Accounting Packet not sent
Hi! My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory backend. FreeRadius should then send an accounting packet to a FortiGate firewall where a SSO agent is running. The authentication part is working find, a user can connect to the WiFi. As far as I understood it, I should configure FreeRadius to write a detail file which is then parsed an an accounting package sent to the Fortigate firewall. I configured a realm in proxy.conf: realm Fortigate { accthost = 172.16.1.253 secret = *********** } And I enabled the site "copy-accounting-to-home-server" with the following configuration: server copy-acct-to-home-server { listen { type = detail filename = ${radacctdir}/detail-* load_factor = 10 } preacct { preprocess suffix files update control { Proxy-To-Realm := 'Fortigate' } } accounting { ok } pre-proxy { } post-proxy { } } Reading the detail file seems to work fine, but no accounting package is sent to the FortiGate firewall (I even checked using Wireshark). See a part of the debug-log here: (9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60- E2-B3-96-5C) (9) Sent Access-Accept Id 107 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (9) Class := 0x54657374 (9) MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea (9) MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 (9) EAP-Message = 0x03d10004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name += "fimi" (9) Finished request Waking up in 4.8 seconds. detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Renaming /var/log/radius/radacct/detail-192.168.251.51-20210216 -> /var/log/radius/radacct/detail.work detail (/var/log/radius/radacct/detail-*): Read packet from /var/log/radius/radacct/detail.work Packet-Type = Access-Accept Class = 0x54657374 User-Name = "fimi" MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-MSK = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b 9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-EMSK = 0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be114 12f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36 EAP-Session-Id = 0x19c2bce2a85918a3ba9ea0068fd39acacb8173753f6c2a19ac67249b606157c82923f 2dacd82dc178f0df970ea5031e0e57b82ad5100de437f43b4f8303af37cae EAP-Message = 0x03d10004 Message-Authenticator = 0x00000000000000000000000000000000 Packet-Original-Timestamp = "Feb 16 2021 14:22:24 CET" Packet-Transmit-Counter = 1 Waking up in 4.6 seconds. See full debug-log attached. I would really appreciate your help! Thanks, Mike
On Tue, 2021-02-16 at 14:38 +0100, Michael Fischer wrote:
Hi!
My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory backend. FreeRadius should then send an accounting packet to a FortiGate firewall where a SSO agent is running.
The authentication part is working find, a user can connect to the WiFi.
As far as I understood it, I should configure FreeRadius to write a detail file which is then parsed an an accounting package sent to the Fortigate firewall. I configured a realm in proxy.conf: realm Fortigate { accthost = 172.16.1.253 secret = *********** }
And I enabled the site "copy-accounting-to-home-server" with the following configuration:
server copy-acct-to-home-server { listen { type = detail filename = ${radacctdir}/detail-* load_factor = 10 }
preacct { preprocess suffix files update control { Proxy-To-Realm := 'Fortigate' } }
accounting { ok }
pre-proxy { }
post-proxy { } }
Reading the detail file seems to work fine, but no accounting package is sent to the FortiGate firewall (I even checked using Wireshark). See a part of the debug-log here: (9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60- E2-B3-96-5C) (9) Sent Access-Accept Id 107 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (9) Class := 0x54657374 (9) MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea (9) MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 (9) EAP-Message = 0x03d10004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name += "fimi" (9) Finished request Waking up in 4.8 seconds. detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Renaming /var/log/radius/radacct/detail-192.168.251.51-20210216 -> /var/log/radius/radacct/detail.work detail (/var/log/radius/radacct/detail-*): Read packet from /var/log/radius/radacct/detail.work Packet-Type = Access-Accept Class = 0x54657374 User-Name = "fimi" MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-MSK = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b 9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-EMSK = 0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be114 12f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36 EAP-Session-Id = 0x19c2bce2a85918a3ba9ea0068fd39acacb8173753f6c2a19ac67249b606157c82923f 2dacd82dc178f0df970ea5031e0e57b82ad5100de437f43b4f8303af37cae EAP-Message = 0x03d10004 Message-Authenticator = 0x00000000000000000000000000000000 Packet-Original-Timestamp = "Feb 16 2021 14:22:24 CET" Packet-Transmit-Counter = 1 Waking up in 4.6 seconds.
See full debug-log attached.
I would really appreciate your help!
Thanks, Mike Hi again!
As I received my E-Mail from the List without attachment - here is the debug output: FreeRADIUS Version 3.0.21 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb//dictionary including configuration file /etc/raddb//radiusd.conf including configuration file /etc/raddb//proxy.conf including configuration file /etc/raddb//clients.conf including files in directory /etc/raddb//mods-enabled/ including configuration file /etc/raddb//mods-enabled/always including configuration file /etc/raddb//mods-enabled/attr_filter including configuration file /etc/raddb//mods-enabled/cache_eap including configuration file /etc/raddb//mods-enabled/chap including configuration file /etc/raddb//mods-enabled/date including configuration file /etc/raddb//mods-enabled/detail including configuration file /etc/raddb//mods-enabled/digest including configuration file /etc/raddb//mods-enabled/dynamic_clients including configuration file /etc/raddb//mods-enabled/eap including configuration file /etc/raddb//mods-enabled/echo including configuration file /etc/raddb//mods-enabled/exec including configuration file /etc/raddb//mods-enabled/expiration including configuration file /etc/raddb//mods-enabled/expr including configuration file /etc/raddb//mods-enabled/files including configuration file /etc/raddb//mods-enabled/linelog including configuration file /etc/raddb//mods-enabled/logintime including configuration file /etc/raddb//mods-enabled/mschap including configuration file /etc/raddb//mods-enabled/ntlm_auth including configuration file /etc/raddb//mods-enabled/pap including configuration file /etc/raddb//mods-enabled/passwd including configuration file /etc/raddb//mods-enabled/preprocess including configuration file /etc/raddb//mods-enabled/radutmp including configuration file /etc/raddb//mods-enabled/realm including configuration file /etc/raddb//mods-enabled/replicate including configuration file /etc/raddb//mods-enabled/soh including configuration file /etc/raddb//mods-enabled/sradutmp including configuration file /etc/raddb//mods-enabled/unix including configuration file /etc/raddb//mods-enabled/unpack including configuration file /etc/raddb//mods-enabled/utf8 including configuration file /etc/raddb//mods-enabled/ldap including files in directory /etc/raddb//policy.d/ including configuration file /etc/raddb//policy.d/abfab-tr including configuration file /etc/raddb//policy.d/accounting including configuration file /etc/raddb//policy.d/canonicalization including configuration file /etc/raddb//policy.d/control including configuration file /etc/raddb//policy.d/cui including configuration file /etc/raddb//policy.d/debug including configuration file /etc/raddb//policy.d/dhcp including configuration file /etc/raddb//policy.d/eap including configuration file /etc/raddb//policy.d/filter including configuration file /etc/raddb//policy.d/moonshot-targeted-ids including configuration file /etc/raddb//policy.d/operator-name including configuration file /etc/raddb//policy.d/rfc7542 including files in directory /etc/raddb//sites-enabled/ including configuration file /etc/raddb//sites-enabled/default including configuration file /etc/raddb//sites-enabled/inner-tunnel including configuration file /etc/raddb//sites-enabled/copy-acct-to- home-server main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm Fortigate { accthost = 172.16.1.253 secret = <<< secret >>> } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client private-network-1 { ipaddr = 192.168.251.0/24 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = LDAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb//mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb//mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb//mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb//mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb//mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb//mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb//mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb//mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb//mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb//mods- enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb//mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb//mods- enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb//mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb//mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb//mods- config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb//mods- config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb//mods- enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb//mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb//mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/raddb//mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb//mods-enabled/detail detail { filename = "/var/log/radius/radacct/detail-%{Packet-Src-IP- Address}-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb//mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb//mods- enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb//mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb//mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb//mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb//mods- enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb//mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb//mods-enabled/files files { filename = "/etc/raddb//mods-config/files/authorize" acctusersfile = "/etc/raddb//mods-config/files/accounting" preproxy_usersfile = "/etc/raddb//mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb//mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb//mods- enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:- unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb//mods- enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb//mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /etc/raddb//mods- enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key -- domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User- Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb//mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb//mods- enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb//mods- enabled/preprocess preprocess { huntgroups = "/etc/raddb//mods-config/preprocess/huntgroups" hints = "/etc/raddb//mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb//mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb//mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb//mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/raddb//mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb//mods- enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb//mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb//mods- enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb//mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb//mods- enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb//mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb//mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb//mods-enabled/utf8 # Loaded module rlm_ldap # Loading module "ldap" from file /etc/raddb//mods-enabled/ldap ldap { server = "ldaps://172.16.1.33" port = 636 identity = "cn=8021xproxy,ou=server,o=htbl" password = <<< secret >>> sasl { } user_dn = "LDAP-UserDn" edir = yes edir_autz = yes user { scope = "sub" access_attribute = "dialupAccess" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "o=HTBL" } profile { } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/raddb//certs/eDirCAcert.pem" start_tls = no require_cert = "allow" } } Creating attribute LDAP-Group instantiate { } # Instantiating module "reject" from file /etc/raddb//mods- enabled/always # Instantiating module "fail" from file /etc/raddb//mods- enabled/always # Instantiating module "ok" from file /etc/raddb//mods-enabled/always # Instantiating module "handled" from file /etc/raddb//mods- enabled/always # Instantiating module "invalid" from file /etc/raddb//mods- enabled/always # Instantiating module "userlock" from file /etc/raddb//mods- enabled/always # Instantiating module "notfound" from file /etc/raddb//mods- enabled/always # Instantiating module "noop" from file /etc/raddb//mods- enabled/always # Instantiating module "updated" from file /etc/raddb//mods- enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb//mods-enabled/attr_filter reading pairlist file /etc/raddb//mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb//mods-enabled/attr_filter reading pairlist file /etc/raddb//mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter reading pairlist file /etc/raddb//mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter reading pairlist file /etc/raddb//mods- config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter reading pairlist file /etc/raddb//mods- config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb//mods- enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb//mods- enabled/detail # Instantiating module "eap" from file /etc/raddb//mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb//certs" pem_file_type = yes private_key_file = "/etc/raddb//certs/server.pem" certificate_file = "/etc/raddb//certs/server.pem" ca_file = "/etc/raddb//certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb//certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = no disable_tlsv1_1 = no disable_tlsv1_2 = no tls_max_version = "1.2" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned using only TLS 1.2 for security Please set: tls_min_version = "1.2" # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb//mods- enabled/expiration # Instantiating module "files" from file /etc/raddb//mods- enabled/files reading pairlist file /etc/raddb//mods-config/files/authorize reading pairlist file /etc/raddb//mods-config/files/accounting reading pairlist file /etc/raddb//mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb//mods- enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb//mods- enabled/linelog # Instantiating module "logintime" from file /etc/raddb//mods- enabled/logintime # Instantiating module "mschap" from file /etc/raddb//mods- enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb//mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb//mods- enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb//mods- enabled/preprocess reading pairlist file /etc/raddb//mods-config/preprocess/huntgroups reading pairlist file /etc/raddb//mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb//mods- enabled/realm # Instantiating module "suffix" from file /etc/raddb//mods- enabled/realm # Instantiating module "bangpath" from file /etc/raddb//mods- enabled/realm # Instantiating module "realmpercent" from file /etc/raddb//mods- enabled/realm # Instantiating module "ntdomain" from file /etc/raddb//mods- enabled/realm # Instantiating module "ldap" from file /etc/raddb//mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20446 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb//radiusd.conf } # server server default { # from file /etc/raddb//sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb//sites-enabled/inner- tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb//sites-enabled/inner-tunnel:345 } # server inner-tunnel server copy-acct-to-home-server { # from file /etc/raddb//sites- enabled/copy-acct-to-home-server # Loading preacct {...} # Loading accounting {...} } # server copy-acct-to-home-server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "detail" listen { filename = "/var/log/radius/radacct/detail-*" load_factor = 10 poll_interval = 1 retry_interval = 30 one_shot = no track = no } } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner- tunnel Listening on detail file /var/log/radius/radacct/detail-* as server copy-acct-to-home-server Listening on proxy address * port 33344 Listening on proxy address :: port 45782 Ready to process requests detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 0.769579 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.219527 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.173822 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.129156 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.249627 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.031091 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 0.840066 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.239105 sec (0) Received Access-Request Id 108 from 192.168.251.51:39578 to 172.16.1.104:1812 length 190 (0) User-Name = "fimi" (0) NAS-Identifier = "a22aa8d26c65" (0) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "F4-60-E2-B3-96-5C" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "6A0D6C94095D2E0A" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x028b00090166696d69 (0) Message-Authenticator = 0xed1d56eb859202891d34ba433c96ff60 (0) # Executing section authorize from file /etc/raddb//sites- enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "fimi", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 139 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb//sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 140 length 6 (0) eap: EAP session adding &reply:State = 0xacb59afcac3983f3 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb//sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 108 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (0) EAP-Message = 0x018c00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xacb59afcac3983f3c10471c5771ffc72 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 109 from 192.168.251.51:39578 to 172.16.1.104:1812 length 340 (1) User-Name = "fimi" (1) NAS-Identifier = "a22aa8d26c65" (1) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "F4-60-E2-B3-96-5C" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "6A0D6C94095D2E0A" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x028c008d198000000083160301007e0100007a030363c73063457cfb114c1273ccdcd 419324e47cc9d731c536da4118f5ca68b117700001ec02bc02fc02cc030cca9cca8c009 c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a000800060 01d00170018000b00020100000d00140012040308040401050308050501080606010201 (1) State = 0xacb59afcac3983f3c10471c5771ffc72 (1) Message-Authenticator = 0x1eebb054a163ed4d02c96042b2be741d (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb//sites- enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "fimi", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 140 length 141 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb//sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xacb59afcac3983f3 (1) eap: Finished EAP session with state 0xacb59afcac3983f3 (1) eap: Previous EAP request found for state 0xacb59afcac3983f3, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 131 bytes (1) eap_peap: Got complete TLS record (131 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: <<< recv TLS 1.3 [length 007e] (1) eap_peap: TLS_accept: SSLv3/TLS read client hello (1) eap_peap: >>> send TLS 1.2 [length 003d] (1) eap_peap: TLS_accept: SSLv3/TLS write server hello (1) eap_peap: >>> send TLS 1.2 [length 0903] (1) eap_peap: TLS_accept: SSLv3/TLS write certificate (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3/TLS write key exchange (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3/TLS write server done (1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_peap: TLS - In Handshake Phase (1) eap_peap: TLS - got 2725 bytes of data (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 141 length 1004 (1) eap: EAP session adding &reply:State = 0xacb59afcad3883f3 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb//sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 109 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (1) EAP-Message = 0x018d03ec19c000000aa5160303003d020000390303a6c97603f1cc359df7d25c0b12e 85f72f42fbd5b6cc194d7f4d4eb950ef62b3b00c02f000011ff01000100000b00040300 01020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020 101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f30 0d06035504080c065261646975733112301006035504070c09536f6d657768657265311 53013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d0109 01161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d7 06c6520436572746966696361746520417574686f72697479301e170d32313032313331 36333433395a170d3231303431343136333433395a307c310b300906035504061302465 2310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c65 20496e632e3123302106035504030c1a4578616d70 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xacb59afcad3883f3c10471c5771ffc72 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 110 from 192.168.251.51:39578 to 172.16.1.104:1812 length 205 (2) User-Name = "fimi" (2) NAS-Identifier = "a22aa8d26c65" (2) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "F4-60-E2-B3-96-5C" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "6A0D6C94095D2E0A" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Framed-MTU = 1400 (2) EAP-Message = 0x028d00061900 (2) State = 0xacb59afcad3883f3c10471c5771ffc72 (2) Message-Authenticator = 0x10a42051d77dc96d1a8fdb6e1790ddc7 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb//sites- enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "fimi", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 141 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb//sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xacb59afcad3883f3 (2) eap: Finished EAP session with state 0xacb59afcad3883f3 (2) eap: Previous EAP request found for state 0xacb59afcad3883f3, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 142 length 1000 (2) eap: EAP session adding &reply:State = 0xacb59afcae3b83f3 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb//sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 110 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (2) EAP-Message = 0x018e03e81940252cedfbf4c3836e44225fdb79c5f5071c20dc8677feb32af525d7756 778521e8aa7957a7d648b1ba1868b19e84857fb8b172605a1f8f8a4a47ab109a8159d2f 8f5b68023e42aa2322f04ae0a25214f052122adb16ea6d8f688e58ae3759cdc84b24c20 e97f5290004fe308204fa308203e2a003020102021404394f2a191606a4278a02c0e327 b5d0dc1a1914300d06092a864886f70d01010b0500308193310b3009060355040613024 652310f300d06035504080c065261646975733112301006035504070c09536f6d657768 65726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a86488 6f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d 4578616d706c6520436572746966696361746520417574686f72697479301e170d32313 03231333136333433395a170d3231303431343136333433395a308193310b3009060355 040613024652310f300d06035504080c0652616469 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xacb59afcae3b83f3c10471c5771ffc72 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 111 from 192.168.251.51:39578 to 172.16.1.104:1812 length 205 (3) User-Name = "fimi" (3) NAS-Identifier = "a22aa8d26c65" (3) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "F4-60-E2-B3-96-5C" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "6A0D6C94095D2E0A" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x028e00061900 (3) State = 0xacb59afcae3b83f3c10471c5771ffc72 (3) Message-Authenticator = 0xb14601361b16a123aaab75b0b82ba00c (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb//sites- enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "fimi", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 142 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb//sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xacb59afcae3b83f3 (3) eap: Finished EAP session with state 0xacb59afcae3b83f3 (3) eap: Previous EAP request found for state 0xacb59afcae3b83f3, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 143 length 743 (3) eap: EAP session adding &reply:State = 0xacb59afcaf3a83f3 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb//sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 111 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (3) EAP-Message = 0x018f02e7190072746966696361746520417574686f72697479821404394f2a191606a 4278a02c0e327b5d0dc1a1914300f0603551d130101ff040530030101ff30360603551d 1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672 f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010084 0b869b8c26a23a9a120e670346fc3ad59f8b235ee1578ade13cd710668564a9a61b5260 ea04a54c65eaed7e37aac1a23b130517fa45fdf34576991981c3e6793f75d88cb482d64 8dd02ac3a08e2ebc23556b1b76f5f3fad93845bd775e210aa5cefd6d2baa0f871d82f34 710b0eea477ea8e26be0521ab9979c249db93590e7c0c1ad8e76dd8241c19f58ced944e 28442b8d4265a21784cd2103a23e43bcb854ebeb2c1038780b723eaaefe957e1c5d2758 2afce334ed5e623832e0ad69a5e9c5d31915eef72ff1d2115168b50e019f2cf54892574 97281e6efe5b26acc91510ffa40f528f3c1b54aa5a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xacb59afcaf3a83f3c10471c5771ffc72 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 112 from 192.168.251.51:39578 to 172.16.1.104:1812 length 335 (4) User-Name = "fimi" (4) NAS-Identifier = "a22aa8d26c65" (4) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "F4-60-E2-B3-96-5C" (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) Acct-Session-Id = "6A0D6C94095D2E0A" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Framed-MTU = 1400 (4) EAP-Message = 0x028f008819800000007e16030300461000004241048fdc417fe1d3fcecaffdcc000a5 1421f8063c74ef6fd3035691c0eb23b7727f1920fcb300efa8b867394dc98d5cea84698 61c3ef699a8b80721e9a487b2dbd8814030300010116030300280000000000000000fd3 e43ecc7209d9245ae40f8cc7d87f77abaa962fd01d56cf55fe9070e075946 (4) State = 0xacb59afcaf3a83f3c10471c5771ffc72 (4) Message-Authenticator = 0x44a410d1eba2411512f46bed2a722cea (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb//sites- enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "fimi", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 143 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb//sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xacb59afcaf3a83f3 (4) eap: Finished EAP session with state 0xacb59afcaf3a83f3 (4) eap: Previous EAP request found for state 0xacb59afcaf3a83f3, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: TLS - Connection Established (4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (4) eap_peap: TLS-Session-Version = "TLS 1.2" (4) eap_peap: TLS - got 51 bytes of data (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 144 length 57 (4) eap: EAP session adding &reply:State = 0xacb59afca82583f3 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb//sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (4) TLS-Session-Version = "TLS 1.2" (4) Sent Access-Challenge Id 112 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (4) EAP-Message = 0x0190003919001403030001011603030028d7bfce4f731f8923b50d6ba0a6ff17eac0f e578415834ef87798c898e5d1b5230abb0fc49392cd52 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xacb59afca82583f3c10471c5771ffc72 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 113 from 192.168.251.51:39578 to 172.16.1.104:1812 length 205 (5) User-Name = "fimi" (5) NAS-Identifier = "a22aa8d26c65" (5) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "F4-60-E2-B3-96-5C" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "6A0D6C94095D2E0A" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Framed-MTU = 1400 (5) EAP-Message = 0x029000061900 (5) State = 0xacb59afca82583f3c10471c5771ffc72 (5) Message-Authenticator = 0xf6d9bebdbb69b67dc8d7eb81d451fb22 (5) Restoring &session-state (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM- SHA256" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/raddb//sites- enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "fimi", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 144 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb//sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xacb59afca82583f3 (5) eap: Finished EAP session with state 0xacb59afca82583f3 (5) eap: Previous EAP request found for state 0xacb59afca82583f3, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 145 length 40 (5) eap: EAP session adding &reply:State = 0xacb59afca92483f3 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb//sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 113 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (5) EAP-Message = 0x019100281900170303001dd7bfce4f731f8924bd8d9b93f79b404ccc3552c051b5803 0a6668f437a (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xacb59afca92483f3c10471c5771ffc72 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 114 from 192.168.251.51:39578 to 172.16.1.104:1812 length 239 (6) User-Name = "fimi" (6) NAS-Identifier = "a22aa8d26c65" (6) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "F4-60-E2-B3-96-5C" (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) Acct-Session-Id = "6A0D6C94095D2E0A" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Framed-MTU = 1400 (6) EAP-Message = 0x029100281900170303001d00000000000000016cef8464a32987af1dd82e0082a1aa1 d2885a73a67 (6) State = 0xacb59afca92483f3c10471c5771ffc72 (6) Message-Authenticator = 0x1895937a755c97428d05e1a5719571f7 (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM- SHA256" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/raddb//sites- enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "fimi", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 145 length 40 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb//sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xacb59afca92483f3 (6) eap: Finished EAP session with state 0xacb59afca92483f3 (6) eap: Previous EAP request found for state 0xacb59afca92483f3, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - fimi (6) eap_peap: Got inner identity 'fimi' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x029100090166696d69 (6) eap_peap: Setting User-Name to fimi (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x029100090166696d69 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "fimi" (6) eap_peap: NAS-Identifier = "a22aa8d26c65" (6) eap_peap: Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (6) eap_peap: NAS-Port-Type = Wireless-802.11 (6) eap_peap: Service-Type = Framed-User (6) eap_peap: Calling-Station-Id = "F4-60-E2-B3-96-5C" (6) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b" (6) eap_peap: Acct-Session-Id = "6A0D6C94095D2E0A" (6) eap_peap: WLAN-Pairwise-Cipher = 1027076 (6) eap_peap: WLAN-Group-Cipher = 1027076 (6) eap_peap: WLAN-AKM-Suite = 1027073 (6) eap_peap: Framed-MTU = 1400 (6) eap_peap: Event-Timestamp = "Feb 16 2021 14:31:51 CET" (6) eap_peap: NAS-IP-Address = 192.168.251.51 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x029100090166696d69 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "fimi" (6) NAS-Identifier = "a22aa8d26c65" (6) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "F4-60-E2-B3-96-5C" (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) Acct-Session-Id = "6A0D6C94095D2E0A" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Framed-MTU = 1400 (6) Event-Timestamp = "Feb 16 2021 14:31:51 CET" (6) NAS-IP-Address = 192.168.251.51 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb//sites- enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "fimi", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 145 length 9 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb//sites-enabled/inner- tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 146 length 43 (6) eap: EAP session adding &reply:State = 0xce54cccdcec6d606 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697 5732d332e302e3231 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xce54cccdcec6d6066e64469f1bba9a6c (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697 5732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xce54cccdcec6d6066e64469f1bba9a6c (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697 5732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xce54cccdcec6d6066e64469f1bba9a6c (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 146 length 74 (6) eap: EAP session adding &reply:State = 0xacb59afcaa2783f3 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb//sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 114 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (6) EAP-Message = 0x0192004a1900170303003fd7bfce4f731f89250b2de5e4317f7ea66feafcc910fc583 31b209ae3b2f1645748cb849feea90736c1b3dd2fd65985670cf8b0500ebf9f65f4c2cd 9c7666bb (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xacb59afcaa2783f3c10471c5771ffc72 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 115 from 192.168.251.51:39578 to 172.16.1.104:1812 length 293 (7) User-Name = "fimi" (7) NAS-Identifier = "a22aa8d26c65" (7) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "F4-60-E2-B3-96-5C" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "6A0D6C94095D2E0A" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x0292005e190017030300530000000000000002c33e469fe868a89587b88a78a823d95 ce11565b6bae206f2ab459b4db443f4f19749b732f97a0bb868d5fa960b4195aea1b707 773f8080e9444b35bccc989c93a662e56f8036a8077d5eb9 (7) State = 0xacb59afcaa2783f3c10471c5771ffc72 (7) Message-Authenticator = 0xb9aba9255bb19133efecdb6c7e8efc39 (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM- SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/raddb//sites- enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "fimi", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 146 length 94 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb//sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xce54cccdcec6d606 (7) eap: Finished EAP session with state 0xacb59afcaa2783f3 (7) eap: Previous EAP request found for state 0xacb59afcaa2783f3, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000 2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69 (7) eap_peap: Setting User-Name to fimi (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000 2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "fimi" (7) eap_peap: State = 0xce54cccdcec6d6066e64469f1bba9a6c (7) eap_peap: NAS-Identifier = "a22aa8d26c65" (7) eap_peap: Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (7) eap_peap: NAS-Port-Type = Wireless-802.11 (7) eap_peap: Service-Type = Framed-User (7) eap_peap: Calling-Station-Id = "F4-60-E2-B3-96-5C" (7) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b" (7) eap_peap: Acct-Session-Id = "6A0D6C94095D2E0A" (7) eap_peap: WLAN-Pairwise-Cipher = 1027076 (7) eap_peap: WLAN-Group-Cipher = 1027076 (7) eap_peap: WLAN-AKM-Suite = 1027073 (7) eap_peap: Framed-MTU = 1400 (7) eap_peap: Event-Timestamp = "Feb 16 2021 14:31:51 CET" (7) eap_peap: NAS-IP-Address = 192.168.251.51 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000 2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "fimi" (7) State = 0xce54cccdcec6d6066e64469f1bba9a6c (7) NAS-Identifier = "a22aa8d26c65" (7) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "F4-60-E2-B3-96-5C" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "6A0D6C94095D2E0A" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) Event-Timestamp = "Feb 16 2021 14:31:51 CET" (7) NAS-IP-Address = 192.168.251.51 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb//sites- enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "fimi", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 146 length 63 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (cn=fimi) (7) ldap: Performing search in "o=HTBL" with filter "(cn=fimi)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL" (7) ldap: Added eDirectory password (7) ldap: Binding as user for eDirectory authorization checks (7) ldap: Waiting for bind result... (7) ldap: Bind successful (7) ldap: Bind as user 'cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL' was successful (7) ldap: Processing user attributes (7) ldap: reply:Class := 0x54657374 rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636 TLS certificate verification: Error, unable to get issuer certificate rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) if ((ok || updated) && User-Password) { (7) if ((ok || updated) && User-Password) -> FALSE (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb//sites-enabled/inner- tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xce54cccdcec6d606 (7) eap: Finished EAP session with state 0xce54cccdcec6d606 (7) eap: Previous EAP request found for state 0xce54cccdcec6d606, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb//sites- enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Creating challenge hash with username: fimi (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) eap_mschapv2: [mschap] = ok (7) eap_mschapv2: } # authenticate = ok (7) eap_mschapv2: MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 147 length 51 (7) eap: EAP session adding &reply:State = 0xce54cccdcfc7d606 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Class := 0x54657374 (7) EAP-Message = 0x019300331a0392002e533d37344538383341333831323330303433453231423444393 831443846304645303534393332434436 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xce54cccdcfc7d6066e64469f1bba9a6c (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Class := 0x54657374 (7) eap_peap: EAP-Message = 0x019300331a0392002e533d37344538383341333831323330303433453231423444393 831443846304645303534393332434436 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xce54cccdcfc7d6066e64469f1bba9a6c (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Class := 0x54657374 (7) eap_peap: EAP-Message = 0x019300331a0392002e533d37344538383341333831323330303433453231423444393 831443846304645303534393332434436 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xce54cccdcfc7d6066e64469f1bba9a6c (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 147 length 82 (7) eap: EAP session adding &reply:State = 0xacb59afcab2683f3 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb//sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 115 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (7) EAP-Message = 0x0193005219001703030047d7bfce4f731f8926d0eb5fb2fb64d352a28529a911dc1f1 6f04df90f49ca7b5d558c6aaa9551b79d2aefe09cabc8d6dab3f7ddfd3e1975c56b057b a096a0d20f24ffcf1b0f8b39 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xacb59afcab2683f3c10471c5771ffc72 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 116 from 192.168.251.51:39578 to 172.16.1.104:1812 length 236 (8) User-Name = "fimi" (8) NAS-Identifier = "a22aa8d26c65" (8) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "F4-60-E2-B3-96-5C" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "6A0D6C94095D2E0A" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x029300251900170303001a0000000000000003df886c4c4c30475c1e9f179b8e75396 288fa (8) State = 0xacb59afcab2683f3c10471c5771ffc72 (8) Message-Authenticator = 0xc30bd0a5031ba8aa96fa0c1beae66554 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM- SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb//sites- enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "fimi", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 147 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb//sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xce54cccdcfc7d606 (8) eap: Finished EAP session with state 0xacb59afcab2683f3 (8) eap: Previous EAP request found for state 0xacb59afcab2683f3, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x029300061a03 (8) eap_peap: Setting User-Name to fimi (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x029300061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "fimi" (8) eap_peap: State = 0xce54cccdcfc7d6066e64469f1bba9a6c (8) eap_peap: NAS-Identifier = "a22aa8d26c65" (8) eap_peap: Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Calling-Station-Id = "F4-60-E2-B3-96-5C" (8) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b" (8) eap_peap: Acct-Session-Id = "6A0D6C94095D2E0A" (8) eap_peap: WLAN-Pairwise-Cipher = 1027076 (8) eap_peap: WLAN-Group-Cipher = 1027076 (8) eap_peap: WLAN-AKM-Suite = 1027073 (8) eap_peap: Framed-MTU = 1400 (8) eap_peap: Event-Timestamp = "Feb 16 2021 14:31:51 CET" (8) eap_peap: NAS-IP-Address = 192.168.251.51 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x029300061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "fimi" (8) State = 0xce54cccdcfc7d6066e64469f1bba9a6c (8) NAS-Identifier = "a22aa8d26c65" (8) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "F4-60-E2-B3-96-5C" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "6A0D6C94095D2E0A" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) Event-Timestamp = "Feb 16 2021 14:31:51 CET" (8) NAS-IP-Address = 192.168.251.51 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb//sites- enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "fimi", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 147 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (1) (8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (cn=fimi) (8) ldap: Performing search in "o=HTBL" with filter "(cn=fimi)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL" (8) ldap: Added eDirectory password (8) ldap: Binding as user for eDirectory authorization checks (8) ldap: Waiting for bind result... (8) ldap: Bind successful (8) ldap: Bind as user 'cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL' was successful (8) ldap: Processing user attributes (8) ldap: reply:Class := 0x54657374 rlm_ldap (ldap): Released connection (1) (8) [ldap] = updated (8) if ((ok || updated) && User-Password) { (8) if ((ok || updated) && User-Password) -> FALSE (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb//sites-enabled/inner- tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xce54cccdcfc7d606 (8) eap: Finished EAP session with state 0xce54cccdcfc7d606 (8) eap: Previous EAP request found for state 0xce54cccdcfc7d606, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 147 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb//sites- enabled/inner-tunnel (8) post-auth { (8) update outer.session-state { (8) User-Name := &User-Name -> 'fimi' (8) } # update outer.session-state = noop (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60- E2-B3-96-5C via TLS tunnel) (8) } # server inner-tunnel (8) Virtual server sending reply (8) Class := 0x54657374 (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023 (8) MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8 (8) EAP-Message = 0x03930004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "fimi" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Class := 0x54657374 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023 (8) eap_peap: MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8 (8) eap_peap: EAP-Message = 0x03930004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "fimi" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Class := 0x54657374 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023 (8) eap_peap: MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8 (8) eap_peap: EAP-Message = 0x03930004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "fimi" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap_peap: Saving tunneled attributes for later (8) eap: Sending EAP Request (code 1) ID 148 length 46 (8) eap: EAP session adding &reply:State = 0xacb59afca42183f3 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb//sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) TLS-Session-Version = "TLS 1.2" (8) User-Name := "fimi" (8) Sent Access-Challenge Id 116 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (8) EAP-Message = 0x0194002e19001703030023d7bfce4f731f8927e59eccb9a0df53bdd33beb426543316 13c93d58c9b3cb1a370fd58 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xacb59afca42183f3c10471c5771ffc72 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 117 from 192.168.251.51:39578 to 172.16.1.104:1812 length 245 (9) User-Name = "fimi" (9) NAS-Identifier = "a22aa8d26c65" (9) Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "F4-60-E2-B3-96-5C" (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) Acct-Session-Id = "6A0D6C94095D2E0A" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) EAP-Message = 0x0294002e1900170303002300000000000000049cbc0856d443a17c57cf0e9696e0be8 29f55af83884de32f3d1fed (9) State = 0xacb59afca42183f3c10471c5771ffc72 (9) Message-Authenticator = 0xbbafaf4a03ca8cd3833cd32b4090599f (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM- SHA256" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) &session-state:User-Name := "fimi" (9) # Executing section authorize from file /etc/raddb//sites- enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "fimi", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 148 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb//sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xacb59afca42183f3 (9) eap: Finished EAP session with state 0xacb59afca42183f3 (9) eap: Previous EAP request found for state 0xacb59afca42183f3, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: Using saved attributes from the original Access-Accept (9) eap_peap: Class := 0x54657374 (9) eap_peap: User-Name = "fimi" (9) eap: Sending EAP Success (code 3) ID 148 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb//sites- enabled/default (9) post-auth { (9) detail: EXPAND /var/log/radius/radacct/detail-%{Packet-Src-IP- Address}-%Y%m%d (9) detail: --> /var/log/radius/radacct/detail-192.168.251.51- 20210216 (9) detail: /var/log/radius/radacct/detail-%{Packet-Src-IP-Address}- %Y%m%d expands to /var/log/radius/radacct/detail-192.168.251.51- 20210216 (9) detail: EXPAND %t (9) detail: --> Tue Feb 16 14:31:51 2021 (9) [detail] = ok (9) if (session-state:User-Name && reply:User-Name && request:User- Name && (reply:User-Name == request:User-Name)) { (9) if (session-state:User-Name && reply:User-Name && request:User- Name && (reply:User-Name == request:User-Name)) -> TRUE (9) if (session-state:User-Name && reply:User-Name && request:User- Name && (reply:User-Name == request:User-Name)) { (9) update reply { (9) &User-Name !* ANY (9) } # update reply = noop (9) } # if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) = noop (9) update { (9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS- Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256' (9) &reply::TLS-Session-Version += &session-state:TLS-Session- Version[*] -> 'TLS 1.2' (9) &reply::User-Name += &session-state:User-Name[*] -> 'fimi' (9) } # update = noop (9) [exec] = noop (9) } # post-auth = ok (9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60- E2-B3-96-5C) (9) Sent Access-Accept Id 117 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0 (9) Class := 0x54657374 (9) MS-MPPE-Recv-Key = 0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd (9) MS-MPPE-Send-Key = 0x44486a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915 (9) EAP-Message = 0x03940004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name += "fimi" (9) Finished request Waking up in 4.8 seconds. detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Renaming /var/log/radius/radacct/detail-192.168.251.51-20210216 -> /var/log/radius/radacct/detail.work detail (/var/log/radius/radacct/detail-*): Read packet from /var/log/radius/radacct/detail.work Packet-Type = Access-Accept Class = 0x54657374 User-Name = "fimi" MS-MPPE-Recv-Key = 0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd MS-MPPE-Send-Key = 0x44486a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915 EAP-MSK = 0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd44486 a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915 EAP-EMSK = 0x8e69ff7772e986232fe655bd169495f41d41a92fe5d60073c08629f8cc9a7829381a2 9a5277fbce20a14a70dadd25244e7f53ab509635c741374cd23769d9fe6 EAP-Session-Id = 0x1963c73063457cfb114c1273ccdcd419324e47cc9d731c536da4118f5ca68b1177a6c 97603f1cc359df7d25c0b12e85f72f42fbd5b6cc194d7f4d4eb950ef62b3b EAP-Message = 0x03940004 Message-Authenticator = 0x00000000000000000000000000000000 Packet-Original-Timestamp = "Feb 16 2021 14:31:51 CET" Packet-Transmit-Counter = 1 Waking up in 3.9 seconds. detail (/var/log/radius/radacct/detail-*): Unlinking /var/log/radius/radacct/detail.work detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 0.757665 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 0.917765 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 0.913522 sec detail (/var/log/radius/radacct/detail-*): Polling for detail file detail (/var/log/radius/radacct/detail-*): Detail listener state unopened waiting 1.103471 sec (0) Cleaning up request packet ID 108 with timestamp +8 (1) Cleaning up request packet ID 109 with timestamp +8 (2) Cleaning up request packet ID 110 with timestamp +8 (3) Cleaning up request packet ID 111 with timestamp +8 (4) Cleaning up request packet ID 112 with timestamp +8 (5) Cleaning up request packet ID 113 with timestamp +8 (6) Cleaning up request packet ID 114 with timestamp +8 (7) Cleaning up request packet ID 115 with timestamp +8 (8) Cleaning up request packet ID 116 with timestamp +8 (9) Cleaning up request packet ID 117 with timestamp +8 Ready to process requests Have a nice day, Mike
On Feb 16, 2021, at 8:38 AM, Michael Fischer <michael@webfischer.at> wrote:
My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory backend. FreeRadius should then send an accounting packet to a FortiGate firewall where a SSO agent is running.
The server doesn't really originate accounting packets.
The authentication part is working find, a user can connect to the WiFi.
As far as I understood it, I should configure FreeRadius to write a detail file which is then parsed an an accounting package sent to the Fortigate firewall.
Well... maybe. But you can't write an Access-Accept packet, and have it magically turn into an Accounting-Request packet.
Reading the detail file seems to work fine, but no accounting package is sent to the FortiGate firewall (I even checked using Wireshark). See a part of the debug-log here: ... detail (/var/log/radius/radacct/detail-*): Read packet from /var/log/radius/radacct/detail.work Packet-Type = Access-Accept
That's not an Accounting packet, is it? Further, that packet doesn't contain any normal accounting attributes.
Class = 0x54657374 User-Name = "fimi" MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-MSK = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b 9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224 EAP-EMSK = 0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be114 12f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36
You really don't want to send EAP-MSK and EAP-EMSK over the wire to another system. TBH, just run "radclient" for now. Or, use the Perl / Python modules to send RADIUS packets. The server isn't really designed to change packet types like this. We've fixed all of this in v4, where this goal is pretty much trivial to do. But we're still a long way from releasing v4. Alan DeKok.
On Tue, 2021-02-16 at 09:02 -0500, Alan DeKok wrote:
On Feb 16, 2021, at 8:38 AM, Michael Fischer <michael@webfischer.at> wrote:
My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory backend. FreeRadius should then send an accounting packet to a FortiGate firewall where a SSO agent is running.
The server doesn't really originate accounting packets.
The authentication part is working find, a user can connect to the WiFi.
As far as I understood it, I should configure FreeRadius to write a detail file which is then parsed an an accounting package sent to the Fortigate firewall.
Well... maybe. But you can't write an Access-Accept packet, and have it magically turn into an Accounting-Request packet. Thank you very much - that was the hint that lead me to the solution!
I enabled "Radius Accounting" on my WiFi Controller. Now the proxying to the Fortigate Firewall works fine! Thanks a lot, Mike
participants (2)
-
Alan DeKok -
Michael Fischer