session log in SQL

Khapare Joshi khapare77 at gmail.com
Tue Apr 7 17:16:44 CEST 2015


I have tried today with Simultaneous-Use with gidNumber; here is what I did.

Added to /etc/raddb/ldap.attrmap:
checkItem       gidNumber                       gidnumber

I also had to add to /etc/raddb/dictionary:
ATTRIBUTE       gidnumber               3003    integer

Commented out these two lines in the users file:
#DEFAULT Simultaneous-Use := 2
#          Fall-Through = 1

In /etc/raddb/sites-enabled/default, right after the ldap section, I added these:

#DEFAULT Simultaneous-Use := 2
#          Fall-Through = 1

# Reject if user is not in LDAP
ldap
if (notfound) {
    reject
}

# check gid for simultaneous use

if ("%{gidnumber}" < 200) {
    update request {
        Simultaneous-Use := 1
    }
    else {
        update request {
            Simultaneous-Use := 2
        }
    }
}

The regex check returns true for user testsim, who has a gid less than 200,
but testsim is still able to log in a 2nd and 3rd time.

Can anyone see what I am missing?

Here is the debug output:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=221,
length=143
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0x02aa50ca6938abf111e98eb999837890
    EAP-Message = 0x02020012016e656d616e64694068692e6973
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 0: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testsim
[ldap]     expand: %{Stripped-User-Name} -> testsim
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testsim)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldapserver:389, authentication 0
  [ldap] bind as cn=ldapusername,ou=user,dc=example,dc=com/Wum8dili to
ldapserver:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter (uid=testsim)
[ldap] looking for check items in directory...
  [ldap] gidnumber -> gidnumber == 151
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++? if ("%{gidnumber}" < 200)
    expand: %{gidnumber} ->
? Evaluating ("%{gidnumber}" < 200) -> TRUE
++? if ("%{gidnumber}" < 200) -> TRUE
++if ("%{gidnumber}" < 200) {
+++update request {
+++} # update request = noop
+++ ... skipping else for request 0: No preceding "if"
++} # if ("%{gidnumber}" < 200) = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 221 to 10.128.5.1 port 1645
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=222,
length=250
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xfd419fe8a45bd6e0774f49ec6275fb5b
    EAP-Message =
0x0203006b198000000061160301005c0100005803015523f1cc76277ea93a499680dff35585086bd083bf539087c3d3ca6d0053824b000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 1: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 3 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 97
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005c], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 222 to 10.128.5.1 port 1645
    EAP-Message = [payload omitted]
    EAP-Message =
0x74686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d257278bcb3d80351c6c39a144f9ee55accaf13aa2bdc5e78c1191b6126542cdb0b8edf81f72bc80e905d30fe95d9f54200778bff7e808

    EAP-Message = [payload omitted]
    EAP-Message =
0xd6555994880868e54137c4d487acaeccded09ea5d265a1b2faa142dc0e8214b112cea1077f91d8e77a0516ad66524e964fc108774fa3538f4d8de1cbd41a08d4f356ccebb3a1fabcfd2b40d3ab12ff487995b42176e9201c165c4e00ac79be6379578bfa1109299015652b9c9160abff3ab2b87027590f6f46bd817cac00b168a06203959212727cec0bcb8555ff7c47e05bf459bee769989ba4c15619ab4256ed025b5c93e2f4316ad86167b1186e71aa407ad5e3e283ab0d3637b189f0ab5a0c9cbf73446230f511cc2b60da090f6c46842b61437c8e841f44b32d01b6d4e676cb23c7b5c9bfd20e6df238342e7de3596789f62dd5b3fd77f76654b2

    EAP-Message = 0x3f0004ab308204a73082038f
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=223,
length=149
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xcdf001eb09d55ebe49a413ac8258de09
    EAP-Message = 0x020400061900
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 2: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 223 to 10.128.5.1 port 1645
    EAP-Message = [payload omitted]
    EAP-Message = [payload omitted]
    EAP-Message = [payload omitted]
    EAP-Message = [payload omitted]
    EAP-Message = 0x0419550efe88be07
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=224,
length=149
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xbacc4317b1136b351cc1cc6039e0d89d
    EAP-Message = 0x020500061900
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 3: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 224 to 10.128.5.1 port 1645
    EAP-Message =
0x010600bc190041272a2350e3d6c24837dc0dbeb6e38b25a4ef6a30dd86b675003ab0caf1e67a8fd59bf978b5a7a7cfd80884010333063b092a16ba58e339ddaffe55a835f75524219202ab6440731dafebb7c70dc3c4a49fe5302bf993adefb6e23a00619553a65807db09b4c3ca67d12fa32d6dc1f307ab4b39ac8a7b3bb4dc7a20d43d08feef956d5f96c50612ad5b7e90e305b2d42d29305e7a4c8ee180574730b0baa1fff7ddaa8ea5cf2d7abda4972f1f16030100040e000000

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a1be2612134a7040a4f7c7f0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=225,
length=481
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0x1b6a04acc1ac9f7562cc21cdd235b803
    EAP-Message = [payload omitted]
    EAP-Message =
0xd2c542547236d0816e9c2087ef8ff3d200948c9c0d9072cc1403010001011603010030e8f84acc73fa965b426e046f4ce672449970041f141f5a8a863abde5ee84ff7b74608693bc6dd24f992f88995d3359a8

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a1be2612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 4: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 225 to 10.128.5.1 port 1645
    EAP-Message =
0x01070041190014030100010116030100308b7010b2ebd53202917c6c335fd911d59440f1ff7f0e4b0111af3f6ea07f618a346ee62af231d63642ddaf85fb80366c

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=226,
length=149
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xd5e9682a9907090b414098c537246c61
    EAP-Message = 0x020700061900
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 5: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 226 to 10.128.5.1 port 1645
    EAP-Message =
0x0108002b1900170301002048607d38300123d55551449d7188425122d57218a0f0625d7ae1ab21816151ef

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a7b02612134a7040a4f7c7f0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=227,
length=202
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0x6d9a70ff8d3c93157f29870a4b997e71
    EAP-Message =
0x0208003b190017030100301daac43e2727962799048843bab2749321d10f3e23964b80fec66c95e835965505f86b4c2e99f396b384d04ef3793804

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a7b02612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 6: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 8 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testsim@example.com
[peap] Got inner identity 'testsim@example.com'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
    EAP-Message = 0x02080012016e656d616e64694068692e6973
server  {
[peap] Setting User-Name to testsim@example.com
Sending tunneled request
    EAP-Message = 0x02080012016e656d616e64694068692e6973
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 6: Preceding "if" was taken
++} # else else = noop
++[chap] = noop
++[mschap] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testsim
[ldap]     expand: %{Stripped-User-Name} -> testsim
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testsim)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=testsim)
[ldap] looking for check items in directory...
  [ldap] gidnumber -> gidnumber == 151
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message =
0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4dae11ad4da70b1e038f24cf8612d4dc
[peap] Got tunneled reply RADIUS code 11
    EAP-Message =
0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4dae11ad4da70b1e038f24cf8612d4dc
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 227 to 10.128.5.1 port 1645
    EAP-Message =
0x0109004b1900170301004021a9ac287e38573ff649fa0fc5592eefbfcf61a411d757f1a5be38136975a2d725a5b953fcd4b3c9c8e61a7d4176235314a8f7d9c68402b6a8646c5428d8f8dc

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a4b12612134a7040a4f7c7f0
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=228,
length=250
    User-Name = "testsim@example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xd30b4ca2d8985460f35e371c5525ebf8
    EAP-Message =
0x0209006b1900170301006057219e51b1c64730179efd42c63c537a6bcb10b316ab72fd3a06c1097a05197962444babc5c393f3ff253b393ae185a64aaaf6f0b1b2bb5b8284664dc6b15c94b2a733cd82a84d8693cd9307ca900fea86362c300c8535fa5c15a49ea1bf1109

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a4b12612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 7: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message =
0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973

server  {
[peap] Setting User-Name to testsim@example.com
Sending tunneled request
    EAP-Message =
0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973

    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "testsim at example.com"
    State = 0x4dae11ad4da70b1e038f24cf8612d4dc
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 7: Preceding "if" was taken
++} # else else = noop
++[chap] = noop
++[mschap] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testsim
[ldap]     expand: %{Stripped-User-Name} -> testsim
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testsim)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=testsim)
[ldap] looking for check items in directory...
  [ldap] gidnumber -> gidnumber == 151
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: testsim at example.com
[mschap] Client is using MS-CHAPv2 for testsim at example.com, we need
NT-Password
[mschap]     expand: %{Stripped-User-Name} -> testsim
[mschap]     expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
--username=testsim
[mschap] Creating challenge hash with username: testsim at example.com
[mschap]     expand: %{mschap:Challenge} -> fd1acc5e260d5490
[mschap]     expand: --challenge=%{%{mschap:Challenge}:-00} ->
--challenge=fd1acc5e260d5490
[mschap]     expand: %{mschap:NT-Response} ->
6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b
[mschap]     expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b
Exec output: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7
Exec plaintext: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7
[mschap] Exec: program returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message =
0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4dae11ad4ca40b1e038f24cf8612d4dc
[peap] Got tunneled reply RADIUS code 11
    EAP-Message =
0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4dae11ad4ca40b1e038f24cf8612d4dc
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 228 to 10.128.5.1 port 1645
    EAP-Message =
0x010a005b19001703010050c419eda1954c1ed1e82d748c94d1a63753c1ac8edfc3b66232ca1887f954a98a630e93e27a38eb5daad0b6e3cea181f8595504a8d23574b3427bd9f2b23763e92477b382be6ae942f9ecf49915c14076

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5a5b22612134a7040a4f7c7f0
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=229,
length=186
    User-Name = "testsim at example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0x51ae9679910cecd0d58916829fb30ba0
    EAP-Message =
0x020a002b19001703010020d06b0b26fb835b35cec729cc1f8251ce14ccb043b4b12d08d9407fa39c033675

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5a5b22612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 8: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x020a00061a03
server  {
[peap] Setting User-Name to testsim at example.com
Sending tunneled request
    EAP-Message = 0x020a00061a03
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "testsim at example.com"
    State = 0x4dae11ad4ca40b1e038f24cf8612d4dc
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 8: Preceding "if" was taken
++} # else else = noop
++[chap] = noop
++[mschap] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testsim
[ldap]     expand: %{Stripped-User-Name} -> testsim
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testsim)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=testsim)
[ldap] looking for check items in directory...
  [ldap] gidnumber -> gidnumber == 151
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [testsim at example.com] (from client nas1.example.com port 7524 cli
0021.5c5b.8ef3 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
    MS-MPPE-Encryption-Policy = 0x00000002
    MS-MPPE-Encryption-Types = 0x00000004
    MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e
    MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "testsim"
[peap] Got tunneled reply RADIUS code 2
    MS-MPPE-Encryption-Policy = 0x00000002
    MS-MPPE-Encryption-Types = 0x00000004
    MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e
    MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "testsim"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 229 to 10.128.5.1 port 1645
    EAP-Message =
0x010b002b19001703010020363e2a4cd330a0c844f2214030ef8221a42c61ed1c69b43ccbdd225b62bf6a63

    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa2b83fc5aab32612134a7040a4f7c7f0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=230,
length=186
    User-Name = "testsim at example.com"
    Framed-MTU = 1400
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    Service-Type = Login-User
    Message-Authenticator = 0xa7197dffc2a77251f453e7369cee4c78
    EAP-Message =
0x020b002b1900170301002016250e0ba43693e71a364e24e63acf17627766966ff911935cdf1b35606c5e71

    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    State = 0xa2b83fc5aab32612134a7040a4f7c7f0
    NAS-IP-Address = 10.128.5.1
    NAS-Identifier = "nas1"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i))
?? Evaluating (User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~
/^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE
++else else {
+++update request {
    expand: %{1} -> testsim
    expand: %{2} -> example.com
+++} # update request = noop
+++? if (Realm == "example.com")
? Evaluating (Realm == "example.com") -> TRUE
+++? if (Realm == "example.com") -> TRUE
+++if (Realm == "example.com") {
++++update control {
++++} # update control = noop
+++} # if (Realm == "example.com") = noop
+++ ... skipping else for request 9: Preceding "if" was taken
++} # else else = noop
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[auth_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407
[auth_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[auth_log] = ok
++[mschap] = noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
    User-Name = "testsim"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [testsim at example.com] (from client nas1.example.com port 7524 cli
0021.5c5b.8ef3)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
[reply_log]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[reply_log]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/reply-detail-20150407
[reply_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/reply-detail-20150407
[reply_log]     expand: %t -> Tue Apr  7 15:03:37 2015
++[reply_log] = ok
+} # group post-auth = ok
Sending Access-Accept of id 230 to 10.128.5.1 port 1645
    User-Name = "testsim"
    MS-MPPE-Recv-Key =
0x32be352f485e290265607f4ffff0e8d5ee25ea070d5344a615826c46e69a32df
    MS-MPPE-Send-Key =
0x47d8439137a5e8b35b3e50583b7cd72b78a6a7568c491cc6d3ab2016bb3d3222
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.128.5.1 port 1646, id=244,
length=113
    Acct-Session-Id = "00001D42"
    Called-Station-Id = "001d.a282.dda0"
    Calling-Station-Id = "0021.5c5b.8ef3"
    User-Name = "testsim"
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 7524
    Service-Type = Framed-User
    NAS-IP-Address = 10.128.5.1
    Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 7524,,NAS-IP-Address =
10.128.5.1,Acct-Session-Id = "00001D42",User-Name = "testsim"'
[acct_unique] Acct-Unique-Session-ID = "74d9ace36de7e57c".
++[acct_unique] = ok
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /etc/raddb/sites-enabled/default
+group accounting {
[detail]     expand: %{Packet-Src-IP-Address} -> 10.128.5.1
[detail]     expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-> /var/log/radius/radacct/10.128.5.1/detail-20150407
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.128.5.1/detail-20150407
[detail]     expand: %t -> Tue Apr  7 15:03:37 2015
++[detail] = ok
[sql]     expand: %{Stripped-User-Name} ->
[sql]     ... expanding second conditional
[sql]     expand: %{User-Name} -> testsim
[sql]     expand: %{%{User-Name}:-DEFAULT} -> testsim
[sql]     expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
testsim
[sql] sql_set_user escaped user --> 'testsim'
[sql]     expand: %{Acct-Delay-Time} -> 0
[sql]     expand:            INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,
realm,            nasipaddress,     nasportid,
nasporttype,      acctstarttime,    acctstoptime,
acctsessiontime,  acctauthentic,    connectinfo_start,
connectinfo_stop, acctinputoctets,  acctoutputoctets,
calledstationid,  callingstationid, acctterminatecause,
servicetype,      framedprotocol,   framedipaddress,
acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)
VALUES             ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}',
'%{Connect-Info}',              '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 31
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
[attr_filter.accounting_response]     expand: %{User-Name} -> testsim
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Res

On Wed, Mar 18, 2015 at 1:06 PM, Khapare Joshi <khapare77 at gmail.com> wrote:

> Thanks Alan,
>
> It looks like Simultaneous-Use is working in my test environment.
>
> I set DEFAULT Simultaneous-Use := 2 in the users file and performed the test
> with that configuration. This works as it should:
>
> ++[eap] = ok
> +} # group authenticate = ok
> # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel
> +group session {
> [sql]     expand: %{Stripped-User-Name} -> khapare
> [sql]     expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
> khapare
> [sql] sql_set_user escaped user --> 'khapare'
> [sql]     expand: SELECT COUNT(*)                              FROM
> radacct                              WHERE username =
> '%{SQL-User-Name}'                              AND acctstoptime IS NULL ->
> SELECT COUNT(*)                              FROM
> radacct                              WHERE username =
> 'khapare'                              AND acctstoptime IS NULL
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] = ok
> +} # group session = ok
> Multiple logins (max 2) : [khapare at realm.com] (from client nas1.realm.com
> port 7348 cli 2002.afd1.523e via TLS tunnel)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> khapare at realm.com
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>     Reply-Message := "\r\nYou are already logged in 2 times  - access
> denied\r\n\n"
> [peap] Got tunneled reply RADIUS code 3
>     Reply-Message := "\r\nYou are already logged in 2 times  - access
> denied\r\n\n"
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> This is good. Now I want to search users in LDAP for their group
> membership and set Simultaneous-Use accordingly:
>
> if the user is a student: Simultaneous-Use := 2
> if the user is staff: Simultaneous-Use := 5
> all others: 7
>
> On Thu, Mar 5, 2015 at 12:56 PM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Mar 5, 2015, at 4:16 AM, Khapare Joshi <khapare77 at gmail.com> wrote:
>> > My NAS was bad - it was not sending accounting data. Now the NAS is sending
>> > data and radacct has been populated.
>>
>>   That’s usually the problem.
>>
>> > Could it be that when radius is executing the session section it is looking
>> > for khapare at realm.com, but in the database the username is only the
>> > username, i.e. khapare?
>>
>>   Yes.  If you run the server in debugging mode, you’ll see what it’s
>> doing.
>>
>> > 1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op,
>> > Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still
>> > have to define in /etc/raddb/users file as :
>>
>>   No.  The server doesn’t care where an attribute comes from.
>>
>> > 2. or am I doing something stupid here?
>>
>>   No.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
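
An added example, not code from this thread or from the FreeRADIUS project: it re-implements the simultaneous_check query shown in the quoted session section (SELECT COUNT(*) FROM radacct WHERE username = ... AND acctstoptime IS NULL) against an in-memory sqlite radacct table filled with constructed rows, applies the per-group limits the poster plans (student 2, staff 5, others 7), and shows the failure mode Alan points at: accounting stores the bare username ("testsim", "khapare"), so if the check queries the full "user at realm" form the count is always 0 and the limit never fires. The group names, the gid-to-group mapping, the stop_session helper and the sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed radacct rows (sample data, not the poster's database).
# acctstoptime IS NULL marks a session that is still open, exactly as the
# accounting INSERT in the log leaves it (acctstoptime NULL on Start).
SAMPLE_RADACCT = [
    # acctsessionid, username, nasipaddress, nasportid, acctstoptime
    ("00001D42", "testsim", "10.128.5.1", 7524, None),
    ("00001D43", "testsim", "10.128.5.1", 7525, None),
    ("00001A10", "khapare", "10.128.5.1", 7348, None),
    ("00001A11", "khapare", "10.128.5.1", 7349, None),
    ("00000F01", "alice",   "10.128.5.1", 7001, "2015-04-07 14:00:00"),
]

# Assumed per-group limits following the plan in the thread:
# students 2, staff 5, everyone else 7.
GROUP_LIMITS = {"student": 2, "staff": 5}
DEFAULT_LIMIT = 7


def open_db():
    """Create an in-memory radacct table with only the columns the check needs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE radacct (
               acctsessionid TEXT, username TEXT, nasipaddress TEXT,
               nasportid INTEGER, acctstoptime TEXT)"""
    )
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", SAMPLE_RADACCT)
    return db


def sql_user_name(user_name, stripped_user_name=None):
    """Mirror %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}.

    The realm-stripped name wins when the realm module set it; otherwise the
    raw User-Name is used. This is the value accounting wrote into radacct,
    so the simultaneous-use check must derive it the same way.
    """
    return stripped_user_name or user_name or "DEFAULT"


def open_sessions(db, sql_user):
    """simultaneous_check: count rows for this user that have no stop time.

    Bound parameter instead of string interpolation; rlm_sql escapes
    SQL-User-Name before interpolating it, a bound parameter needs no escaping.
    """
    row = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (sql_user,),
    ).fetchone()
    return row[0]


def simultaneous_use_limit(group):
    """Assumed group-to-limit mapping (the thread keys this on LDAP group)."""
    return GROUP_LIMITS.get(group, DEFAULT_LIMIT)


def check_login(db, user_name, stripped_user_name, group):
    """Return (accept, open_count, limit).

    Rejects when the user already holds `limit` open sessions, which is the
    'Multiple logins (max N)' path in the quoted debug output.
    """
    sql_user = sql_user_name(user_name, stripped_user_name)
    count = open_sessions(db, sql_user)
    limit = simultaneous_use_limit(group)
    return (count < limit, count, limit)


def stop_session(db, acctsessionid, stop_time="2015-04-07 15:10:00"):
    """Emulate an Accounting Stop for one session so it no longer counts."""
    db.execute(
        "UPDATE radacct SET acctstoptime = ? WHERE acctsessionid = ?",
        (stop_time, acctsessionid),
    )
    db.commit()


if __name__ == "__main__":
    db = open_db()
    # Check queried with the unstripped name: count is 0, limit never fires.
    print(check_login(db, "khapare@realm.com", None, "student"))
    # Same user with Stripped-User-Name set: two open sessions, rejected at 2.
    print(check_login(db, "khapare@realm.com", "khapare", "student"))
    # Staff limit of 5 leaves room for testsim's third login.
    print(check_login(db, "testsim@example.com", "testsim", "staff"))
```

The key observable is the first two calls: the same user is accepted or rejected purely on whether the name passed to the query matches what accounting stored. The real rlm_sql module does one more thing this example omits: when the count reaches the limit it runs the simul_verify_query and asks the NAS (checkrad) whether each listed session is still alive, so a NAS that never sends Accounting Stop does not permanently lock the user out. Without that step, stale rows in radacct would be a denial-of-service against your own users.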


More information about the Freeradius-Users mailing list