AW: AW: Override EAP invalid result in authentication section
PENZ Robert
ROBERT.PENZ at TIROL.GV.AT
Tue Jun 4 09:55:01 CEST 2013
Hi Phil!
do you need something additional from me?
Thx, Robert
-----Ursprüngliche Nachricht-----
Von: freeradius-users-bounces+robert.penz=tirol.gv.at at lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv.at at lists.freeradius.org] Im Auftrag von PENZ Robert
Gesendet: Dienstag, 28. Mai 2013 17:50
An: FreeRadius users mailing list
Betreff: AW: AW: Override EAP invalid result in authentication section
> You can't do that. EAP is a challenge-response protocol; you can't force
> it to "succeed" - the remote peer will think it failed and drop the link.
ok, so I can't succeed with the NAK stuff. I understand that now. But if the last step (the verification of the CRL with the verify { client} directive fails or the certificate is expired) the challenge-response is at its end. At this point the switch gets an Accept or Reject. I only want to fail soft to get the PC into a remediation network.
> What you want to do isn't possible in general. Instead, you need to look
> into "auth failed VLAN" support on your network equipment - this
> generally only works for wired connections though.
I'm using the "auth failed VLAN", its for guests (= MAC addresses that are not in the DB). But I don't want e.g. company notebooks which were too long not in the network (certificate expired, ...) to fail into the guest network, because then I can't bring the client back to full compliance automatically.
> Also, please stop posting partial debugs with the wrong options; it's
> "radiusd -X" and a full debug. The timestamps are just noise, and you've
> removed most of the debug so it's not possible to infer the full auth
> processing and offer you more specific advice.
sorry I wanted to get more output with the additional -xx, and wanted to past only the relevant part of the config so you don't need to look at the full config. Here is the full current config + log:
# /usr/sbin/radiusd -d /etc/raddb -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Sep 24 2012 at 17:14:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/dvtlocal.conf
including configuration file /etc/raddb/proxy.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/local
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/xxxxxx.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 768000
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/xxxxxx.tirol.local.pem"
certificate_file = "/etc/raddb/certs/xxxxxx.tirol.local.pem"
CA_file = "/etc/raddb/certs/xxxxxx.pem"
private_key_password = "xxxxxx"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/var/tmp/radiusd"
client = "/usr/local/sbin/clrtest/ /etc/raddb/certs/.temp/ %{TLS-Client-Cert-Filename}" # deliberately error to provoke fail
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to module rlm_always
Module: Instantiating module "handled" from file /etc/raddb/modules/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
Module: Instantiating module "ok" from file /etc/raddb/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Loading virtual module rewrite.calling_station_id
Module: Instantiating module "noop" from file /etc/raddb/modules/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log
detail auth_log {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = "3306"
login = "xxxxxx"
password = "xxxxxx"
radius_db = "xxxxxx"
read_groups = no
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{Calling-Station-Id}"
default_user_profile = ""
nas_query = xxxxxx
authorize_check_query = xxxxxx
authorize_reply_query = xxxxxx
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to xxxxxx at localhost:3306/xxxxxx
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT stacksseq, mgntip, stackname, "Switch", secret FROM tstacks
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=xxxxxx,shortname=xxxxxx,secret=xxxxxx
...
rlm_sql (sql): Released sql socket id: 4
Module: Loading virtual module do_not_respond
Module: Instantiating module "reject" from file /etc/raddb/modules/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_sql_log
Module: Instantiating module "sql_log" from file /etc/raddb/modules/sql_log
sql_log {
path = "/var/log/radius/radacct/sql-relay"
Post-Auth = xxxxxxxx
sql_user_name = "%{%{User-Name}:-DEFAULT}"
utf8 = yes
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
# Only MAC Authentication
rad_recv: Access-Request packet from host xxxxxx port 48570, id=45, length=101
User-Name = "xxxxxx"
User-Password = "xxxxxx"
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 0: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: xxxxx
[sql] User found in radcheck table
[sql] expand: xxxxx
rlm_sql (sql): Released sql socket id: 3
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> TRUE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message) {...}
+++[control] returns ok
++- if (!EAP-Message) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [xxxxxx/xxxxxx] (from client xxxxxx port 1015 cli xxxxxx)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql_log] Processing sql_log_postauth
[sql_log] expand: %{User-Name} -> xxxxxx
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> xxxxxx
[sql_log] sql_set_user escaped user --> 'xxxxxx'
[sql_log] expand: xxxxx
[sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] returns ok
Sending Access-Accept of id 45 to xxxxxx port 48570
Extreme-Netlogin-Extended-Vlan = "UvlanRemediation"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
# EAP-TLS Request which fails deliberately at verify script
rad_recv: Accounting-Request packet from host xxxxxx port 34903, id=97, length=115
Acct-Status-Type = Start
User-Name = "xxxxxx"
NAS-IP-Address = xxxxxx
Acct-Session-Id = "Tue May 28, 2013 17:31:47"
Service-Type = Login-User
NAS-Port = 1015
NAS-Port-Type = Ethernet
Tunnel-Private-Group-Id:0 = "1561"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1015,Client-IP-Address = xxxxxx,NAS-IP-Address = xxxxxx,Acct-Session-Id = "Tue May 28, 2013 17:31:47",User-Name = "xxxxxx"'
[acct_unique] Acct-Unique-Session-ID = "566059eaf92291ca".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[sql_log] Processing sql_log_accounting
[sql_log] expand: %{User-Name} -> xxxxxx
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> xxxxxx
[sql_log] sql_set_user escaped user --> 'xxxxxx'
[sql_log] expand: %{Acct-Delay-Time} -> 0
[sql_log] expand: xxxxxxxxx
[sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] returns ok
Sending Accounting-Response of id 97 to xxxxxx port 34903
Finished request 1.
Cleaning up request 1 ID 97 with timestamp +6
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=46, length=152
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x0273002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
Message-Authenticator = 0x469f68fbf45f1533243eb7eb71b01743
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 2: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: xxxxxxxxx
[sql] User found in radcheck table
[sql] expand: xxxxxxxxxx
rlm_sql (sql): Released sql socket id: 2
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 115 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 46 to xxxxxx port 48570
EAP-Message = 0x017400060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd4cb4b553bc1d190550109285
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=47, length=242
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027400690d800000005f160301005a01000056030151a4cde3d59f34ad73db249b135a4c0c929759d7c9d1b7ec86d074bbd4c7c21f000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd4cb4b553bc1d190550109285
Message-Authenticator = 0xac93cb6d0ec9e493ad777bf996f85fcc
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 3: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: xxxxxxxx
[sql] User found in radcheck table
[sql] expand: xxxxxxxx
rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 116 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0bd7], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0060], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 47 to xxxxxx port 48570
EAP-Message = 0x017504000dc000000c7716030100310200002d030151a4cde3202752856258ca711aed70cdc673f06ec86a44b5cf72c2824bd28a7200002f000005ff010001001603010bd70b000bd3000bd00007133082070f308205f7a003020102020a6a4ecce40000000192a1300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3132303331343039303030345a170d3137303331333039303030345a3081a8310b3009060355040613024154310e300c06
EAP-Message = 0x0355040813055469726f6c3112301006035504071309496e6e73627275636b312a3028060355040a13214456542d446174656e2d566572617262656974756e672d5469726f6c20476d6248312a3028060355040b13214456542d446174656e2d566572617262656974756e672d5469726f6c20476d6248311d301b06035504031314766d6163617530312e7469726f6c2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100c3af2441653145945b95a4be7e0a1ff52300be4980b2791a9bfb11ebf212b77e434a698e28c3b1567b6860cba7209990b22c47ce0204c46768d3b1b6b87edbe38a0190d735e0
EAP-Message = 0xabb65e151efea8a09898e6bcf9ca6c3b2c247a7fed19f08988ff472b8cc1aee5e9f84edf94fbb4adcac25f37eb0b31d6c19286ff2e891f9a59632a58d42fce681de9100ba189c4717d7eb32d23a71f5a1535017f4073fb5cf536ac61f94d9a8631eec76fcbd90a2411c72ec00eb812ff1c550616121ab2c5f3281ae2a8345bf9da89bdd87bcc64961140bb99e64544f8800092429d68d78017b2c5d39d82aeae2b0cf5bc28fb47975725de26b8de8c5c608637657482d38133790203010001a38203913082038d300b0603551d0f0404030205a0301d0603551d0e04160414727a8ec35267a642744baeb1a6c67bb40d510234303c06092b0601040182
EAP-Message = 0x371507042f302d06252b060104018237150883e4ff7f82dcc104f1913085ddc64382eaa0205d83a0a22583a0a15d020164020109301f0603551d23041830168014f42d3cfb8c85acd11b38899741763faba6a125493082015c0603551d1f048201533082014f3082014ba0820147a08201438681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f636572746966696361
EAP-Message = 0x74655265766f636174696f6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd4db5b553bc1d190550109285
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=48, length=143
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027500060d00
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd4db5b553bc1d190550109285
Message-Authenticator = 0x780cd08f27fa930221e2e50e5224a558
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 4: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: xxxxxx
[sql] User found in radcheck table
[sql] expand: xxxxxx
rlm_sql (sql): Released sql socket id: 0
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 117 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 48 to xxxxxx port 48570
EAP-Message = 0x017604000dc000000c774c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072697365253230526f6f7425323043412e63726c863d66696c653a2f2f5c5c63612e7469726f6c2e6c6f63616c5c43657274456e726f6c6c5c544c5220456e746572707269736520526f6f742043412e63726c3082015606082b0601050507010104820148308201443081bb06082b060105050730028681ae6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f
EAP-Message = 0x7425323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479305c06082b060105050730018650687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f63612e7469726f6c2e6c6f63616c5f544c52253230456e7465727072697365253230526f6f7425323043412e637274302606082b06010505073001861a68747470
EAP-Message = 0x3a2f2f63612e7469726f6c2e6c6f63616c2f6f637370301d0603551d250416301406082b0601050507030206082b06010505070301302706092b060104018237150a041a3018300a06082b06010505070302300a06082b06010505070301300d06092a864886f70d010105050003820101003d09dba412217ff9f195dff3b2c0bcf275b1f5799fce6afac526ed38b5840decb746d984cf4859acb0ce996d0b5531489c06d51528d3190c58284a02a8e6288792864066239cc3deb7879ae6bc6253974ea9a96f0c4347875f999e48c139cbcca394eeec88d4e1fcff14e7b982f5d060f4e88e9809c0bf97b59a6e3e76f23b0af46eaba2a6290e6a7f25ab
EAP-Message = 0x3d2f1ce80f22c198be073748dbf52aea27604d7e96c851409df39e14a537622dfe17af405cce9f7e11e081e79bc630b7b53bef30b4f78cab5f7aa48bbf0f5f7ef96a00263b94c7fe8c058e79d0fdc8be2caab2e431b167a0c7aef17ffd1e1aaf5015bb755f1e6ae1f4409d724779a399312b2bc4fb0004b7308204b33082039ba0030201020210008d4d5ae04328a34ed7943615edcfa8300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3035
EAP-Message = 0x303430353131353134365a17
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd4eb6b553bc1d190550109285
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=49, length=143
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027600060d00
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd4eb6b553bc1d190550109285
Message-Authenticator = 0xf87e621dfa7f0b6cd5153d24919a4262
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 5: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: xxxxx
[sql] User found in radcheck table
[sql] expand: xxxxx
rlm_sql (sql): Released sql socket id: 4
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 118 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 49 to xxxxxx port 48570
EAP-Message = 0x017704000dc000000c770d3235303430353132303032355a304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d74ea54dcaac05385372620935817bca181ca24f7b745a550d83a5d3a3b71c2c8cdc4193e7390ac4fa8b61c4154f9f64be8618bf2044324f14c4fcb60783b10989cfd11c5f0f237b283cdd1e20bda5d9eddaba43e2f3467c0de54940ab19ed0701dded9e46ca4dbb9dece84eed962b963cdcc8
EAP-Message = 0x751c54ce566150c42b7833be7f1a0d01a3c1c40232cd2d095881a8f10c7c12de5c336796b0b3c55a8ccaf90c5ad660e052032aa686f584fe71b5c2c1eee240d668e80b07883f62dcf24f0e466c9c1ed48c3c6e98cacbcb989c7ed20f50463baae477958761f5f835bce99ce04d23b8d4d6d02afeeb9fc80c147a2375c7bf37dc7d232174ec010ae3fbd1baa34b0203010001a382018930820185301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414f42d3cfb8c85acd11b38899741763faba6a125493082011d0603551d1f0482011430820110
EAP-Message = 0x3082010ca0820108a08201048681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072
EAP-Message = 0x697365253230526f6f7425323043412e63726c301006092b06010401823715010403020100300d06092a864886f70d01010505000382010100490680b41668ce244b8b08168253df143a496665e3f1f33e1e3374397f14e6bb02d4316f2df09f2df5e8d385a36e3f5c388a823028683d97a1c478df21f4e00e068a76c8c3b71e4a87c93d486bff815aaeec76acf495a330e245ba5d3c761fbd0052188b3fa1fe259e3040b8f6b0231447e118bff040a866a5c36569262820f5a3243e77aa6fbe68e1ef5d5e97f37e608ed539c1397df03f366f22f6c247b3539847c604f2f8aac960b4610006133035ff25f1593214ee556048ec358a1ffda0418a77b6
EAP-Message = 0x9d17e6bfbcad8d663f29d6ea
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd4fb7b553bc1d190550109285
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=50, length=143
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027700060d00
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd4fb7b553bc1d190550109285
Message-Authenticator = 0x95829ba607a1a2c61d36d0c87642d49d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 6: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: xxxxx
[sql] User found in radcheck table
[sql] expand: xxxxx
rlm_sql (sql): Released sql socket id: 3
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 119 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 50 to xxxxxx port 48570
EAP-Message = 0x0178009f0d8000000c77d31d2c5f00fcb5663f6a461a05f0c5267bad8b41424c61c850a6087361b97e6cfc469816ccf07c99b5b5591152702a7616030100600d00005802010200530051304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f742043410e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd48b8b553bc1d190550109285
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=51, length=1639
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027805d40dc0000007c816030107880b0005f80005f50005f2308205ee308204d6a003020102020a1dd5793c00000001fed8300d06092a864886f70d0101050500304f31153013060a0992268993f22c64011916056c6f63616c31153013060a0992268993f22c64011916057469726f6c311f301d06035504031316544c5220456e746572707269736520526f6f74204341301e170d3133303232363132313030315a170d3134303232363132313030315a30223120301e060355040313174456542d334e31344e344a2e7469726f6c2e6c6f63616c30819f300d06092a864886f70d010101050003818d0030818902818100c5be2126aec1ff7b30e6
EAP-Message = 0x3c70bb6add171f925af3072ecf8cea28abb03d0aa04e6dac47c8612e2ea39bf4db8619566e09b6a48251c3254d80efa99abc420d41b3e71951a2d09132ca7fa88b0fb9b9da96828890454de107b16e27c780a9977e8bd456713b3b9488e259e0491089f3de389d60bffdba38fad7229947f523afe0970203010001a382037b30820377303c06092b0601040182371507042f302d06252b060104018237150883e4ff7f82dcc104f1913085ddc64382eaa0205d8687a30983d8cc4402016502010030130603551d25040c300a06082b06010505070302300b0603551d0f0404030205a0301b06092b060104018237150a040e300c300a06082b06010505
EAP-Message = 0x070302301d0603551d0e041604141195d3b08c1b1b258a8f4e60d3721337bb8b1740301f0603551d23041830168014f42d3cfb8c85acd11b38899741763faba6a125493082015c0603551d1f048201533082014f3082014ba0820147a08201438681be6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d63612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f62
EAP-Message = 0x6173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748641687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f544c52253230456e7465727072697365253230526f6f7425323043412e63726c863d66696c653a2f2f5c5c63612e7469726f6c2e6c6f63616c5c43657274456e726f6c6c5c544c5220456e746572707269736520526f6f742043412e63726c3082015606082b0601050507010104820148308201443081bb06082b060105050730028681ae6c6461703a2f2f2f434e3d544c52253230456e7465727072697365253230526f6f7425323043412c434e3d4149412c434e
EAP-Message = 0x3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d7469726f6c2c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479305c06082b060105050730018650687474703a2f2f63612e7469726f6c2e6c6f63616c2f43657274456e726f6c6c2f63612e7469726f6c2e6c6f63616c5f544c52253230456e7465727072697365253230526f6f7425323043412e637274302606082b06010505073001861a687474703a2f2f63612e7469726f6c2e6c6f6361
EAP-Message = 0x6c2f6f637370300d06092a864886f70d01010505000382010100bbd070c97f3cf36f66d6cf8e5c3ddbe8c1129b12f2db35b8e246f9e7a718d87edb4de95e0e323dd3da45512a3ecde36ba178893a24909cbe1c0996f53993e4f28687dace13ad57734e8ee04447e4a637d03785c9cb3674dfe3eec5154b055fcfcb4240544da028667c44046f96487fd481eac219354519b2d2eaaf6aa8e298eb547c7a41f559e4a63a828b0450f14461fb5b5c620c6f4d627d8472538de3af77eba65f019f67d2dbd606f842186e51688e23b006cefe79b5e4c38043cce95b48074a4efbc4e0ae2d86
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd48b8b553bc1d190550109285
Message-Authenticator = 0xb0f9c303a89861c7febd447fbda87bee
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 7: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: xxxxxx
[sql] User found in radcheck table
[sql] expand: xxxxxx
rlm_sql (sql): Released sql socket id: 2
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 120 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1992
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns handled
+++- else else returns handled
++- else else returns handled
Sending Access-Challenge of id 51 to xxxxxx port 48570
EAP-Message = 0x017900060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4cc0b8cd49b9b553bc1d190550109285
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host xxxxxx port 48570, id=52, length=657
User-Name = "host/xxxxxx.tirol.local"
EAP-Message = 0x027902040d004048e02a79ebcd9e85ac6b426cb1cecc7c379052bb28a1c35065c9f7db85686f527185aa7ed6245c1ac179594aef391059086758d3b23f100001020100a87fe43fc47e3058ab6f8f7d26a9b1ee3d4c0191daa01a69c1ab8af666352aa5a2642f05fa0bae2eb354f3196fc745c766d098198686351b010b9dd143c63d1f3f9b67ebd274facb6c7fd44e167e8d06d8c3c8add4b24b7cae3384dd2c963ce1faf0582697430ad75fc2c8b20ae3430623bbccace6f42b8baa679dbf48ab1f68afcbd449e11a4b7539f914ae98d55fbaa59d80e3d6bc75a22e5390d70198ff446fc2a29bb07a9892285ad0c257806478e37af9a6663d9c01cfc9
EAP-Message = 0x8415bd1fd3adf2c80245e57d7db17392f73cd9b4e359bedfd060819201845b45e3a1c00853e59318bc79e322501a75e28a8d5bb8a9f2a163d4336a577e8459a45bbb782c09860f000082008091a8336a24f4705691940666e3e449b0adec4d6ac3e5783f4e11a18ec3ec9346ed0e39d3eb9f3ea6bf80da24511749e81faba9d9f67594f84cf6498eca548142ac5ff55a84e7f90027969ea1f7bba5043b526bbf03c5c5e1bb1d3354e6a133d65f486c208d81c2b479ddcec24c9cb4ed52d54d230dd9a0d146591eb1c955039c14030100010116030100303fb0dc239c5a1d72a542e08c8f4cf5184f8bd5e6a09094bf9567b7552701c63653b48a9bc4a2
EAP-Message = 0x882c05af515396286fef
NAS-IP-Address = xxxxxx
Service-Type = Login-User
Calling-Station-Id = "xxxxxx"
NAS-Port-Id = "1:15"
NAS-Port = 1015
NAS-Port-Type = Ethernet
State = 0x4cc0b8cd49b9b553bc1d190550109285
Message-Authenticator = 0xf59144ca01da73bd38c95d7f8ec7fd06
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> xxxxxx
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> xxxxxx
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> xxxxxx
++++[request] returns notfound
++++[noop] returns noop
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns noop
+++ ... skipping else for request 8: Preceding "if" was taken
++- policy rewrite.calling_station_id returns noop
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxx/auth-detail-20130528
[auth_log] expand: %t -> Tue May 28 17:31:47 2013
++[auth_log] returns ok
++- entering policy redundant {...}
[sql] expand: %{Calling-Station-Id} -> xxxxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: xxxxx
[sql] User found in radcheck table
[sql] expand: xxxxx
rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 121 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 05fc], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = host/xxxxxx.tirol.local
[tls] --> BUF-Name = TLR Enterprise Root CA
[tls] --> subject = /DC=local/DC=tirol/CN=TLR Enterprise Root CA
[tls] --> issuer = /DC=local/DC=tirol/CN=TLR Enterprise Root CA
[tls] --> verify return:1
that failing is on purpose!
[tls] Verifying client certificate: /usr/local/sbin/clrtest/ /etc/raddb/certs/.temp/ %{TLS-Client-Cert-Filename}
[tls] expand: %{TLS-Client-Cert-Filename} -> /var/tmp/radiusd/radiusd.client.XXSj2Dlm
Exec-Program output: Exec-Program: FAILED to execute /usr/local/sbin/clrtest/: Not a directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /usr/local/sbin/clrtest/: Not a directory
Exec-Program: returned: 1
rlm_eap_tls: Certificate CN (xxxxxx.tirol.local) fails external verification!
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = host/xxxxxx.tirol.local
[tls] --> BUF-Name = xxxxxx.tirol.local
[tls] --> subject = /CN=xxxxxx.tirol.local
[tls] --> issuer = /DC=local/DC=tirol/CN=TLR Enterprise Root CA
[tls] --> verify return:0
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++- entering else else {...}
++++[control] returns invalid
+++- else else returns invalid
++- else else returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxx.tirol.local/<via Auth-Type = EAP>] (from client xxxxxx port 1015 cli xxxxxx)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql_log] Processing sql_log_postauth
[sql_log] expand: %{User-Name} -> host/xxxxxx.tirol.local
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> host/xxxxxx.tirol.local
[sql_log] sql_set_user escaped user --> 'host/xxxxxx.tirol.local'
[sql_log] expand: INSERT INTO tlogauthentication (hostname, mac, nas, portid, porttype, reply, authtype, reason, createtimestamp, createuser) VALUES ('xxxxxx.tirol.local', '%{Calling-Station-Id}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%{reply:Packet-Type}', if('%{EAP-Type}' != '','%{EAP-Type}','MAC'), '%{control:MACAU-Reason}', '%S', 'radsqlrelay') -> INSERT INTO tlogauthentication (hostname, mac, nas, portid, porttype, reply, authtype, reason, createtimestamp, createuser) VALUES ('xxxxxx.tirol.local', 'xxxxxx', 'xxxxxx', '1015', 'Ethernet', 'Access-Reject', if('EAP-TLS' != '','EAP-TLS','MAC'), 'Zertifikat ungueltig (z.b. revoked/abgelaufen)', '2013-05-28 17:31:47', 'radsqlrelay')
[sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] returns ok
++[reply] returns ok
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 52 to xxxxxx port 48570
EAP-Message = 0x04790004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list