VLAN assignment to HP Switch with 802.1x client

Shaw, Colin M. c.m.shaw at abdn.ac.uk
Thu Aug 8 17:16:33 CEST 2013


Thanks for the reply Phil.

> > difference. Lastly, for testing purposes, if I insert the required
> > attributes into the default post-auth then it all works and the wired
> > client is assigned the correct vlan, so again the switch side must be
> > ok and I also therefore presume all the dictionary entries are there
> > as required. But I shouldn't need (or want) to do this.
>
> Yes you should. You should always aim to set these attributes in post-auth;
> otherwise you'll see what you are seeing, the attributes getting set in access-
> challenge. This is a function of how EAP is processed by the server.

Ok, but the attribute values are going to be different for different clients (as matched & specified in the users file). Can I deal with that in post-auth?
For this particular service we are simply matching the switch from a huntgroup and setting the vlan in the users file (so we are not even doing any of the LDAP lookups we do in some of our wireless services):
So in users we have:
DEFAULT Huntgroup-Name == "resnet-wired-auth-sw"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = resnet,
        Fall-Through = No

>
> Without a full debug, it's not obvious what you need to change, because it's
> not obvious what you are doing. But it *might* be that you've missed
> "use_tunneled_reply" in the "peap {}" section.

My peap section in eap.conf is:
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        proxy_tunneled_request_as_eap = no
                        virtual_server = "inner-tunnel"
                }
> >
> > Hopefully this sort of thing has been done enough times that someone out
> > there has fallen into whatever trap I currently find myself in and can
> > point me in the right direction I need to be looking. But if not, I can
> > of course supply the output of radiusd -X and the switch debug if it's
> > going to help any.
>
> Yes, it will.

Ok. Below is an example of the output from the switch debug and radiusd -x (sorry it's not from the same attempt, but the outcomes seem identical regardless of the session). In this test to keep things a bit simpler I switched off the ldap authorization we normally have enabled - the debug output is big enough as it is and the ldap lookup is not needed for this (I've tried with it enabled as well though).
Note that vlan 120 is the default vlan on the switch port, and is what the switch is wrongly putting the client on when authentication is successful with the new server - it's being put on the default vlan regardless of what vlan that is set as.


radiusd -X:
(Only thing I've removed is a lot of the repeated entries for [preprocess]    expand: %{Client-IP-Address} ->)

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=123, length=348
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        EAP-Message = 0x02010018017465737477696669406162646e2e61632e756b
        Message-Authenticator = 0x168dbbb1d5f0c6df099507e2a0b6f02f
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
.
 [preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 20
++[files] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 123 to x.x.x.x port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "resnet"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e74c686cb9198540381901eb
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=124, length=479
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e74c686cb9198540381901eb
        EAP-Message =
0x0202008919800000007f160301007a01000076030152010d5c1c755b6e7a70e2a637ee6144578d9cc2b51299984a3ebed45860c4c0205936d330d320b58435451ecbc1e0a851a243e1956163a
4fbd4f13713a176ae030018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
        Message-Authenticator = 0x506da8d0b547c788e7fdcc6228030b7a
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->

/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to

/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 137
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 127
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 007a], ClientHello
  SSL: Client requested nonexistent cached session 5936d330d320b58435451ecbc1e0a851a243e1956163a4fbd4f13713a176ae03
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0051], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0d41], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 124 to x.x.x.x port 1812
        EAP-Message =
0x0103040019c000000da516030100510200004d030152010d5c3210cd66496b25a43efe40e34aa5a48092009029aa4be30cbb89f896206165f84387d24004e04f4badfd6f5000bfacd09cad352
3e232e6cef6db3d9b5b002f000005ff010001001603010d410b000d3d000d3a000529308205253082040da0030201020212112162a61e0bc8aaffe89f2f89b3613bc788300d06092a864886f70d
0101050500305d310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361313330310603550403132a476c6f62616c5369676e204f7267616e697a617
4696f6e2056616c69646174696f6e204341202d2047
        EAP-Message =
0x32301e170d3132303731313135343030325a170d3137303731313135333135315a3070310b30090603550406130247423111300f0603550408130853636f746c616e643111300f06035504071
308416265726465656e311f301d060355040a1316556e6976657273697479206f6620416265726465656e311a3018060355040313117261646975732e6162646e2e61632e756b30820122300d06
092a864886f70d01010105000382010f003082010a0282010100c006610261569828f6cd2239da8d6c8b2f32c14a4f3ddc14b00a2bbb458be49c292b00d6af16e913f9790fa3c0e5f9b1f482601
b7d53124297f3f115d827db4f992c78f8b73059a393
        EAP-Message =
0x18b48ac15797b9b1877b28e5b306a5db2fcffc68a8e435c2e5c9db0caea5ca3bb8573aa29d76e4d461e9415243a67589829893b2734b8fb0a04f199639589049b511155dd15e2749f538b69fe
f73a6f917a0f8998cb39785e4c3aa75d8fa35e578bbd80baa3494f0024573f95e3823cdbc7c6a1b663e3f7e643d2958ca0ae9f6be5e8891ad3a21f14727a2adaafd4979782173a6fb516018126a
91ada644b0f4355b227ead7fc041a761450e7087ee27f944266d225a430203010001a38201ca308201c6300e0603551d0f0101ff0404030205a0304c0603551d2004453043304106092b0601040
1a03201143034303206082b06010505070201162668
        EAP-Message =
0x747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f301c0603551d110415301382117261646975732e6162646e2e61632e756b30090603551d1304023
000301d0603551d250416301406082b0601050507030106082b0601050507030230450603551d1f043e303c303aa038a0368634687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f
67732f67736f7267616e697a6174696f6e76616c67322e63726c30819606082b06010505070101048189308186304706082b06010505073002863b687474703a2f2f7365637572652e676c6f626
16c7369676e2e636f6d2f6361636572742f67736f72
        EAP-Message = 0x67616e697a6174696f6e7661
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e64d686cb9198540381901eb
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=125, length=348
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e64d686cb9198540381901eb
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x116b1855c08cd970fefe2dd99b22651a
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
.
 [preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 125 to x.x.x.x port 1812
        EAP-Message =
0x010403fc19406c67322e637274303b06082b06010505073001862f687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f67736f7267616e697a6174696f6e76616c6732301d0
603551d0e04160414f78dde93afa8effe4fdbc4932e8d2029a5c06e8b301f0603551d230418301680145d46b28dc44b741cbbedf573b63ab7388f759e7e300d06092a864886f70d010105050003
8201010083c427e4c31f4af6d06897c2829aec0fd2a9d5cccb745effdf7f5a4cfcb28a29071f7e1a9bd5fd5fb9542ece1ebc2c91522c790e9990bf5107e05a59a9cd98874568285d8c667f4a461
f1c23edad40cdd9de0a830d173cb6faf7b0be14eccd
        EAP-Message =
0x78b860d3b5dfcac3e29122557abf70266ea30f5ff2b8a57c953cb60b7eeb7d9897e01a9bb9a8aac01ef96b63ec1075369ae9ad0f547621d4a4bec7d0a28afcb7e7b8d3104c02b8e273052b88b
b0497fc17b07d11fa1759a730b4474ba52206dbc304dd1a52ce5c655e42169d486f301436001dffea9b20d1eeaaf74874475d8fc36413fbc47a5761e57745c90061603035ec9118cfceff1e2a08
1b5f63d9bb779400048f3082048b30820373a003020102020b0400000000012f4ee142f9300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a13104
76c6f62616c5369676e206e762d73613110300e0603
        EAP-Message =
0x55040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3131303431333130303030305a170d3232303431333130303030305a305d310
b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361313330310603550403132a476c6f62616c5369676e204f7267616e697a6174696f6e2056616c69
646174696f6e204341202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100dd351df22054261ad0efa56f81765970dce7f4d403241f240e9d229fd4273
27a2b7cee8be361623817afb44b7a9f67211c2d9554
        EAP-Message =
0xba79bab6c4f20d2174176774e2b16408996078fb67c24bf7278d6f3676cf318ce5f106d7dc570e5baceece2dabaaa9702f0286c8b1d0080795ea2aecd19ee4365c3ba636b5438babf78e3e001
bff85596b62018d82e84aba38b3e0c3f46d19a7ea05dd8467c266c72402735ab5eea419d9fc00ceb6a48ddf7ebd5fb23a9d84314fc8630ce4d80d52a37e011bd467a51828eb01a7823cd98e1de5
470dba8b5914a31f1f4beae2274686ce9d39c46641a7e215236b5647c1edc553e4d4801f6bfa804698b209a60f95be6688930203010001a38201503082014c300e0603551d0f0101ff040403020
10630120603551d130101ff040830060101ff020100
        EAP-Message = 0x301d0603551d0e04
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e54a686cb9198540381901eb
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=126, length=348
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e54a686cb9198540381901eb
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xa39534ada4b4b62e8f39dbeb66b46a8c
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 126 to x.x.x.x port 1812
        EAP-Message =
0x010503fc19401604145d46b28dc44b741cbbedf573b63ab7388f759e7e30470603551d200440303e303c0604551d20003034303206082b06010505070201162668747470733a2f2f7777772e6
76c6f62616c7369676e2e636f6d2f7265706f7369746f72792f30330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742e6372
6c303d06082b060105050701010431302f302d06082b060105050730018621687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f726f6f74723130290603551d250422302006082
b0601050507030106082b06010505070302060a2b06
        EAP-Message =
0x01040182370a0303301f0603551d23041830168014607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100737aec012c1722919acab16718a2bac
805899224de1fb8ab449ff7405565f2e0f42ec7deb03f99151f957082e99b4a64242016f07617d21bfeacfa06b477cf98d82aec5715d85e4edd8b96e153331991d5846e25ef0fcbadbfdb4b6b56
ccb5d4403e265eb659f4c590c909c484dfbc267d82e9ebf45bfcc815de09184586b38b4dc76b35279b60f6a45a2a5849b1d83543c632bb5e3bc44a21c1a03b5ec123a9cedbd5bafe5d6dfd007ef
af1943761b900396696a99cb41e11ef55d8b4d8b0c4
        EAP-Message =
0xa5ae320a2ff82df4a2a7ff36d35e638b4e12f7b5288075ee942f70a0567739aa399717fc00f3cf66e7a27192ab059b732e7ae7e72159098d30a1ac5cca197af8000379308203753082025da00
3020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e
060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a30573
10b300906035504061302424531193017060355040a
        EAP-Message =
0x1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a86488
6f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cb
ab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123
c927896d6dc746e934461d18dc746b2750e86e8198a
        EAP-Message = 0xd56d6cd5781695a2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e44b686cb9198540381901eb
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=127, length=348
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e44b686cb9198540381901eb
        EAP-Message = 0x020500061900
        Message-Authenticator = 0x021a9250c5747a74c8497726c945f15f
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 127 to x.x.x.x port 1812
        EAP-Message =
0x010601c91900e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2
ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b
661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3c
a3d614dd34609b33ec3a0e363551bf2baefad39e143
        EAP-Message =
0xb938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b11
5b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f4
2be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e016030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e348686cb9198540381901eb
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=128, length=680
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e348686cb9198540381901eb
        EAP-Message =
000206015019800000014616030101061000010201008b00d78219cd2390d34f32fe9caeb4de7c4fe65a91e3c6763b22ba06096d4c7a4573faf0617fede564d7e691eaa7bad9d523f9a965793a7
50548db117f234a151c254d734acc5599387e6dee409410a4531b137887fe973f881c32ce652710b693f3c2e0251e967c19fe656bad3b6caa962a9095f2080b46417cad03e33571392fe6915b0c
a36adf59987b461c291dcf319c707df307190ca927f98e9fe9e8b64e9022db6ee1c18939d6c41f6a59d89417a13cb4cd482b0a4bcc7826a92c92b31731df22488573087e789bb91c13952d0dff8
71cce3b0773c90b45c74e00c0005cf386b04504d3ff
        EAP-Message =
0xb0485b74f7956159fa1704e55ab4d31ed1625bfda2343b68140301000101160301003035585c69924c15007235b8e1e71b8a7827f96c9fd4093b32db8d10e9ea138d01e4e77662e37f6999e99
b96c9072d71d6
        Message-Authenticator = 0x2dee2d2be7996467e6824f731ee3d14f
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
  SSL: adding session 6165f84387d24004e04f4badfd6f5000bfacd09cad3523e232e6cef6db3d9b5b to cache
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 128 to x.x.x.x port 1812
        EAP-Message = 0x0107004119001403010001011603010030eb16e53e55c7b54849272977678e0538dcd33f875800cee2a67eb292ad77e640e9ffec1733ebeccfcdc882168d9f40fa
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e249686cb9198540381901eb
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=129, length=348
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e249686cb9198540381901eb
        EAP-Message = 0x020700061900
        Message-Authenticator = 0x562d796d691cd91c89ffb97581861286
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 129 to x.x.x.x port 1812
        EAP-Message = 0x0108002b19001703010020040fc44c91ba44f7bd9bddec59e6e31e17bde5d24d964b64d248b8ab55cfc6a2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e146686cb9198540381901eb
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=130, length=401
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e146686cb9198540381901eb
        EAP-Message = 0x0208003b1900170301003031effb5325043a7d60adabb9b8a0252e9be2e2b2ba985ed1f25fa50ec27fafefed984a3fe1c64d45ca9ddc29923e9100
        Message-Authenticator = 0xbe72500ee8d8531d0fa47b4db221dba2
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testx at abdn.ac.uk
[peap] Got inner identity 'testx at abdn.ac.uk'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x02080018017465737477696669406162646e2e61632e756b
server  {
[peap] Setting User-Name to testx at abdn.ac.uk
Sending tunneled request
        EAP-Message = 0x02080018017465737477696669406162646e2e61632e756b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testx at abdn.ac.uk"
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 8 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
++[files] returns noop
++[expiration] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x0109002d1a0109002810003ab4b0ebafb4a77061274bf5668fda7465737477696669406162646e2e61632e756b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e8074c07e896ed096a9cd7911a48739
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x0109002d1a0109002810003ab4b0ebafb4a77061274bf5668fda7465737477696669406162646e2e61632e756b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e8074c07e896ed096a9cd7911a48739
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 130 to x.x.x.x port 1812
        EAP-Message =
0x0109004b19001703010040823a8435990e74e1a1008520cbd9b383a45fc84de1204f3fca3b1e7467552c2a36f3f9acc23692e15a93a6f5e8ba9727cf12d7879c4607dbe7dd36732fa935cc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e047686cb9198540381901eb
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=131, length=449
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176e047686cb9198540381901eb
        EAP-Message =
0x0209006b19001703010060182b591b778c6d6203f6eef6c5bb7ac1ed35cbd08d7c2c82b9ddad5d157d845f92dd071a9aa51150d8905464424e708e34fdb6d220256cac4a2010cb34958cd22b3
2e43538c2e9585bda432fc2238f2fdd4abc3bfd44fb24fe186342c37cbba4
        Message-Authenticator = 0x704dc77781b14614a41ea8d814e1ee69
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x0209004e1a0209004931da2a4b19cf93e70067fa2ed835f0db300000000000000000a0825219da677f2a0f064a344431282f64d355292c323965007465737477696669406162646e2e61632e7
56b
server  {
[peap] Setting User-Name to testx at abdn.ac.uk
Sending tunneled request
        EAP-Message =
0x0209004e1a0209004931da2a4b19cf93e70067fa2ed835f0db300000000000000000a0825219da677f2a0f064a344431282f64d355292c323965007465737477696669406162646e2e61632e7
56b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testx at abdn.ac.uk"
        State = 0x7e8074c07e896ed096a9cd7911a48739
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 9 length 78
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
++[files] returns noop
++[expiration] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/))
[mschapv2] ?? Evaluating (EAP-Type == 1) -> FALSE
[mschapv2] ?? Evaluating (EAP-Message =~ /^0x02..00061a..$/) -> FALSE
[mschapv2] ++? if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) -> FALSE
[mschapv2] ++- entering else else {...}
[mschap] Creating challenge hash with username: testx at abdn.ac.uk
[mschap] Client is using MS-CHAPv2 for testx at abdn.ac.uk, we need NT-Password
[mschap]        expand: %{Stripped-User-Name} -> testx
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=testx
[mschap] Creating challenge hash with username: testx at abdn.ac.uk
[mschap]        expand: %{mschap:Challenge} -> 8f7e12267adfef9c
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=8f7e12267adfef9c
[mschap]        expand: %{mschap:NT-Response} -> a0825219da677f2a0f064a344431282f64d355292c323965
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a0825219da677f2a0f064a344431282f64d355292c323965
Exec-Program output: NT_KEY: 84D49D39C55C2983830A96941BD1D7AA
Exec-Program-Wait: plaintext: NT_KEY: 84D49D39C55C2983830A96941BD1D7AA
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
+++[mschap] returns ok
++- else else returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a00331a0309002e533d41433336464635303544413032374234374543314237464433453631363144384246433334363936
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e8074c07f8a6ed096a9cd7911a48739
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a00331a0309002e533d41433336464635303544413032374234374543314237464433453631363144384246433334363936
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e8074c07f8a6ed096a9cd7911a48739
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 131 to x.x.x.x port 1812
        EAP-Message =
0x010a005b19001703010050099889e745a0cb12423f5c7e64cb1a2f7723411b9adccd81fd40cc0dbfe9828ebdaa8c15412abe265e6c04100de5e9556a707bec78739d33822b2732d2ba050bdf6
40a6ca232a68dd52c4b2757f913af
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176ef44686cb9198540381901eb
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=132, length=385
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176ef44686cb9198540381901eb
        EAP-Message = 0x020a002b19001703010020d8caf6fd9d96650ff344d457d8a8412b78f5fe4dd966d1fae7485f2ed861a27d
        Message-Authenticator = 0x5deaf00357d43558e49095a3f6ca29bc
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00061a03
server  {
[peap] Setting User-Name to testx at abdn.ac.uk
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testx at abdn.ac.uk"
        State = 0x7e8074c07f8a6ed096a9cd7911a48739
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
[files]         expand: %{Client-IP-Address} -> x.x.x.x
++[files] returns noop
++[expiration] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[reply_log]     expand: %{Packet-Src-IP-Address} -> x.x.x.x
[reply_log]     expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/reply-detail-20130806
[reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/reply-detail-20130806
[reply_log]     expand: %t -> Tue Aug  6 15:51:08 2013
++[reply_log] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xacbbc63ebd6b3c7e993938ca4acc15cb
        MS-MPPE-Recv-Key = 0xe37c54e02433c82a6f60d5a90b6eceaf
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testx"
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xacbbc63ebd6b3c7e993938ca4acc15cb
        MS-MPPE-Recv-Key = 0xe37c54e02433c82a6f60d5a90b6eceaf
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testx"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 132 to x.x.x.x port 1812
        EAP-Message = 0x010b002b190017030100209d098a2bb1a57dba1b3f00ca81dbcc3028ad018d6787771efbb8955ce1263b62
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176ee45686cb9198540381901eb
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=133, length=385
        Framed-MTU = 1480
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx at abdn.ac.uk"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 125
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "F5"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "120"
        State = 0xe74e7176ee45686cb9198540381901eb
        EAP-Message = 0x020b002b190017030100209bc7ce2e9fc0caa38604cade411e3373e153471a8fb8113d5c51e1424baaf4b3
        Message-Authenticator = 0xe48e296335f7379ea7170dee7dec4241
        MS-RAS-Vendor = 11
        HP-Capability-Advert = 0x011a0000000b28
        HP-Capability-Advert = 0x011a0000000b2e
        HP-Capability-Advert = 0x011a0000000b30
        HP-Capability-Advert = 0x011a0000000b3d
        HP-Capability-Advert = 0x0138
        HP-Capability-Advert = 0x013a
        HP-Capability-Advert = 0x0140
        HP-Capability-Advert = 0x0141
        HP-Capability-Advert = 0x0151
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[auth_log]      expand: %{Packet-Src-IP-Address} -> x.x.x.x
[auth_log]      expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/auth-detail-20130806
[auth_log]      expand: %t -> Tue Aug  6 15:51:08 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "abdn.ac.uk" for User-Name = "testx at abdn.ac.uk"
[suffix] Found realm "abdn.ac.uk"
[suffix] Adding Stripped-User-Name = "testx"
[suffix] Adding Realm = "abdn.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        User-Name = "testx"
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[reply_log]     expand: %{Packet-Src-IP-Address} -> x.x.x.x
[reply_log]     expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/reply-detail-20130806
[reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/reply-detail-20130806
[reply_log]     expand: %t -> Tue Aug  6 15:51:08 2013
++[reply_log] returns ok
Sending Access-Accept of id 133 to x.x.x.x port 1812
        User-Name = "testx"
        MS-MPPE-Recv-Key = 0x828f7f8bcf286eae0e609f69762db9e7114a5eb5f2dc922a450d175c06f27e1e
        MS-MPPE-Send-Key = 0xe2972bc77c895a34b6bfaf07da5794995b97beeefbe3b12f934653dfa0662cc4
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host x.x.x.x port 1813, id=134, length=118
        Acct-Session-Id = "001200000030"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Acct-Authentic = RADIUS
        NAS-Port = 125
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        User-Name = "testx"
        MS-RAS-Vendor = 11
        Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
.
.
[preprocess]    expand: %{Client-IP-Address} -> x.x.x.x
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 125,NAS-Identifier = "x.x.x.x",NAS-IP-Address = x.x.x.x,Acct-Session-Id = "001200000030",User-Name = "testx"'
[acct_unique] Acct-Unique-Session-ID = "9d892381f6e04dad".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "testx", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Accounting realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> x.x.x.x
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d ->
/var/log/radius/radacct/x.x.x.x/detail-20130806
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
/var/log/radius/radacct/x.x.x.x/detail-20130806
[detail]        expand: %t -> Tue Aug  6 15:51:10 2013
++[detail] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> testx
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 134 to x.x.x.x port 1813
Finished request 11.
Cleaning up request 11 ID 134 with timestamp +23
Going to the next request



"debug security" on HP switch:

0004:20:13:34.92 1X   m8021xCtrl:Port F5: connection detected.
0004:20:13:34.92 1X   m8021xCtrl:Port F5: sent ReqId #1 to 0180c2-000003.
0004:20:13:34.94 1X   m8021xCtrl:Port F5: added new client xxxxxx-xxxxxx.
0004:20:13:34.94 1X   m8021xCtrl:Port F5: received RspId #1 from xxxxxx-xxxxxx.
0004:20:13:34.94 1X   m8021xCtrl:Port F5: started authentication session for
   client xxxxxx-xxxxxx.
0004:20:13:34.94 RAD  mRadiusCtr:Received RADIUS MSG: AUTH REQUEST, session:
   165, access method: PORT-ACCESS.
0004:20:13:34.94 1X   m8021xCtrl:Port F5: received EAP identity request for
   client xxxxxx-xxxxxx.
0004:20:13:34.94 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:34.94 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:34.94 RAD  mRadiusCtr:ACCESS REQUEST id: 95 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:34.95 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:35.45 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:35.95 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:36.45 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:36.95 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:37.95 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:37.96 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:37.96 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:37.98 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.02 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.03 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.03 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.06 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.50 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.79 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.79 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.79 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:38.79 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:39.55 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:39.55 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:39.55 PSEC eDrvPoll:incoming mac xxxxxx-xxxxxx on port F5 for vlan
   120 rejected by portsec demux. wma does not want this pkt.
0004:20:13:39.93 RAD  mRadiusCtr:ACCESS REQUEST id: 95 to y.y.y.y has
   timed out.
0004:20:13:39.93 1X   m8021xCtrl:Port F5: received notification for client
   xxxxxx-xxxxxx: 'Can't reach RADIUS server...'
0004:20:13:39.93 1X   m8021xCtrl:Port F5: dropped notification for client
   xxxxxx-xxxxxx.
0004:20:13:39.93 RAD  mRadiusCtr:ACCESS REQUEST id: 95 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:39.99 RAD  tRadiusR:ACCESS CHALLENGE id: 95 from y.y.y.y received.
0004:20:13:39.99 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:39.99 1X   m8021xCtrl:Port F5: sent EAP request #2 to 0180c2-000003.
0004:20:13:39.99 RAD  tRadiusR:ACCESS CHALLENGE id: 95 from y.y.y.y received.
0004:20:13:39.99 RAD  tRadiusR:ACCESS CHALLENGE id: 95 from y.y.y.y
   DROPPED, not in waiting for server reply state.
0004:20:13:39.99 1X   m8021xCtrl:Port F5: received type 25 EAP response #2 from
   xxxxxx-xxxxxx.
0004:20:13:39.99 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:39.99 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:39.99 RAD  mRadiusCtr:ACCESS REQUEST id: 96 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:40.05 RAD  tRadiusR:ACCESS CHALLENGE id: 96 from y.y.y.y received.
0004:20:13:40.05 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.05 1X   m8021xCtrl:Port F5: sent EAP request #3 to 0180c2-000003.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: received type 25 EAP response #3 from
   xxxxxx-xxxxxx.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.06 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.06 RAD  mRadiusCtr:ACCESS REQUEST id: 97 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:40.06 RAD  tRadiusR:ACCESS CHALLENGE id: 97 from y.y.y.y received.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: sent EAP request #4 to 0180c2-000003.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: received type 25 EAP response #4 from
   xxxxxx-xxxxxx.
0004:20:13:40.06 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.06 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.06 RAD  mRadiusCtr:ACCESS REQUEST id: 98 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:40.07 RAD  tRadiusR:ACCESS CHALLENGE id: 98 from y.y.y.y received.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: sent EAP request #5 to 0180c2-000003.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: received type 25 EAP response #5 from
   xxxxxx-xxxxxx.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.07 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.07 RAD  mRadiusCtr:ACCESS REQUEST id: 99 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   x.x.x.x
0004:20:13:40.07 RAD  tRadiusR:ACCESS CHALLENGE id: 99 from y.y.y.y received.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.07 1X   m8021xCtrl:Port F5: sent EAP request #6 to 0180c2-000003.
0004:20:13:40.08 1X   m8021xCtrl:Port F5: received type 25 EAP response #6 from
   xxxxxx-xxxxxx.
0004:20:13:40.08 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.08 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.08 RAD  mRadiusCtr:ACCESS REQUEST id: 100 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.09 RAD  tRadiusR:ACCESS CHALLENGE id: 100 from y.y.y.y received.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: sent EAP request #7 to 0180c2-000003.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: received type 25 EAP response #7 from
   xxxxxx-xxxxxx.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.09 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.09 RAD  mRadiusCtr:ACCESS REQUEST id: 101 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.09 RAD  tRadiusR:ACCESS CHALLENGE id: 101 from y.y.y.y received.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.09 1X   m8021xCtrl:Port F5: sent EAP request #8 to 0180c2-000003.
0004:20:13:40.10 1X   m8021xCtrl:Port F5: received type 25 EAP response #8 from
   xxxxxx-xxxxxx.
0004:20:13:40.10 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.10 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.10 RAD  mRadiusCtr:ACCESS REQUEST id: 102 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.10 RAD  tRadiusR:ACCESS CHALLENGE id: 102 from y.y.y.y received.
0004:20:13:40.10 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.10 1X   m8021xCtrl:Port F5: sent EAP request #9 to 0180c2-000003.
0004:20:13:40.11 1X   m8021xCtrl:Port F5: received type 25 EAP response #9 from
   xxxxxx-xxxxxx.
0004:20:13:40.11 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.11 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.11 RAD  mRadiusCtr:ACCESS REQUEST id: 103 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.26 RAD  tRadiusR:ACCESS CHALLENGE id: 103 from y.y.y.y received.
0004:20:13:40.26 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.26 1X   m8021xCtrl:Port F5: sent EAP request #10 to 0180c2-000003.
0004:20:13:40.27 1X   m8021xCtrl:Port F5: received type 25 EAP response #10 from
   xxxxxx-xxxxxx.
0004:20:13:40.27 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.27 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.27 RAD  mRadiusCtr:ACCESS REQUEST id: 104 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.28 RAD  tRadiusR:ACCESS CHALLENGE id: 104 from y.y.y.y received.
0004:20:13:40.28 1X   m8021xCtrl:Port F5: received EAP request for client
   xxxxxx-xxxxxx.
0004:20:13:40.28 1X   m8021xCtrl:Port F5: sent EAP request #11 to 0180c2-000003.
0004:20:13:40.28 1X   m8021xCtrl:Port F5: received type 25 EAP response #11 from
   xxxxxx-xxxxxx.
0004:20:13:40.28 1X   m8021xCtrl:Port F5: sent EAP response from client
   xxxxxx-xxxxxx to authenticaton server.
0004:20:13:40.28 RAD  mRadiusCtr:Received RADIUS MSG: DATA, session: 165.
0004:20:13:40.28 RAD  mRadiusCtr:ACCESS REQUEST id: 105 to y.y.y.y,
   session: 165, access method: PORT-ACCESS, User-Name: testx at abdn.ac.uk,
   Calling-Station-Id: xxxxxx-xxxxxx, NAS-Port-Id: F5, NAS-IP-Address:
   z.z.z.z
0004:20:13:40.30 RAD  tRadiusR:ACCESS ACCEPT id: 105 from y.y.y.y received.
0004:20:13:40.30 1X   m8021xCtrl:Port F5: received Success for client
   xxxxxx-xxxxxx, finished authentication session.
0004:20:13:40.30 UMIB m8021xCtrl:added new dca client xxxxxx-xxxxxx for new
   client port F5.
0004:20:13:40.30 UMIB m8021xCtrl:Client Mac xxxxxx-xxxxxx, accessMode 8021x
0004:20:13:40.30 1X   m8021xCtrl:Port F5: starting session for client
   xxxxxx-xxxxxx.
0004:20:13:40.30 1X   m8021xCtrl:Port F5: sent Success #11 to xxxxxx-xxxxxx.
0004:20:13:40.30 RAD  tRadiusR:Removing RADIUS REQUEST id: 105 from queue.
0004:20:13:40.30 RAD  mRadiusCtr:Received RADIUS MSG: ACCT REQUEST, session: 83.
0004:20:13:41.81 RAD  mRadiusCtr:ACCOUNTING REQUEST id: 106 to y.y.y.y,
   session: 83, access method: CONSOLE, User-Name: testx, Calling-Station-Id:
   xxxxxx-xxxxxx, NAS-IP-Address: x.x.x.x.
0004:20:13:41.82 RAD  tRadiusR:ACCOUNTING RESPONSE id: 106 from y.y.y.y received.
0004:20:13:41.82 RAD  tRadiusR:Removing RADIUS REQUEST id: 106 from queue.
0004:20:14:27.07 RAD  mRadiusCtr:Received RADIUS MSG: ACCT REQUEST, session: 32.
0004:20:14:27.07 RAD  mRadiusCtr:ACCOUNTING REQUEST id: 107 to y.y.y.y,
   session: 32, access method: CONSOLE, User-Name: manager, Calling-Station-Id:
   a.a.a.a, NAS-IP-Address: x.x.x.x.
0004:20:14:27.08 RAD  tRadiusR:ACCOUNTING RESPONSE id: 107 from y.y.y.y received.
0004:20:14:27.08 RAD  tRadiusR:Removing RADIUS REQUEST id: 107 from queue.
0004:20:14:50.59 SSH  tSsh0:Too many authentication failures, status = -6403
0004:20:15:07.30 RAD  mRadiusCtr:Received RADIUS MSG: ACCT REQUEST, session: 84.
0004:20:15:07.30 RAD  mRadiusCtr:ACCOUNTING REQUEST id: 108 to y.y.y.y,
   session: 84, access method: CONSOLE, User-Name: manager, Calling-Station-Id:
   a.a.a.a, NAS-IP-Address: x.x.x.x.
0004:20:15:07.32 RAD  tRadiusR:ACCOUNTING RESPONSE id: 108 from y.y.y.y received.
0004:20:15:07.32 RAD  tRadiusR:Removing RADIUS REQUEST id: 108 from queue.

Thanks,
Colin




The University of Aberdeen is a charity registered in Scotland, No SC013683.



More information about the Freeradius-Users mailing list