FreeRADIUS Not Storing Cache Data in Redis
Hi everyone, We are currently facing an issue with FreeRADIUS where no cache entries are being created in Redis. We’ve tested the Redis connection, authentication, and database selection, but when we run KEYS * in Redis, it returns an empty array. When running FreeRADIUS in debug mode (radiusd -X), we do not see any Redis-related errors, yet the expected data is not found in Redis. I configured redis, cache, cache_tls and cache_eap modules for testing purpose, and it's still a bit confusing on which one to enable for production (we use only EAP-TLS with Radsec): *mods-enabled/redis:* redis { server = raddb-redis-master.radius.svc.cluster.local port = 6379 password = root } *mods-enabled/cache:* cache cache_redis { driver = "rlm_cache_redis" key = "%{control:State}" ttl = 43200 redis { server = raddb-redis-master.radius.svc.cluster.local port = 6379 password = root } update { &reply: += &reply: &control:State := &request:State } } *mods-enabled/cache_tls:* cache cache_tls_session { driver = rlm_cache_redis key = &Session-Id ttl = 43200 redis { server = raddb-redis-master.radius.svc.cluster.local port = 6379 password = root } update { &reply:TLS-Session-Data := &session-state:TLS-Session-Data } } *mods-enabled/cache_eap:* cache cache_eap { driver = rlm_cache_redis key = "%{control:State}" ttl = 43200 redis { server = raddb-redis-master.radius.svc.cluster.local port = 6379 password = root } update reply { &reply += &reply &control:State := &request:State } } Is there anything wrong with our configuration that could be preventing data from being stored in Redis? Any help would be greatly appreciated. Please let me know if any additional logs or details would be helpful. Best regards, Luca,
On Feb 11, 2025, at 6:56 AM, Luca Borruto via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We are currently facing an issue with FreeRADIUS where no cache entries are being created in Redis. We’ve tested the Redis connection, authentication, and database selection, but when we run KEYS * in Redis, it returns an empty array.
i.e. the server isn't writing anything to redis.
When running FreeRADIUS in debug mode (radiusd -X), we do not see any Redis-related errors, yet the expected data is not found in Redis.
There may be other reasons why it's not writing to redis.
I configured redis, cache, cache_tls and cache_eap modules for testing purpose, and it's still a bit confusing on which one to enable for production (we use only EAP-TLS with Radsec):
*mods-enabled/redis:*
Why? When you join the list, you get a message which explains what information you should include in messages. It explicitly says do NOT include configuration files. DO include debug output.
Is there anything wrong with our configuration that could be preventing data from being stored in Redis?
Any help would be greatly appreciated. Please let me know if any additional logs or details would be helpful.
Read the documentation. Do what it says. http://wiki.freeradius.org/list-help Alan DeKok.
Sorry I've been trying to read the documentation online but it's quite confusing on the cache part imo. Here's the output of my test client connecting: ``` Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default Listening on command file /var/run/freeradius/freeradius.sock Ready to process requests ... new connection request on TCP socket Listening on auth+acct from client (10.0.2.32, 48352) -> (*, 2083, virtual-server=default) Waking up in 0.7 seconds. (0) (TLS) RADIUS/TLS -Initiating new session (0) (TLS) RADIUS/TLS - Setting verify mode to require certificate from client (0) (TLS) Received PROXY protocol connection from client redacted:34975 -> 10.0.2.32:2083, via proxy 10.0.2.32:48352 -> 0.0.0.0:2083 (0) (TLS) RADIUS/TLS - Handshake state - before SSL initialization (0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization (0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization (0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, ClientHello (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client hello (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerHello (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server hello (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, Certificate (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerKeyExchange (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write key exchange (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, CertificateRequest (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate request (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerHelloDone (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server done (0) (TLS) RADIUS/TLS - Server : Need to read more data: SSLv3/TLS write server done (0) (TLS) RADIUS/TLS - In Handshake Phase Waking up in 0.7 seconds. (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server done (0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, Certificate (0) (TLS) RADIUS/TLS - Creating attributes from 2 certificate in chain (0) TLS-Cert-Serial := "11dab57caad571c6d5c4f11e982257350227cb66" (0) TLS-Cert-Expiration := "21040920072654Z" (0) TLS-Cert-Valid-Since := "240919072626Z" (0) TLS-Cert-Subject := "/CN=Cisco Meraki Dashboard Organization No. redacted" (0) TLS-Cert-Issuer := "/CN=Cisco Meraki Dashboard Organization No. redacted" (0) TLS-Cert-Common-Name := "Cisco Meraki Dashboard Organization No. redacted" (0) (TLS) RADIUS/TLS - Creating attributes from 1 certificate in chain (0) TLS-Client-Cert-Serial := "1cb739b0874d133493ea7bdde9f8b39775ca8f0c" (0) TLS-Client-Cert-Expiration := "250328095310Z" (0) TLS-Client-Cert-Valid-Since := "250127095240Z" (0) TLS-Client-Cert-Subject := "/CN=redacted" (0) TLS-Client-Cert-Issuer := "/CN=Cisco Meraki Dashboard Organization No. redacted" (0) TLS-Client-Cert-Common-Name := "redacted" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "5E:F0:78:25:04:34:8F:F4:20:32:FD:00:39:74:7A:A0:FB:C7:CD:4F" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "E5:DB:DC:D8:61:A4:67:A1:B6:86:D3:26:57:37:79:3F:2E:D3:A8:84" (0) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.3.6.1.4.1.29671.1" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 1 intermediate CA cert(s) untrusted To forbid these certificates see 'reject_unknown_intermediate_ca' (TLS) untrusted certificate with depth [0] subject name /CN=redacted (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client certificate (0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, ClientKeyExchange (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client key exchange (0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, CertificateVerify (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read certificate verify (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read change cipher spec (0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, Finished (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read finished (0) (TLS) RADIUS/TLS - send TLS 1.2 ChangeCipherSpec (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write change cipher spec (0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, Finished (0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write finished (0) (TLS) RADIUS/TLS - Handshake state - SSL negotiation finished successfully (0) (TLS) RADIUS/TLS - Connection Established (0) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (0) TLS-Session-Version = "TLS 1.2" Waking up in 0.6 seconds. (0) (TLS): Access-Request packet from host redacted port 34975, id=219, length=382 Threads: total/active/spare threads = 20/0/20 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) (0) Received Access-Request Id 219 from redacted:34975 to 10.0.2.32:2083 length 382 (0) User-Name = "redacted" (0) NAS-IP-Address = redacted (0) NAS-Identifier = "redacted:vap14" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "redacted" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel: 132" (0) Acct-Session-Id = "775DEA09A6E6B977" (0) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Meraki-Network-Name = "redacted - redacted - wireless" (0) Meraki-Ap-Name = "redacted" (0) Meraki-Ap-Tags = " RADIUS " (0) Called-Station-Id = "redacted:redacted" (0) Meraki-Device-Name = "redacted" (0) Framed-MTU = 1400 (0) EAP-Message = 0x02060011014656464a4835505731574659 (0) Message-Authenticator = 0x25e20c0637b50615a50deb95c2f601af (0) Proxy-State = 0x3839 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "redacted", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 6 length 17 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) TLS -Initiating new session (0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 7 length 10 (0) eap: EAP session adding &reply:State = 0x678ce86b678be506 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 1400 (0) Sent Access-Challenge Id 219 from 10.0.2.32:2083 to redacted:34975 length 72 (0) EAP-Message = 0x0107000a0da000000000 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x678ce86b678be506eecbea7deb819ffb (0) Proxy-State = 0x3839 (0) Finished request Thread 1 waiting to be assigned a request Waking up in 0.6 seconds. (0) (TLS): Access-Request packet from host redacted port 34975, id=22, length=545 Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 22 from redacted:34975 to 10.0.2.32:2083 length 545 (1) User-Name = "redacted" (1) NAS-IP-Address = redacted (1) NAS-Identifier = "redacted:vap14" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "redacted" (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel: 132" (1) Acct-Session-Id = "775DEA09A6E6B977" (1) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Meraki-Network-Name = "redacted - redacted - wireless" (1) Meraki-Ap-Name = "redacted" (1) Meraki-Ap-Tags = " RADIUS " (1) Called-Station-Id = "redacted:redacted" (1) Meraki-Device-Name = "redacted" (1) Framed-MTU = 1400 (1) EAP-Message = 0x020700a20d800000009816030100930100008f0303c563583d889ede0ba9495b153484f78b10d85f8c6f678c42120e0293f66966f5000022c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a0100004400170000ff01000100000a000a0008001d001700180019000b00020100000500050100000000000d00160014040308040401050308050805050108060601020100120000 (1) State = 0x678ce86b678be506eecbea7deb819ffb (1) Message-Authenticator = 0x6ca29efb8d12c45734a7bd752fceb400 (1) Proxy-State = 0x3930 (1) Restoring &session-state (1) &session-state:Framed-MTU = 1400 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "redacted", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 7 length 162 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Removing EAP session with state 0x678ce86b678be506 (1) eap: Previous EAP request found for state 0x678ce86b678be506, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) EAP Peer says that the final record size will be 152 bytes (1) eap_tls: (TLS) EAP Got all data (152 bytes) (1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello (1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello (1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate Waking up in 0.6 seconds. (1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key exchange (1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate request (1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone (1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done (1) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS write server done (1) eap_tls: (TLS) TLS - In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 8 length 1406 (1) eap: EAP session adding &reply:State = 0x678ce86b6684e506 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 1400 (1) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 22 from 10.0.2.32:2083 to redacted:34975 length 1478 (1) EAP-Message = 0x0108057e0dc000000b26160303005d0200005903033e39d453da530dd1a307e7f1f13e08dd8e9055edb33c78f2444f574e4752440120ea1d9428603d161311ba7d9e647f14fd13d2d7bc76a4ce80b892230e641a7911c02f000011ff01000100000b00040300010200170000160303094c0b0009480009450005de308205da308204c2a00302010202134900000037b77a03fa15ec6b16000000000037300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3234303832393132313234325a170d3334303732333130353730355a301c311a3018060355040313117261646975732e6167696361702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5493f649ed417f3f9a68aa3aa73c262c629dda9de01ea89a19aca61a9a5245eace36469ead3489699 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x678ce86b6684e506eecbea7deb819ffb (1) Proxy-State = 0x3930 (1) Finished request Thread 2 waiting to be assigned a request (0) (TLS): Access-Request packet from host redacted port 34975, id=36, length=389 Waking up in 0.5 seconds. Thread 5 got semaphore Thread 5 handling request 2, (1 handled so far) (2) Received Access-Request Id 36 from redacted:34975 to 10.0.2.32:2083 length 389 (2) User-Name = "redacted" (2) NAS-IP-Address = redacted (2) NAS-Identifier = "redacted:vap14" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 1 (2) Calling-Station-Id = "redacted" (2) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel: 132" (2) Acct-Session-Id = "775DEA09A6E6B977" (2) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Meraki-Network-Name = "redacted - redacted - wireless" (2) Meraki-Ap-Name = "redacted" (2) Meraki-Ap-Tags = " RADIUS " (2) Called-Station-Id = "redacted:redacted" (2) Meraki-Device-Name = "redacted" (2) Framed-MTU = 1400 (2) EAP-Message = 0x020800060d00 (2) State = 0x678ce86b6684e506eecbea7deb819ffb (2) Message-Authenticator = 0x8c2f46530c6a103cd33eca0280c1a2ee (2) Proxy-State = 0x3931 (2) Restoring &session-state (2) &session-state:Framed-MTU = 1400 (2) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "redacted", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 8 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Removing EAP session with state 0x678ce86b6684e506 (2) eap: Previous EAP request found for state 0x678ce86b6684e506, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 9 length 1406 (2) eap: EAP session adding &reply:State = 0x678ce86b6585e506 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 1400 (2) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 36 from 10.0.2.32:2083 to redacted:34975 length 1478 (2) EAP-Message = 0x0109057e0dc000000b266feb0db610b95cc89010e0d5cb2f3703d107fde81316091f801cc6a853661a2a373c4a214e19e46f0b261ebf06ebbde790ef4975859457f4419c5a4928d775aa4c10d1c440a0c0cb41be4bf2f12ed37e7dc9252ae3dd7fe5ca0e0e500ca68197b1f6c41191f1c84f870a73f818d374e8e9229191f0f6ac1503f9c0d2d1f53be136f859b0e429414289716b96901ffd9d1bc9d77bde61b5e71b2b793dbc2b9b70bbb177b656374e41672c99e39c28668c2bce0172f1772b6e5c409f1713cf582679ca4f66571140294e05d72e19b12ab392925a3ad707e5fcf5ca310003613082035d30820245a00302010202106b92ee8fe3454c9b47b46b05a3e74566300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3234303732333130343730355a170d3334303732333130353730 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x678ce86b6585e506eecbea7deb819ffb (2) Proxy-State = 0x3931 (2) Finished request Thread 5 waiting to be assigned a request (0) (TLS): Access-Request packet from host redacted port 34975, id=168, length=389 Thread 6 got semaphore Thread 6 handling request 3, (1 handled so far) (3) Received Access-Request Id 168 from redacted:34975 to 10.0.2.32:2083 length 389 (3) User-Name = "redacted" (3) NAS-IP-Address = redacted (3) NAS-Identifier = "redacted:vap14" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "redacted" (3) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel: 132" (3) Acct-Session-Id = "775DEA09A6E6B977" (3) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Meraki-Network-Name = "redacted - redacted - wireless" (3) Meraki-Ap-Name = "redacted" (3) Meraki-Ap-Tags = " RADIUS " (3) Called-Station-Id = "redacted:redacted" (3) Meraki-Device-Name = "redacted" (3) Framed-MTU = 1400 (3) EAP-Message = 0x020900060d00 (3) State = 0x678ce86b6585e506eecbea7deb819ffb (3) Message-Authenticator = 0x8dade919f97ef968cab2d2772e9e2401 (3) Proxy-State = 0x3932 (3) Restoring &session-state (3) &session-state:Framed-MTU = 1400 (3) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "redacted", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 9 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Removing EAP session with state 0x678ce86b6585e506 (3) eap: Previous EAP request found for state 0x678ce86b6585e506, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 10 length 72 (3) eap: EAP session adding &reply:State = 0x678ce86b6486e506 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 1400 (3) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 168 from 10.0.2.32:2083 to redacted:34975 length 134 (3) EAP-Message = 0x010a00480d8000000b26340d000030030102400028040305030603080708080809080a080b080408050806040105010601030303010302040205020602000016030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x678ce86b6486e506eecbea7deb819ffb (3) Proxy-State = 0x3932 (3) Finished request Thread 6 waiting to be assigned a request Waking up in 0.5 seconds. (0) (TLS): Access-Request packet from host redacted port 34975, id=33, length=1669 Waking up in 0.4 seconds. Thread 7 got semaphore Thread 7 handling request 4, (1 handled so far) (4) Received Access-Request Id 33 from redacted:34975 to 10.0.2.32:2083 length 1669 (4) User-Name = "redacted" (4) NAS-IP-Address = redacted (4) NAS-Identifier = "redacted:vap14" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 1 (4) Calling-Station-Id = "redacted" (4) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel: 132" (4) Acct-Session-Id = "775DEA09A6E6B977" (4) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Meraki-Network-Name = "redacted - redacted - wireless" (4) Meraki-Ap-Name = "redacted" (4) Meraki-Ap-Tags = " RADIUS " (4) Called-Station-Id = "redacted:redacted" (4) Meraki-Device-Name = "redacted" (4) Framed-MTU = 1400 (4) EAP-Message = 0x020a04fc0dc000000abb160303094c0b0009480009450005de308205da308204c2a003020102021349000010f9f23608014b67362b0000000010f9300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3235303230343038343132335a170d3237303230343038343132335a3017311530130603550403130c4656464a483550573157465930820122300d06092a864886f70d01010105000382010f003082010a0282010100b317c68240bed2e9f5ac41dcc81a1c499f83be1114197d01dc1e1c66d331c26fd7f5f847b7e96fe11928a43d6fcebde6a66ea31a2cf1cd09d347a38f5cd5177b5f3ef1ba2046b7876e65e9c97a1391200fec18aa4ba903f0cea9d1fdb6718dd7b07d9f473185b5d1a31a802ae69f16347e2921a97d60d7c8994c4ae2f6d26d8bfeee8ebd47be3adfedc7648fd19c1cbd (4) State = 0x678ce86b6486e506eecbea7deb819ffb (4) Message-Authenticator = 0xfa55042e700b60cf120fc4526190f520 (4) Proxy-State = 0x3933 (4) Restoring &session-state (4) &session-state:Framed-MTU = 1400 (4) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "redacted", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 10 length 1276 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Removing EAP session with state 0x678ce86b6486e506 (4) eap: Previous EAP request found for state 0x678ce86b6486e506, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) EAP Peer says that the final record size will be 2747 bytes (4) eap_tls: (TLS) EAP Expecting 3 fragments (4) eap_tls: (TLS) EAP Got first TLS fragment (1266 bytes). Peer says more fragments will follow (4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (4) eap: Sending EAP Request (code 1) ID 11 length 6 (4) eap: EAP session adding &reply:State = 0x678ce86b6387e506 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 1400 (4) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 33 from 10.0.2.32:2083 to redacted:34975 length 68 (4) EAP-Message = 0x010b00060d00 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x678ce86b6387e506eecbea7deb819ffb (4) Proxy-State = 0x3933 (4) Finished request Thread 7 waiting to be assigned a request (0) (TLS): Access-Request packet from host redacted port 34975, id=81, length=1669 Waking up in 0.4 seconds. Thread 8 got semaphore Thread 8 handling request 5, (1 handled so far) (5) Received Access-Request Id 81 from redacted:34975 to 10.0.2.32:2083 length 1669 (5) User-Name = "redacted" (5) NAS-IP-Address = redacted (5) NAS-Identifier = "redacted:vap14" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 1 (5) Calling-Station-Id = "redacted" (5) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel: 132" (5) Acct-Session-Id = "775DEA09A6E6B977" (5) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Meraki-Network-Name = "redacted - redacted - wireless" (5) Meraki-Ap-Name = "redacted" (5) Meraki-Ap-Tags = " RADIUS " (5) Called-Station-Id = "redacted:redacted" (5) Meraki-Device-Name = "redacted" (5) Framed-MTU = 1400 (5) EAP-Message = 0x020b04fc0d404cac6da2e18a59159af8d757f4e22f3f8f24a7767d57175fdaf5a60bb2dec6e44ee04e57350d4f75eaa4ded0367774ea48ba9c6f2519d19d37c83469ad325e0cd77223582cf6694f7b8de9e803cefa1d3b1ab00992bc19ff29b5a4de4849ff91b2b9bb5abc822501a54d17be5c09ee29444387bd5f945777cb8f6c24a5701d7562ac335569dcd7f7cf891a65fefa3fa1761ea68a03b8dd5ace199610d9082488b7aa8ff40a68659732f9d3853830403def4f7bf01acc396a9f6084773704ec07b62b3884e26017c62377d6d1e464e90919d9adcd1a71fb3eadb6603da5205087ab337cb1865fdb63e007daedc466102c2435df52f823919ec177260003613082035d30820245a00302010202106b92ee8fe3454c9b47b46b05a3e74566300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e (5) State = 0x678ce86b6387e506eecbea7deb819ffb (5) Message-Authenticator = 0x11bb325168d6a68060564b849692ef80 (5) Proxy-State = 0x3934 (5) Restoring &session-state (5) &session-state:Framed-MTU = 1400 (5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "redacted", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 11 length 1276 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Removing EAP session with state 0x678ce86b6387e506 (5) eap: Previous EAP request found for state 0x678ce86b6387e506, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (5) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (5) eap: Sending EAP Request (code 1) ID 12 length 6 (5) eap: EAP session adding &reply:State = 0x678ce86b6280e506 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 1400 (5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 81 from 10.0.2.32:2083 to redacted:34975 length 68 (5) EAP-Message = 0x010c00060d00 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x678ce86b6280e506eecbea7deb819ffb (5) Proxy-State = 0x3934 (5) Finished request Thread 8 waiting to be assigned a request (0) (TLS): Access-Request packet from host redacted port 34975, id=232, length=600 Thread 9 got semaphore Thread 9 handling request 6, (1 handled so far) (6) Received Access-Request Id 232 from redacted:34975 to 10.0.2.32:2083 length 600 (6) User-Name = "redacted" (6) NAS-IP-Address = redacted (6) NAS-Identifier = "redacted:vap14" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 1 (6) Calling-Station-Id = "redacted" (6) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel: 132" (6) Acct-Session-Id = "775DEA09A6E6B977" (6) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Meraki-Network-Name = "redacted - redacted - wireless" (6) Meraki-Ap-Name = "redacted" (6) Meraki-Ap-Tags = " RADIUS " (6) Called-Station-Id = "redacted:redacted" (6) Meraki-Device-Name = "redacted" (6) Framed-MTU = 1400 (6) EAP-Message = 0x020c00d90d00d4008f5e4030e199569f6cacb99687a7cc1255d616b5fea7051110f13bdd06b0b6b8c608f3b08c05da38bf87fe18f2f0b5abb7b49680f2de1f4150aaa85c65fea3fd6e42a1b0714baba76eaa6b95ec214ddac29ade0c1bbf9332767d4e609fa2dc063e725acdc16727ce90853104eeda23fc6e5f89b10b785ce22bcdd7d3b69c59ad068e047079d3764e76f42785191519bfea90723b6a039450888ee1d2b99614030300010116030300280000000000000000eecb7c97731d3918923a14c8975504277e957a5deb5f90e2605edf73c3943d9b (6) State = 0x678ce86b6280e506eecbea7deb819ffb (6) Message-Authenticator = 0xe483f5c24641fe08e6dce12b763efe27 (6) Proxy-State = 0x3935 (6) Restoring &session-state (6) &session-state:Framed-MTU = 1400 (6) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "redacted", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 12 length 217 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Removing EAP session with state 0x678ce86b6280e506 (6) eap: Previous EAP request found for state 0x678ce86b6280e506, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) EAP Got final fragment (211 bytes) (6) eap_tls: (TLS) EAP Done initial handshake (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done (6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate Waking up in 0.4 seconds. (6) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain (6) eap_tls: TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566" (6) eap_tls: TLS-Cert-Expiration := "340723105705Z" (6) eap_tls: TLS-Cert-Valid-Since := "240723104705Z" (6) eap_tls: TLS-Cert-Subject := "/DC=com/DC=redacted/CN=redacted-CA" (6) eap_tls: TLS-Cert-Issuer := "/DC=com/DC=redacted/CN=redacted-CA" (6) eap_tls: TLS-Cert-Common-Name := "redacted-CA" (6) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain (6) eap_tls: TLS-Client-Cert-Serial := "49000010f9f23608014b67362b0000000010f9" (6) eap_tls: TLS-Client-Cert-Expiration := "270204084123Z" (6) eap_tls: TLS-Client-Cert-Valid-Since := "250204084123Z" (6) eap_tls: TLS-Client-Cert-Subject := "/CN=redacted" (6) eap_tls: TLS-Client-Cert-Issuer := "/DC=com/DC=redacted/CN=redacted-CA" (6) eap_tls: TLS-Client-Cert-Common-Name := "redacted" (6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "65:2F:67:BC:AB:F5:E6:FA:68:26:07:48:6D:8F:2C:29:AC:D4:E7:FA" (6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, E-mail Protection, Microsoft Encrypted File System" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.10.3.4" Certificate chain - 1 intermediate CA cert(s) untrusted To forbid these certificates see 'reject_unknown_intermediate_ca' (TLS) untrusted certificate with depth [1] subject name /DC=com/DC=redacted/CN=redacted-CA (TLS) untrusted certificate with depth [0] subject name /CN=redacted (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client certificate (6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read certificate verify (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished (6) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (6) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished successfully (6) eap_tls: (TLS) TLS - Connection Established (6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) eap_tls: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 13 length 61 (6) eap: EAP session adding &reply:State = 0x678ce86b6181e506 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 1400 (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify" (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 232 from 10.0.2.32:2083 to redacted:34975 length 123 (6) EAP-Message = 0x010d003d0d80000000331403030001011603030028d56a4920524bc0c861fb3720087a4bc4f839eb5a96d0a26029b196f251efafa918497cb5f5e37f0a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x678ce86b6181e506eecbea7deb819ffb (6) Proxy-State = 0x3935 (6) Finished request Thread 9 waiting to be assigned a request (0) (TLS): Access-Request packet from host redacted port 34975, id=223, length=389 Thread 10 got semaphore Thread 10 handling request 7, (1 handled so far) (7) Received Access-Request Id 223 from redacted:34975 to 10.0.2.32:2083 length 389 (7) User-Name = "redacted" (7) NAS-IP-Address = redacted (7) NAS-Identifier = "redacted:vap14" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "redacted" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel: 132" (7) Acct-Session-Id = "775DEA09A6E6B977" (7) Acct-Multi-Session-Id = "02D5720D8A66E2E0" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Meraki-Network-Name = "redacted - redacted - wireless" (7) Meraki-Ap-Name = "redacted" (7) Meraki-Ap-Tags = " RADIUS " (7) Called-Station-Id = "redacted:redacted" (7) Meraki-Device-Name = "redacted" (7) Framed-MTU = 1400 (7) EAP-Message = 0x020d00060d00 (7) State = 0x678ce86b6181e506eecbea7deb819ffb (7) Message-Authenticator = 0xdf8530963d5b6e5c58e534702cd0341c (7) Proxy-State = 0x3936 (7) Restoring &session-state (7) &session-state:Framed-MTU = 1400 (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify" (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "redacted", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 13 length 6 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Removing EAP session with state 0x678ce86b6181e506 (7) eap: Previous EAP request found for state 0x678ce86b6181e506, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_tls: (TLS) cache - Setting up attributes for session resumption (7) eap_tls: caching EAP-Type = TLS (7) eap_tls: caching TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566" (7) eap_tls: caching TLS-Cert-Expiration := "340723105705Z" (7) eap_tls: caching TLS-Cert-Valid-Since := "240723104705Z" (7) eap_tls: caching TLS-Cert-Subject := "/DC=com/DC=redacted/CN=redacted-CA" (7) eap_tls: caching TLS-Cert-Issuer := "/DC=com/DC=redacted/CN=redacted-CA" (7) eap_tls: caching TLS-Cert-Common-Name := "redacted-CA" (7) eap_tls: caching TLS-Client-Cert-Serial := "49000010f9f23608014b67362b0000000010f9" (7) eap_tls: caching TLS-Client-Cert-Expiration := "270204084123Z" (7) eap_tls: caching TLS-Client-Cert-Valid-Since := "250204084123Z" (7) eap_tls: caching TLS-Client-Cert-Subject := "/CN=redacted" (7) eap_tls: caching TLS-Client-Cert-Issuer := "/DC=com/DC=redacted/CN=redacted-CA" (7) eap_tls: caching TLS-Client-Cert-Common-Name := "redacted" (7) eap_tls: caching TLS-Client-Cert-X509v3-Subject-Key-Identifier += "65:2F:67:BC:AB:F5:E6:FA:68:26:07:48:6D:8F:2C:29:AC:D4:E7:FA" (7) eap_tls: caching TLS-Client-Cert-X509v3-Authority-Key-Identifier += "DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C" (7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, E-mail Protection, Microsoft Encrypted File System" (7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4" (7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.10.3.4" (7) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (7) eap: Sending EAP Success (code 3) ID 13 length 4 (7) eap: Freeing handler (7) [eap] = ok (7) } # authenticate = ok (7) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (7) post-auth { (7) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (7) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (7) update { (7) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1400 (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, ClientHello' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHello' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Certificate' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Certificate' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Finished' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 ChangeCipherSpec' (7) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Finished' (7) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256' (7) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (7) } # update = noop (7) [exec] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) if (EAP-Key-Name && &reply:EAP-Session-Id) { (7) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (7) } # post-auth = noop (7) Login OK: [redacted] (from client AP-Meraki-redacted port 1 cli redacted) (7) Sent Access-Accept Id 223 from 10.0.2.32:2083 to redacted:34975 length 184 (7) MS-MPPE-Recv-Key = 0x3848fd9ec720e40b9e637d0303bf4b23124d6b3c28a49724972ccc88121c4310 (7) MS-MPPE-Send-Key = 0xe9ddfecd8cb6924f2b3ee5ed87560b168ebb4a9ece52793af9708b6eb0c751c4 (7) EAP-Message = 0x030d0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) User-Name = "redacted" (7) Proxy-State = 0x3936 (7) Framed-MTU += 1400 (7) Finished request Thread 10 waiting to be assigned a request Waking up in 0.4 seconds. Waking up in 4.0 seconds. (0) Cleaning up request packet ID 219 with timestamp +77 due to cleanup_delay was reached (1) Cleaning up request packet ID 22 with timestamp +77 due to cleanup_delay was reached (2) Cleaning up request packet ID 36 with timestamp +77 due to cleanup_delay was reached (3) Cleaning up request packet ID 168 with timestamp +77 due to cleanup_delay was reached (4) Cleaning up request packet ID 33 with timestamp +77 due to cleanup_delay was reached (5) Cleaning up request packet ID 81 with timestamp +77 due to cleanup_delay was reached (6) Cleaning up request packet ID 232 with timestamp +77 due to cleanup_delay was reached (7) Cleaning up request packet ID 223 with timestamp +77 due to cleanup_delay was reached Waking up in 24.9 seconds. ``` Le mar. 11 févr. 2025 à 15:48, Alan DeKok <aland@deployingradius.com> a écrit :
On Feb 11, 2025, at 6:56 AM, Luca Borruto via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
We are currently facing an issue with FreeRADIUS where no cache entries are being created in Redis. We’ve tested the Redis connection, authentication, and database selection, but when we run KEYS * in Redis, it returns an empty array.
i.e. the server isn't writing anything to redis.
When running FreeRADIUS in debug mode (radiusd -X), we do not see any Redis-related errors, yet the expected data is not found in Redis.
There may be other reasons why it's not writing to redis.
I configured redis, cache, cache_tls and cache_eap modules for testing purpose, and it's still a bit confusing on which one to enable for production (we use only EAP-TLS with Radsec):
*mods-enabled/redis:*
Why? When you join the list, you get a message which explains what information you should include in messages. It explicitly says do NOT include configuration files. DO include debug output.
Is there anything wrong with our configuration that could be preventing data from being stored in Redis?
Any help would be greatly appreciated. Please let me know if any additional logs or details would be helpful.
Read the documentation. Do what it says.
http://wiki.freeradius.org/list-help
Alan DeKok.
-- [image: logo] <https://redirect.boostmymail.com/4Zm-4f0296580fcf4e5c80a33af00b0322c6> Luca Borruto IT System Administrator luca.borruto@agicap.com <https://redirect.boostmymail.com/4Zm-dc5779b061954defacc05e363a5696e4> <https://redirect.boostmymail.com/4Zm-7a8e60341d744b8bb02d1f09d7d5b840> [image: Linkedin] <https://redirect.boostmymail.com/4Zm-a07de2ddc5c94500afa93e8a4151b576> [image: Youtube] <https://redirect.boostmymail.com/4Zm-f49d8598b69d4a63a6cab44c1497ad69> [image: Campaign Banner] <https://redirect.boostmymail.com/4Zm-bab88183ed3e45d38932a06020f826db>
participants (2)
-
Alan DeKok -
Luca Borruto