ntlm_auth fails for usernames that contain underscores
Joshua Essar
jessar at kvcc.edu
Wed Sep 17 01:50:35 CEST 2014
I was fighting a problem with a specific user's authentication to our radius server, and I discovered that any username that contains an underscore will fail. The user "ipad_user" will fail with the error message "NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)". This error can be seen in the radius output, and also when you use the command "ntlm_auth --username="ipad_user"". If you use the user "ipadcart" then it will work without any problems. This is true both for freeradius and when using the ntlm_auth command directly.
So, I get the following when the user has an underscore in the name:
ntlm_auth --username="ipad_user"
Password:
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
And I get this when the user does not have an underscore.
ntlm_auth --username="ipadcart"
Password:
NT_STATUS_OK: Success (0x0)
I have been unable to find anything useful online. Any help is appreciated.
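As an added diagnostic example (not from the post, and not Samba's or FreeRADIUS's own code), here is a small Python harness that parses the NTSTATUS line ntlm_auth prints and runs the same differential comparison the post does by hand, but over a set of names so that a single character can actually be isolated. The `run_ntlm_auth` wrapper is a hypothetical helper for live checks; the sample outputs are constructed to match the two runs above, and the control name `ipaduser` is constructed and not from the post.

```python
"""Differential test harness around ntlm_auth's status output.

The sample outputs below are constructed copies of the two runs in the post;
run_ntlm_auth() is a hypothetical wrapper for running the check live.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional, Set

# ntlm_auth finishes with a line such as
#   NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
#   NT_STATUS_OK: Success (0x0)
STATUS_RE = re.compile(r"^(NT_STATUS_[A-Z0-9_]+):\s*(.*?)\s*\((0x[0-9a-fA-F]+)\)$")


@dataclass(frozen=True)
class NtlmResult:
    status: str   # e.g. "NT_STATUS_INVALID_WORKSTATION"
    message: str  # e.g. "Invalid workstation"
    code: int     # numeric NTSTATUS, e.g. 0xc0000070

    @property
    def ok(self) -> bool:
        return self.code == 0


def parse_ntlm_auth_output(text: str) -> Optional[NtlmResult]:
    """Return the NTSTATUS result reported by ntlm_auth, or None if absent."""
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            return NtlmResult(m.group(1), m.group(2), int(m.group(3), 16))
    return None


def run_ntlm_auth(username: str, domain: str, password: str,
                  binary: str = "/usr/bin/ntlm_auth") -> Optional[NtlmResult]:
    """Hypothetical live wrapper (not exercised offline).

    The password is fed on stdin: ntlm_auth prompts 'Password:' when
    --password is absent, as the post shows, so the secret never appears
    in the process list the way --password=... on the command line would.
    """
    proc = subprocess.run(
        [binary, "--request-nt-key", f"--domain={domain}", f"--username={username}"],
        input=password + "\n", capture_output=True, text=True, check=False,
    )
    return parse_ntlm_auth_output(proc.stdout + proc.stderr)


def isolate_suspect_characters(results: Dict[str, NtlmResult]) -> Set[str]:
    """Characters present in every failing username and in no passing one.

    A single-character result points at character handling somewhere in the
    chain; several characters mean the sample set still lacks a control name
    that differs from a failing one by only that character.
    """
    failing = [u for u, r in results.items() if not r.ok]
    passing = [u for u, r in results.items() if r.ok]
    if not failing:
        return set()
    common = set.intersection(*(set(u) for u in failing))
    seen_in_passing = set().union(*(set(u) for u in passing)) if passing else set()
    return common - seen_in_passing


# Constructed sample outputs. The first two mirror the runs in the post; the
# "ipaduser" control is constructed here to differ from "ipad_user" only by
# the underscore.
SAMPLE_OUTPUTS = {
    "ipad_user": "Password:\nNT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)\n",
    "ipadcart": "Password:\nNT_STATUS_OK: Success (0x0)\n",
    "ipaduser": "Password:\nNT_STATUS_OK: Success (0x0)\n",
}


def analyse(outputs: Dict[str, str] = SAMPLE_OUTPUTS) -> Dict[str, object]:
    """Parse each run and report which characters only the failing names share."""
    results = {u: parse_ntlm_auth_output(o) for u, o in outputs.items()}
    missing = [u for u, r in results.items() if r is None]
    if missing:
        raise ValueError(f"no NT_STATUS line in output for: {missing}")
    return {"results": results, "suspect_characters": isolate_suspect_characters(results)}


if __name__ == "__main__":
    report = analyse()
    for user, res in report["results"].items():
        print(f"{user:12} {res.status} ({res.code:#010x})")
    print("characters unique to failing names:", report["suspect_characters"])
```

With only the two names from the post the harness reports {'_', 'u', 's', 'e'}, because "ipadcart" also lacks u, s and e; adding the "ipaduser" control narrows it to the underscore alone.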
Here is the full debug output
freeradius -X
freeradius: FreeRADIUS Version 3.0.3, for host x86_64-pc-linux-gnu, built on Jun 3 2014 at 09:56:35
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/utf8
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 60
cleanup_delay = 15
max_requests = 90240
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
WARNING: Ignoring "cleanup_delay = 15", forcing to "cleanup_delay = 10"
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client SERVER {
ipaddr = IP
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client SERVER {
ipaddr = IP
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client internal_networks {
ipaddr = 10.0.0.0
netmask = 8
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 90240
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/SERVER-key.pem"
certificate_file = "/etc/freeradius/certs/SERVER-cert.pem"
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=OUR.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_files
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
usersfile = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry rad-test ...
[/etc/freeradius/mods-config/files/authorize]:177 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry rad-test ...
[/etc/freeradius/mods-config/files/authorize]:177 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/freeradius/mods-enabled/ldap
ldap {
server = "SERVER"
port = 389
password = <<< secret >>>
identity = "SERVER_USER"
user {
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})"
scope = "sub"
base_dn = "dc=OUR,dc=DOMAIN"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "dc=OUR,dc=DOMAIN"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "dc=Our,dc=DOMAIN"
attribute {
identifier = "radiusClientIdentifier"
shortname = "cn"
secret = "radiusClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = yes
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 2
min = 1
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ad-ttc.OUR.DOMAIN:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to ad-ttc.OUR.DOMAIN:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = yes
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Creating Auth-Type = ntlm_auth
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.59.5.21
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = 10.59.5.21
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address 10.59.5.21 port 1812 as server default
Listening on acct address 10.59.5.21 port 1813 as server default
Ready to process requests.
Received Access-Request Id 32 from 10.254.3.37:1028 to 10.59.5.21:1812 length 157
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
Attr-26 = 0x000026ef030302
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026a000e01697061645f75736572
Message-Authenticator = 0x36e0a70138e28e2b0df65482f314b04d
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [files] = noop
(0) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(0) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(0) auth_log : EXPAND %t
(0) auth_log : --> Tue Sep 16 19:39:07 2014
(0) [auth_log] = ok
(0) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(0) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(0) eap : EAP packet type response id 106 length 14
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995e65b4d0
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 32 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016b00160410ba0c46d38201a0b1ae3f9a1beb34eecf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995e65b4d079be2e2bed2a9ad7
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 33 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026b00060319
State = 0x5e0eb0995e65b4d079be2e2bed2a9ad7
Message-Authenticator = 0x24a3b47dacac1729ecf96b6e3b058b5a
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /@\\./)
(1) if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [files] = noop
(1) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(1) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(1) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(1) auth_log : EXPAND %t
(1) auth_log : --> Tue Sep 16 19:39:07 2014
(1) [auth_log] = ok
(1) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(1) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(1) eap : EAP packet type response id 107 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) if (!control:Auth-Type)
(1) if (!control:Auth-Type) -> FALSE
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x5e0eb0995e65b4d0
(1) eap : Finished EAP session with state 0x5e0eb0995e65b4d0
(1) eap : Previous EAP request found for state 0x5e0eb0995e65b4d0, released from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995f62a9d0
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 33 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995f62a9d079be2e2bed2a9ad7
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 34 from 10.254.3.37:1028 to 10.59.5.21:1812 length 304
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026c009819800000008e16030100890100008503015418cb224c770a89f15523465c78b28bfcc51dced6f18ca0e8d41b350081bb7200004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x5e0eb0995f62a9d079be2e2bed2a9ad7
Message-Authenticator = 0x9d042cf64a65bf6aa380c7ff22288054
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /@\\./)
(2) if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [files] = noop
(2) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(2) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(2) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(2) auth_log : EXPAND %t
(2) auth_log : --> Tue Sep 16 19:39:07 2014
(2) [auth_log] = ok
(2) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(2) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(2) eap : EAP packet type response id 108 length 152
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x5e0eb0995f62a9d0
(2) eap : Finished EAP session with state 0x5e0eb0995f62a9d0
(2) eap : Previous EAP request found for state 0x5e0eb0995f62a9d0, released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 142
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 0089], ClientHello
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 07ca], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995c63a9d0
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 34 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 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
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995c63a9d079be2e2bed2a9ad7
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 35 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026d00061900
State = 0x5e0eb0995c63a9d079be2e2bed2a9ad7
Message-Authenticator = 0x9dcfcc025d316261e50b4889136d4894
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /@\\./)
(3) if (User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [files] = noop
(3) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(3) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(3) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(3) auth_log : EXPAND %t
(3) auth_log : --> Tue Sep 16 19:39:07 2014
(3) [auth_log] = ok
(3) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(3) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(3) eap : EAP packet type response id 109 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x5e0eb0995c63a9d0
(3) eap : Finished EAP session with state 0x5e0eb0995c63a9d0
(3) eap : Previous EAP request found for state 0x5e0eb0995c63a9d0, released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995d60a9d0
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 35 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 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
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995d60a9d079be2e2bed2a9ad7
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 36 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026e00061900
State = 0x5e0eb0995d60a9d079be2e2bed2a9ad7
Message-Authenticator = 0x236cfa89983c8d082b52881ecf9a4d95
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /@\\./)
(4) if (User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [files] = noop
(4) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(4) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(4) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(4) auth_log : EXPAND %t
(4) auth_log : --> Tue Sep 16 19:39:07 2014
(4) [auth_log] = ok
(4) if (User-Name =~ /^(.*)@(DOMAIN.DOMAIN)/)
(4) if (User-Name =~ /^(.*)@(DOMAIN.DOMAIN)/) -> FALSE
(4) eap : EAP packet type response id 110 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x5e0eb0995d60a9d0
(4) eap : Finished EAP session with state 0x5e0eb0995d60a9d0
(4) eap : Previous EAP request found for state 0x5e0eb0995d60a9d0, released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995a61a9d0
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 36 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016f02c81900f44933e43bf5256b7a31a3b96e3cd846fd51fd4843b8526824e994c026e1628cd09fae8dabf0bddbc8165e03331cf72dfdc02569b061fd009250cbd4544331c1183d69ba9c3ee6b3b8dec6f464254303d63094249eedd1147fa75acd892f51a11d26dcc3a28df8c2c0160301024b0c00024703001741040443b202c0e0e99b151a2484b29723daaaa174da9c145faba1e9b0fafd0cec619d7ac130ff08a11989c6caef13b6220b215b560c8a51a972b5505fa0f369754c0200a4ef4f6d70fba654e8bada9fe4a2c4ca54db40542f0eae17e9b8ee902fe54fed881b669ca23bab384c136fec2942dc9e3b31fb80a8d6cd95ff32af19b797c254a2c788fc4764202e23b42dcff21c0f8144a6c26e70aa2255ba0e5983a209b5c60a80c06d12dd97147d046e8d74654e7bf40929dbbe2819557c0dce7a023652efa8455a07d10657bab0f4f0fea1ae4791ac31bb77531b64c4704f8a7cdf1ef84dbfbb8b660ae88db56fc76b95ab91201b96ec228ec4bf190e0d3ba68cbbc97ee7921d43a020f568dd6992d237ac4ae8ab6dbb22a5a61de2b8eae79ca3642138b2eb48e523504d2ae97d49d8bb325c0c3afe62af8576dcae5daf0522ba1d28b783e62bbb5468f4d122d10f6cab5efeb7aa8cff2701b3f6f6cab62f89e383d6a5a1f64c080aeb43939163013b6441dd0a56f3532e7effd5d5c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995a61a9d079be2e2bed2a9ad7
(4) Finished request
Waking up in 0.2 seconds.
Waking up in 9.6 seconds.
Received Access-Request Id 37 from 10.254.3.37:1028 to 10.59.5.21:1812 length 296
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026f009019800000008616030100461000004241047d21ce852263a052e926d170585854248283a234a2a5a328943a7786ce4ec3ae7231f99a24f179fce01aecaa77e63efd61998f0e8ad375d9a0e200f6ca638e891403010001011603010030b1cff6d1032d1bb21ada7f35be9dacc42aea54b26268369c4f7e17e72ac6fd34a734f68cf6a952a2aa7b3ba01b1b2ef1
State = 0x5e0eb0995a61a9d079be2e2bed2a9ad7
Message-Authenticator = 0xbf6bfc5efb934328f711def3fafdb0f1
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /@\\./)
(5) if (User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [files] = noop
(5) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(5) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(5) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(5) auth_log : EXPAND %t
(5) auth_log : --> Tue Sep 16 19:39:09 2014
(5) [auth_log] = ok
(5) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(5) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(5) eap : EAP packet type response id 111 length 144
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x5e0eb0995a61a9d0
(5) eap : Finished EAP session with state 0x5e0eb0995a61a9d0
(5) eap : Previous EAP request found for state 0x5e0eb0995a61a9d0, released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap : TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 write finished A
(5) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session 23feab224052f9fe4eab7f184821ed75bef8bf597694768eb27f73579bc82fff to cache
(5) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995b7ea9d0
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge Id 37 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0170004119001403010001011603010030e6c295d7aae9143dc4297a8fee4d213501f4b699b6fcb997cfd2f7c5453cb023f6eae59338a9624478913ed5d26dda62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995b7ea9d079be2e2bed2a9ad7
(5) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 38 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x027000061900
State = 0x5e0eb0995b7ea9d079be2e2bed2a9ad7
Message-Authenticator = 0x0cba722e0b4b6224268067057e91ef69
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (User-Name =~ / /)
(6) if (User-Name =~ / /) -> FALSE
(6) if (User-Name =~ /@.*@/ )
(6) if (User-Name =~ /@.*@/ ) -> FALSE
(6) if (User-Name =~ /\\.\\./ )
(6) if (User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(6) if (User-Name =~ /\\.$/)
(6) if (User-Name =~ /\\.$/) -> FALSE
(6) if (User-Name =~ /@\\./)
(6) if (User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [files] = noop
(6) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(6) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(6) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(6) auth_log : EXPAND %t
(6) auth_log : --> Tue Sep 16 19:39:09 2014
(6) [auth_log] = ok
(6) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(6) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(6) eap : EAP packet type response id 112 length 6
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x5e0eb0995b7ea9d0
(6) eap : Finished EAP session with state 0x5e0eb0995b7ea9d0
(6) eap : Previous EAP request found for state 0x5e0eb0995b7ea9d0, released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099587fa9d0
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge Id 38 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0171002b190017030100203b52ad3e0f64411b224983c5f7047537861b2af70639dd1d85e0d5b595a02982
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099587fa9d079be2e2bed2a9ad7
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 39 from 10.254.3.37:1028 to 10.59.5.21:1812 length 195
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0271002b19001703010020353ecb90456b8267345a26cbb7d58f1717923f57c38f29608104e11dd510cc5a
State = 0x5e0eb099587fa9d079be2e2bed2a9ad7
Message-Authenticator = 0x2cac79b449304e16da7e9e1aa646ad57
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (User-Name =~ / /)
(7) if (User-Name =~ / /) -> FALSE
(7) if (User-Name =~ /@.*@/ )
(7) if (User-Name =~ /@.*@/ ) -> FALSE
(7) if (User-Name =~ /\\.\\./ )
(7) if (User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) if (User-Name =~ /\\.$/)
(7) if (User-Name =~ /\\.$/) -> FALSE
(7) if (User-Name =~ /@\\./)
(7) if (User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [files] = noop
(7) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(7) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(7) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(7) auth_log : EXPAND %t
(7) auth_log : --> Tue Sep 16 19:39:09 2014
(7) [auth_log] = ok
(7) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(7) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(7) eap : EAP packet type response id 113 length 43
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x5e0eb099587fa9d0
(7) eap : Finished EAP session with state 0x5e0eb099587fa9d0
(7) eap : Previous EAP request found for state 0x5e0eb099587fa9d0, released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - ipad_user
(7) eap_peap : Got inner identity 'ipad_user'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
EAP-Message = 0x0271000e01697061645f75736572
server default {
(7) eap_peap : Setting User-Name to ipad_user
Sending tunneled request
EAP-Message = 0x0271000e01697061645f75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'ipad_user'
server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(7) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(7) [mschap] = noop
(7) eap : EAP packet type response id 113 length 14
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x67ddd59567afcfb0
(7) [eap] = handled
(7) } # authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message = 0x017200231a0172001e102964090c7d234f63135d08194cc12b15697061645f75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67ddd59567afcfb0c214b1382438f3c2
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x017200231a0172001e102964090c7d234f63135d08194cc12b15697061645f75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67ddd59567afcfb0c214b1382438f3c2
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099597ca9d0
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge Id 39 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0172004b19001703010040a1b7086a5f526d2cbb50fe6c7d2b6fdb3df1d70a0aabb6f4a191e5fbc9c341d74e80a274c96319d41157f2ce1a0dcb3f3ccbcae8d10749427a8be4fb2565336c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099597ca9d079be2e2bed2a9ad7
(7) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 40 from 10.254.3.37:1028 to 10.59.5.21:1812 length 259
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0272006b190017030100603ed4b1cf115ebce357ca550122c6c5acb3d6ebd7402bcba329dd9f00d0a2266a47db9100b198c35daca1a27a56a95c5feab8babf07ed42c3bb6e50e12eea7a80212dee9e2c984e9a6fed4987c00e9a43a8db47bd94579a27f105c44d2f28c4f5
State = 0x5e0eb099597ca9d079be2e2bed2a9ad7
Message-Authenticator = 0xce4d2dd6f41fb04deb6eae00af9678c9
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (User-Name =~ / /)
(8) if (User-Name =~ / /) -> FALSE
(8) if (User-Name =~ /@.*@/ )
(8) if (User-Name =~ /@.*@/ ) -> FALSE
(8) if (User-Name =~ /\\.\\./ )
(8) if (User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) if (User-Name =~ /\\.$/)
(8) if (User-Name =~ /\\.$/) -> FALSE
(8) if (User-Name =~ /@\\./)
(8) if (User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [files] = noop
(8) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(8) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(8) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(8) auth_log : EXPAND %t
(8) auth_log : --> Tue Sep 16 19:39:09 2014
(8) [auth_log] = ok
(8) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(8) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(8) eap : EAP packet type response id 114 length 107
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x67ddd59567afcfb0
(8) eap : Finished EAP session with state 0x5e0eb099597ca9d0
(8) eap : Previous EAP request found for state 0x5e0eb099597ca9d0, released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x027200441a0272003f31e29bfcddf7f5d71806444be15a3d342c0000000000000000640d21afc605c90a830d479536bba660d9c839fcd5fe4bf800697061645f75736572
server default {
(8) eap_peap : Setting User-Name to ipad_user
Sending tunneled request
EAP-Message = 0x027200441a0272003f31e29bfcddf7f5d71806444be15a3d342c0000000000000000640d21afc605c90a830d479536bba660d9c839fcd5fe4bf800697061645f75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'ipad_user'
State = 0x67ddd59567afcfb0c214b1382438f3c2
server inner-tunnel {
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(8) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(8) [mschap] = noop
(8) eap : EAP packet type response id 114 length 68
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0x67ddd59567afcfb0
(8) eap : Finished EAP session with state 0x67ddd59567afcfb0
(8) eap : Previous EAP request found for state 0x67ddd59567afcfb0, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 : Auth-Type MS-CHAP {
(8) mschap : Creating challenge hash with username: ipad_user
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}}
(8) mschap : --> --username=ipad_user
(8) ERROR: mschap : No NT-Domain was found in the User-Name
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN}
(8) mschap : --> --domain=OUR.DOMAIN
(8) mschap : Creating challenge hash with username: ipad_user
(8) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(8) mschap : --> --challenge=8653c43c6bec2402
(8) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap : --> --nt-response=640d21afc605c90a830d479536bba660d9c839fcd5fe4bf8
(8) ERROR: mschap : Program returned code (1) and output 'Invalid workstation (0xc0000070)'
(8) mschap : External script failed.
(8) ERROR: mschap : External script says: Invalid workstation (0xc0000070)
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) eap : Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user.
(8) Login incorrect (mschap: No NT-Domain was found in the User-Name): [ipad_user] (from client internal_networks port 0 via TLS tunnel)
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) reply_log : EXPAND /var/log/freeradius/radacct/reply-detail-%Y%m%d
(8) reply_log : --> /var/log/freeradius/radacct/reply-detail-20140916
(8) reply_log : /var/log/freeradius/radacct/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/reply-detail-20140916
(8) reply_log : EXPAND %t
(8) reply_log : --> Tue Sep 16 19:39:09 2014
(8) [reply_log] = ok
(8) } # Post-Auth-Type REJECT = ok
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = 'rE=691 R=1'
EAP-Message = 0x04720004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = 'rE=691 R=1'
EAP-Message = 0x04720004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Tunneled authentication was rejected.
(8) eap_peap : FAILURE
(8) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099567da9d0
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge Id 40 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0173002b190017030100202cc42e6a6e3fa0ec523ef9408e28c3ef0babecd65cdfd4f765fd884bcee820c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099567da9d079be2e2bed2a9ad7
(8) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 41 from 10.254.3.37:1028 to 10.59.5.21:1812 length 195
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0273002b190017030100203e8fe9b011ca991f91750e50d130dc85937fbeada19e58755f3ccee809a0f33a
State = 0x5e0eb099567da9d079be2e2bed2a9ad7
Message-Authenticator = 0xa061cf2c4d87c481a05b961f24a0dcee
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (User-Name =~ / /)
(9) if (User-Name =~ / /) -> FALSE
(9) if (User-Name =~ /@.*@/ )
(9) if (User-Name =~ /@.*@/ ) -> FALSE
(9) if (User-Name =~ /\\.\\./ )
(9) if (User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(9) if (User-Name =~ /\\.$/)
(9) if (User-Name =~ /\\.$/) -> FALSE
(9) if (User-Name =~ /@\\./)
(9) if (User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [files] = noop
(9) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(9) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(9) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(9) auth_log : EXPAND %t
(9) auth_log : --> Tue Sep 16 19:39:09 2014
(9) [auth_log] = ok
(9) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/)
(9) if (User-Name =~ /^(.*)@(OUR.DOMAIN)/) -> FALSE
(9) eap : EAP packet type response id 115 length 43
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x5e0eb099567da9d0
(9) eap : Finished EAP session with state 0x5e0eb099567da9d0
(9) eap : Previous EAP request found for state 0x5e0eb099567da9d0, released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv failure
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : The users session was previously rejected: returning reject (again.)
(9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap : *** to find out the reason why the user was rejected.
(9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you.
(9) eap_peap : *** what went wrong, and how to fix the problem.
SSL: Removing session 23feab224052f9fe4eab7f184821ed75bef8bf597694768eb27f73579bc82fff from the cache
(9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap : Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user.
(9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [ipad_user] (from client internal_networks port 0 cli 64-E6-82-B6-2E-ED)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) detail : EXPAND /var/log/freeradius/radacct/detail-%Y%m%d
(9) detail : --> /var/log/freeradius/radacct/detail-20140916
(9) detail : /var/log/freeradius/radacct/detail-%Y%m%d expands to /var/log/freeradius/radacct/detail-20140916
(9) detail : EXPAND %t
(9) detail : --> Tue Sep 16 19:39:09 2014
(9) [detail] = ok
(9) reply_log : EXPAND /var/log/freeradius/radacct/reply-detail-%Y%m%d
(9) reply_log : --> /var/log/freeradius/radacct/reply-detail-20140916
(9) reply_log : /var/log/freeradius/radacct/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/reply-detail-20140916
(9) reply_log : EXPAND %t
(9) reply_log : --> Tue Sep 16 19:39:09 2014
(9) [reply_log] = ok
(9) attr_filter.access_reject : EXPAND %{User-Name}
(9) attr_filter.access_reject : --> ipad_user
(9) attr_filter.access_reject : Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(9) [eap] = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
Sending Access-Reject Id 41 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x04730004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 7.4 seconds.
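The inner-tunnel part of the trace, decoded as an added example (this is not code from the post, from FreeRADIUS or from Samba). It parses the EAP-Identity, EAP-MSCHAPv2 Challenge and EAP-MSCHAPv2 Response bytes that requests (7) and (8) print as EAP-Message, recomputes the RFC 2759 challenge hash that rlm_mschap expanded into --challenge=, compares the NT-Response with the --nt-response= value, and names the NTSTATUS in the external script's output. The packet hex and the logged values are copied from the trace above; the NTSTATUS table holds only the two codes that appear in this thread, spelled the way ntlm_auth prints them.

```python
"""Decode the inner-tunnel EAP-MSCHAPv2 exchange from the FreeRADIUS -X trace above.

Added example; not code from the original post, FreeRADIUS or Samba.  Packet hex
and the values rlm_mschap logged are copied from requests (7)/(8) of the trace.
"""
import hashlib
import re
from dataclasses import dataclass

EAP_TYPE_IDENTITY, EAP_TYPE_MSCHAPV2 = 1, 26   # RFC 3748 / RFC 2759 type numbers
MSCHAPV2_CHALLENGE, MSCHAPV2_RESPONSE = 1, 2   # MS-CHAPv2 opcodes

# Only the two status codes seen in this thread, named as Samba's ntlm_auth prints them.
NTSTATUS = {0x00000000: "NT_STATUS_OK", 0xC0000070: "NT_STATUS_INVALID_WORKSTATION"}

# Copied from the debug output: inner identity (7), server Challenge (7), peer Response (8).
INNER_IDENTITY = "0x0271000e01697061645f75736572"
SERVER_CHALLENGE = "0x017200231a0172001e102964090c7d234f63135d08194cc12b15697061645f75736572"
PEER_RESPONSE = ("0x027200441a0272003f31e29bfcddf7f5d71806444be15a3d342c0000000000000000"
                 "640d21afc605c90a830d479536bba660d9c839fcd5fe4bf800697061645f75736572")
# What rlm_mschap expanded onto the ntlm_auth command line, and what ntlm_auth answered.
LOGGED_CHALLENGE = "8653c43c6bec2402"
LOGGED_NT_RESPONSE = "640d21afc605c90a830d479536bba660d9c839fcd5fe4bf8"
LOGGED_SCRIPT_OUTPUT = "Invalid workstation (0xc0000070)"


@dataclass
class EapPacket:
    code: int        # 1 = Request, 2 = Response
    ident: int
    eap_type: int
    payload: bytes   # everything after the type byte


def parse_eap(hexstr: str) -> EapPacket:
    """Split one EAP-Message value as FreeRADIUS prints it; reject a bad length field."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw) or length < 5:
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    return EapPacket(raw[0], raw[1], raw[4], raw[5:])


def _mschapv2_payload(pkt: EapPacket, opcode: int, value_size: int) -> bytes:
    """Shared checks: type 26, expected opcode, MS-Length == EAP length - 5, Value-Size."""
    p = pkt.payload
    if pkt.eap_type != EAP_TYPE_MSCHAPV2 or p[0] != opcode:
        raise ValueError("not the expected EAP-MSCHAPv2 packet")
    if int.from_bytes(p[2:4], "big") != len(p) or p[4] != value_size:
        raise ValueError("MS-CHAPv2 length or value-size field is wrong")
    return p


def parse_challenge(pkt: EapPacket) -> dict:
    """Challenge: Value-Size 16, the authenticator challenge, then the server's name."""
    p = _mschapv2_payload(pkt, MSCHAPV2_CHALLENGE, 16)
    return {"ms_id": p[1], "auth_challenge": p[5:21], "name": p[21:].decode()}


def parse_response(pkt: EapPacket) -> dict:
    """Response: Value-Size 49 = peer challenge(16) + reserved(8) + NT-Response(24) + flags(1)."""
    p = _mschapv2_payload(pkt, MSCHAPV2_RESPONSE, 49)
    return {"ms_id": p[1], "peer_challenge": p[5:21], "reserved": p[21:29],
            "nt_response": p[29:53], "flags": p[53], "name": p[54:].decode()}


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 bytes of SHA-1(peer || authenticator || user)."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode())
    return h.digest()[:8]


def ntstatus_from_output(output: str):
    """Pull the hex NTSTATUS out of ntlm_auth's one-line result and look up its name."""
    m = re.search(r"\(0x([0-9a-fA-F]{1,8})\)", output)
    if not m:
        return None, "unparsed"
    code = int(m.group(1), 16)
    return code, NTSTATUS.get(code, "unknown")


def trace_inner_auth() -> dict:
    """Cross-check the tunneled packets against what rlm_mschap handed to ntlm_auth."""
    ident = parse_eap(INNER_IDENTITY)
    if ident.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("inner packet is not an EAP-Identity")
    chal = parse_challenge(parse_eap(SERVER_CHALLENGE))
    resp = parse_response(parse_eap(PEER_RESPONSE))
    computed = challenge_hash(resp["peer_challenge"], chal["auth_challenge"], resp["name"])
    code, name = ntstatus_from_output(LOGGED_SCRIPT_OUTPUT)
    return {
        "identity": ident.payload.decode(),
        "response_name": resp["name"],
        "nt_response_matches_log": resp["nt_response"].hex() == LOGGED_NT_RESPONSE,
        "challenge_hash": computed.hex(),
        "challenge_hash_matches_log": computed.hex() == LOGGED_CHALLENGE,
        "ntstatus": None if code is None else f"0x{code:08x}",
        "ntstatus_name": name,
    }


if __name__ == "__main__":
    for key, value in trace_inner_auth().items():
        print(f"{key:28} {value}")
```

Run it with python3 and read the challenge_hash line against the --challenge= value in request (8). What the decode shows: the underscore (0x5f) arrives intact in the inner EAP-Identity and in the MS-CHAPv2 Name field, the NT-Response bytes on the ntlm_auth command line are exactly the ones the peer sent, so the username handling inside FreeRADIUS is not where this request goes wrong. The "Login incorrect (mschap: No NT-Domain was found ...)" summary quotes the first message the module logged; the trace shows the default domain was applied right after it, and the reject itself is ntlm_auth exiting 1 with 0xc0000070. By definition NT_STATUS_INVALID_WORKSTATION means the account may not log on from the workstation name presented, and ntlm_auth presents the local Samba machine name unless --workstation is given, so the account's logon workstation restriction is the first thing to check on the domain side.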