Framed (362) &request:Framed-MTU = 1485 (362) &request:EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4 (362) &request:Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a (362) &request:Cisco-AVPair = audit-session-id=0F2A5C8200001021C01F69E1 (362) &request:Cisco-AVPair = method=dot1x (362) &request:Cisco-AVPair = client-iif-id=201332865 (362) &request:Cisco-AVPair = vlan-id=1876 (362) &request:NAS-IP-Address = 130.92.42.15 (362) &request:NAS-Port-Type = Wireless-802.11 (362) &request:NAS-Port = 4211 (362) &request:State = 0xceec9f67c4e086c299469da09cee92a1 (362) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam (362) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV (362) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (362) &request:Calling-Station-Id := 22-E0-73-F2-50-23 (362) &request:Airespace-Wlan-Id = 98 (362) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam (362) &request:WLAN-Group-Cipher = 1027076 (362) &request:WLAN-Pairwise-Cipher = 1027076 (362) &request:WLAN-AKM-Suite = 1027075 (362) &request:Called-Station-SSID := eduroam (362) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (362) &request:Realm := REALM.COM (362) &request:EAP-Type = PEAP (362) EXPAND %{debug_attr:request:} (362) --> (362) if ("%{debug_attr:request:}" == '') -> TRUE (362) if ("%{debug_attr:request:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:request:}" == '') = noop (362) } # policy debug_request = noop (362) policy debug_coa { (362) if ("%{debug_attr:coa:}" == '') { (362) Attributes matching "coa:" (362) WARNING: List "coa" is not available (362) EXPAND %{debug_attr:coa:} (362) --> (362) if ("%{debug_attr:coa:}" == '') -> TRUE (362) if ("%{debug_attr:coa:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:coa:}" == '') = noop (362) } # policy debug_coa = noop (362) policy debug_reply { (362) if ("%{debug_attr:reply:}" == '') { (362) Attributes matching "reply:" (362) &reply:Tunnel-Type:-128 := VLAN (362) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (362) &reply:Class = 0x7374616666 (362) &reply:Filter-Id = staff (362) &reply:Tunnel-Private-Group-Id:0 = 1874 (362) &reply:Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) &reply:MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c (362) &reply:MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) &reply:EAP-MSK = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6caf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) &reply:EAP-EMSK = 0xc424a437bf386f3c790b6d4e981ac218f7bb39ecb682c0f7174da275922e64d1ab7db6825d96e096b8875bb8b777543c642771e9f1f4f877593bd2425a7b1a13 (362) &reply:EAP-Session-Id = 0x19675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb597a19642b1ba520223bc61e483ac418e3f44e0800ee85d2526444f574e47524401 (362) &reply:EAP-Message = 0x030c0004 (362) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (362) &reply:User-Name = xyz@realm.com (362) EXPAND %{debug_attr:reply:} (362) --> (362) if ("%{debug_attr:reply:}" == '') -> TRUE (362) if ("%{debug_attr:reply:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:reply:}" == '') = noop (362) } # policy debug_reply = noop (362) policy debug_session_state { (362) if ("%{debug_attr:session-state:}" == '') { (362) Attributes matching "session-state:" (362) EXPAND %{debug_attr:session-state:} (362) --> (362) if ("%{debug_attr:session-state:}" == '') -> TRUE (362) if ("%{debug_attr:session-state:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:session-state:}" == '') = noop (362) } # policy debug_session_state = noop (362) } # policy debug_all = noop (362) update { (362) No attributes updated for RHS &session-state (362) } # update = noop (362) if (Service-Type == Call-Check) { (362) if (Service-Type == Call-Check) -> FALSE (362) else { (362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) (362) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (362) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (362) [802.1x_auth_log] = ok (362) } # else = ok (362) policy remove_reply_message_if_eap { (362) if (&reply:EAP-Message && &reply:Reply-Message) { (362) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (362) else { (362) [noop] = noop (362) } # else = noop (362) } # policy remove_reply_message_if_eap = noop (362) } # post-auth = ok (362) Login OK: [xyz@realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23) (362) Sent Access-Accept Id 111 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264 (362) Tunnel-Type := VLAN (362) Tunnel-Medium-Type := IEEE-802 (362) Class = 0x7374616666 (362) Filter-Id = "staff" (362) Tunnel-Private-Group-Id:0 = "1874" (362) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c (362) MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) EAP-Message = 0x030c0004 (362) Message-Authenticator = 0x00000000000000000000000000000000 (362) User-Name = "xyz@realm.com" (362) Finished request Waking up in 3.7 seconds.
On Dec 13, 2024, at 8:33 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
As suggested, I added „debug_all" in the post-auth section before anything else:
post-auth { debug_all
if (Service-Type == Call-Check) { MAC_auth_log } else { 802.1x_auth_log }
Which shows there's no attribute session-state for packet 362, or for many earlier ones. If you look at the last few lines of the debug output, and see "no TLS-Session-Version", then the suspicion is that the TLS-Session-Version attribute is having issues. If, however, there's nothing in session-state, then the problem is elsewhere. That's why we always need (and read) the full debug log, ... (359) session-state: Saving cached attributes (359) Framed-MTU = 1014 And then in packet 360 and after: (360) WLAN-AKM-Suite = 1027075 (360) session-state: No cached attributes The State attribute in the Access-Challenge reply (packet 359) is the same as in the Access-Request (packet 360). So I'm not sure why it's not finding the saved attributes. I think the issue is that you're proxying to an internal virtual server, and somehow the session-state isn't saved / restored correctly. For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down. Alan DeKok.
Hi Alan Sorry for my late response, but I was not able to get back to this topic earlier:
I think the issue is that you're proxying to an internal virtual server, and somehow the session-state isn't saved / restored correctly.
I am not sure if I get your question right, but our proxy configuration for different realms looks mostly like this (almost emtpy brackets {}): ## Phase 1: outer authentication (needed even if empty: process outer identity) realm NULL { } realm LOCAL { } realm "ABC.ch" { nostrip } realm "XYZ.ch" { nostrip } This is then proxied to the virtual server proxy-inner-tunnel for phase 2. I think this is meant by "proxying to an internal virtual server" in your sense, correct?
For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down.
As stated before, this exact configuration was working with FreeRADIUS 3.0.26, but not anymore since upgrading to 3.2.4. In the meantime we are running 3.2.6 (git #a69627989). For the meantime, we just log w/o the TLS version, but I would appreciate, if you or your team could track it down? Regards Dominic
participants (4)
-
Alan DeKok -
Dominic Stalder -
dominic.stalder@unibe.ch -
Matthew Newton