Not able to receive inner identity in Access-Accept (Problem revisited)

Lai Fu Keung tfklai at hku.hk
Thu Jan 15 05:48:30 CET 2015


Hi,

I am trying to configure my FR v3.0.4 to pass the inner identity to the outer in an eap-peap setup. I read some of the old mails with similar issues, like the following:

http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.html

I made the following settings as suggested in the mail:

1. Update outer reply in file inner-tunnel, post auth:
        update outer.reply {
                User-Name = "%{request:User-Name}"
        }
2. Set "use_tunneled_reply=yes" in file eap

With the above settings, I still couldn't get it working. I compared my debug with that of the above article. I see the difference at this line:

eap_peap : Using saved attributes from the original Access-Accept
        Stripped-User-Name = 'bob'

The above article uses "User-Name". Is this the difference?

I use "Stripped-User-Name" for actual authentication against ldap, but want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases.
Near the end of the debug, I even see:

Stripped-User-Name = 'bigman'

which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity".

Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows.

Fu-Keung



Received Access-Request Id 23 from 10.10.1.1:3406 to 10.80.1.1:1812 length 234
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x0201000b016269676d616e
        Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
(1) Received Access-Request packet from host 10.10.1.1 port 3406, id=23, length=234
(1)     User-Name = 'bigman'
(1)     Framed-MTU = 1450
(1)     EAP-Message = 0x0201000b016269676d616e
(1)     Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
(1)     Chargeable-User-Identity = 0x00
(1)     NAS-IP-Address = 10.10.1.1
(1)     NAS-Identifier = 'WiFi-Controller-7'
(1)     NAS-Port = 33558758
(1)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(1)     NAS-Port-Type = Wireless-802.11
(1)     Service-Type = Framed-User
(1)     Framed-Protocol = PPP
(1)     Calling-Station-Id = '00-18-60-68-03-EC'
(1)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(1)     Acct-Session-Id = '115001511383b5ab70'
(1)     Framed-IP-Address = 202.189.123.194
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (&User-Name =~ / /)
(1)     if (&User-Name =~ / /)  -> FALSE
(1)     if (&User-Name =~ /@.*@/ )
(1)     if (&User-Name =~ /@.*@/ )  -> FALSE
(1)     if (&User-Name =~ /\\.\\./ )
(1)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)     if (&User-Name =~ /\\.$/)
(1)     if (&User-Name =~ /\\.$/)   -> FALSE
(1)     if (&User-Name =~ /@\\./)
(1)     if (&User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(1)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1)  auth_log : EXPAND %t
(1)  auth_log :    --> Thu Jan 15 11:38:41 2015
(1)   [auth_log] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)  suffix : Checking for suffix after "@"
(1)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(1)  suffix : Found realm "NULL"
(1)  suffix : Adding Stripped-User-Name = "bigman"
(1)  suffix : Adding Realm = "NULL"
(1)  suffix : Authentication realm is LOCAL
(1)   [suffix] = ok
(1)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(1) EXPAND %{Realm}
(1)    --> NULL
(1)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(1)  eap : Peer sent code Response (2) ID 1 length 11
(1)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1)   [eap] = ok
(1)  } #  authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1)   authenticate {
(1)  eap : Peer sent method Identity (1)
(1)  eap : Calling eap_peap to process EAP data
(1)  eap_peap : Flushing SSL sessions (of #0)
(1)  eap_peap : Initiate
(1)  eap_peap : Start returned 1
(1)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c45dc8f5
(1)   [eap] = handled
(1)  } #  authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=23, length=0
(1)     EAP-Message = 0x010200061920
(1)     Message-Authenticator = 0x00000000000000000000000000000000
(1)     State = 0xc45fd1a2c45dc8f54b145a25fcad284d
Sending Access-Challenge Id 23 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 24 from 10.10.1.1:3406 to 10.80.1.1:1812 length 481
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message =

        Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) Received Access-Request packet from host 10.10.1.1 port 3406, id=24, length=481
(2)     User-Name = 'bigman'
(2)     Framed-MTU = 1450
(2)     EAP-Message =

(2)     Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
(2)     Chargeable-User-Identity = 0x00
(2)     NAS-IP-Address = 10.10.1.1
(2)     NAS-Identifier = 'WiFi-Controller-7'
(2)     NAS-Port = 33558758
(2)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(2)     NAS-Port-Type = Wireless-802.11
(2)     Service-Type = Framed-User
(2)     Framed-Protocol = PPP
(2)     Calling-Station-Id = '00-18-60-68-03-EC'
(2)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(2)     Acct-Session-Id = '115001511383b5ab70'
(2)     Framed-IP-Address = 202.189.123.194
(2)     State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (&User-Name =~ / /)
(2)     if (&User-Name =~ / /)  -> FALSE
(2)     if (&User-Name =~ /@.*@/ )
(2)     if (&User-Name =~ /@.*@/ )  -> FALSE
(2)     if (&User-Name =~ /\\.\\./ )
(2)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (&User-Name =~ /\\.$/)
(2)     if (&User-Name =~ /\\.$/)   -> FALSE
(2)     if (&User-Name =~ /@\\./)
(2)     if (&User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(2)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2)  auth_log : EXPAND %t
(2)  auth_log :    --> Thu Jan 15 11:38:41 2015
(2)   [auth_log] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)  suffix : Checking for suffix after "@"
(2)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(2)  suffix : Found realm "NULL"
(2)  suffix : Adding Stripped-User-Name = "bigman"
(2)  suffix : Adding Realm = "NULL"
(2)  suffix : Authentication realm is LOCAL
(2)   [suffix] = ok
(2)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(2) EXPAND %{Realm}
(2)    --> NULL
(2)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(2)  eap : Peer sent code Response (2) ID 2 length 240
(2)  eap : Continuing tunnel setup
(2)   [eap] = ok
(2)  } #  authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2)   authenticate {
(2)  eap : Expiring EAP session with state 0xc45fd1a2c45dc8f5
(2)  eap : Finished EAP session with state 0xc45fd1a2c45dc8f5
(2)  eap : Previous EAP request found for state 0xc45fd1a2c45dc8f5, released from the list
(2)  eap : Peer sent method PEAP (25)
(2)  eap : EAP PEAP (25)
(2)  eap : Calling eap_peap to process EAP data
(2)  eap_peap : processing EAP-TLS
  TLS Length 230
(2)  eap_peap : Length Included
(2)  eap_peap : eaptls_verify returned 11
(2)  eap_peap : (other): before/accept initialization
(2)  eap_peap : TLS_accept: before/accept initialization
(2)  eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello
  SSL: Client requested cached session 976ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e74
(2)  eap_peap : TLS_accept: SSLv3 read client hello A
(2)  eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2)  eap_peap : TLS_accept: SSLv3 write server hello A
(2)  eap_peap : >>> TLS 1.0 Handshake [length 0cb2], Certificate
(2)  eap_peap : TLS_accept: SSLv3 write certificate A
(2)  eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2)  eap_peap : TLS_accept: SSLv3 write key exchange A
(2)  eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2)  eap_peap : TLS_accept: SSLv3 write server done A
(2)  eap_peap : TLS_accept: SSLv3 flush data
(2)  eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2)  eap_peap : eaptls_process returned 13
(2)  eap_peap : FR_TLS_HANDLED
(2)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c55cc8f5
(2)   [eap] = handled
(2)  } #  authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=24, length=0
(2)     EAP-Message =

(2)     Message-Authenticator = 0x00000000000000000000000000000000
(2)     State = 0xc45fd1a2c55cc8f54b145a25fcad284d
Sending Access-Challenge Id 24 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 25 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) Received Access-Request packet from host 10.10.1.1 port 3406, id=25, length=247
(3)     User-Name = 'bigman'
(3)     Framed-MTU = 1450
(3)     EAP-Message = 0x020300061900
(3)     Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
(3)     Chargeable-User-Identity = 0x00
(3)     NAS-IP-Address = 10.10.1.1
(3)     NAS-Identifier = 'WiFi-Controller-7'
(3)     NAS-Port = 33558758
(3)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(3)     NAS-Port-Type = Wireless-802.11
(3)     Service-Type = Framed-User
(3)     Framed-Protocol = PPP
(3)     Calling-Station-Id = '00-18-60-68-03-EC'
(3)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(3)     Acct-Session-Id = '115001511383b5ab70'
(3)     Framed-IP-Address = 202.189.123.194
(3)     State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3)   authorize {
(3)   filter_username filter_username {
(3)     if (&User-Name =~ / /)
(3)     if (&User-Name =~ / /)  -> FALSE
(3)     if (&User-Name =~ /@.*@/ )
(3)     if (&User-Name =~ /@.*@/ )  -> FALSE
(3)     if (&User-Name =~ /\\.\\./ )
(3)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(3)     if (&User-Name =~ /\\.$/)
(3)     if (&User-Name =~ /\\.$/)   -> FALSE
(3)     if (&User-Name =~ /@\\./)
(3)     if (&User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(3)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3)  auth_log : EXPAND %t
(3)  auth_log :    --> Thu Jan 15 11:38:41 2015
(3)   [auth_log] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)  suffix : Checking for suffix after "@"
(3)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(3)  suffix : Found realm "NULL"
(3)  suffix : Adding Stripped-User-Name = "bigman"
(3)  suffix : Adding Realm = "NULL"
(3)  suffix : Authentication realm is LOCAL
(3)   [suffix] = ok
(3)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(3) EXPAND %{Realm}
(3)    --> NULL
(3)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(3)  eap : Peer sent code Response (2) ID 3 length 6
(3)  eap : Continuing tunnel setup
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3)   authenticate {
(3)  eap : Expiring EAP session with state 0xc45fd1a2c55cc8f5
(3)  eap : Finished EAP session with state 0xc45fd1a2c55cc8f5
(3)  eap : Previous EAP request found for state 0xc45fd1a2c55cc8f5, released from the list
(3)  eap : Peer sent method PEAP (25)
(3)  eap : EAP PEAP (25)
(3)  eap : Calling eap_peap to process EAP data
(3)  eap_peap : processing EAP-TLS
(3)  eap_peap : Received TLS ACK
(3)  eap_peap : Received TLS ACK
(3)  eap_peap : ACK handshake fragment handler
(3)  eap_peap : eaptls_verify returned 1
(3)  eap_peap : eaptls_process returned 13
(3)  eap_peap : FR_TLS_HANDLED
(3)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c65bc8f5
(3)   [eap] = handled
(3)  } #  authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=25, length=0
(3)     EAP-Message =

(3)     Message-Authenticator = 0x00000000000000000000000000000000
(3)     State = 0xc45fd1a2c65bc8f54b145a25fcad284d
Sending Access-Challenge Id 25 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 26 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x07909351500113863860a840942c0c81
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) Received Access-Request packet from host 10.10.1.1 port 3406, id=26, length=247
(4)     User-Name = 'bigman'
(4)     Framed-MTU = 1450
(4)     EAP-Message = 0x020400061900
(4)     Message-Authenticator = 0x07909351500113863860a840942c0c81
(4)     Chargeable-User-Identity = 0x00
(4)     NAS-IP-Address = 10.10.1.1
(4)     NAS-Identifier = 'WiFi-Controller-7'
(4)     NAS-Port = 33558758
(4)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(4)     NAS-Port-Type = Wireless-802.11
(4)     Service-Type = Framed-User
(4)     Framed-Protocol = PPP
(4)     Calling-Station-Id = '00-18-60-68-03-EC'
(4)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(4)     Acct-Session-Id = '115001511383b5ab70'
(4)     Framed-IP-Address = 202.189.123.194
(4)     State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4)   authorize {
(4)   filter_username filter_username {
(4)     if (&User-Name =~ / /)
(4)     if (&User-Name =~ / /)  -> FALSE
(4)     if (&User-Name =~ /@.*@/ )
(4)     if (&User-Name =~ /@.*@/ )  -> FALSE
(4)     if (&User-Name =~ /\\.\\./ )
(4)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(4)     if (&User-Name =~ /\\.$/)
(4)     if (&User-Name =~ /\\.$/)   -> FALSE
(4)     if (&User-Name =~ /@\\./)
(4)     if (&User-Name =~ /@\\./)   -> FALSE
(4)   } # filter_username filter_username = notfound
(4)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(4)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4)  auth_log : EXPAND %t
(4)  auth_log :    --> Thu Jan 15 11:38:41 2015
(4)   [auth_log] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)  suffix : Checking for suffix after "@"
(4)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(4)  suffix : Found realm "NULL"
(4)  suffix : Adding Stripped-User-Name = "bigman"
(4)  suffix : Adding Realm = "NULL"
(4)  suffix : Authentication realm is LOCAL
(4)   [suffix] = ok
(4)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(4) EXPAND %{Realm}
(4)    --> NULL
(4)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(4)  eap : Peer sent code Response (2) ID 4 length 6
(4)  eap : Continuing tunnel setup
(4)   [eap] = ok
(4)  } #  authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4)   authenticate {
(4)  eap : Expiring EAP session with state 0xc45fd1a2c65bc8f5
(4)  eap : Finished EAP session with state 0xc45fd1a2c65bc8f5
(4)  eap : Previous EAP request found for state 0xc45fd1a2c65bc8f5, released from the list
(4)  eap : Peer sent method PEAP (25)
(4)  eap : EAP PEAP (25)
(4)  eap : Calling eap_peap to process EAP data
(4)  eap_peap : processing EAP-TLS
(4)  eap_peap : Received TLS ACK
(4)  eap_peap : Received TLS ACK
(4)  eap_peap : ACK handshake fragment handler
(4)  eap_peap : eaptls_verify returned 1
(4)  eap_peap : eaptls_process returned 13
(4)  eap_peap : FR_TLS_HANDLED
(4)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c75ac8f5
(4)   [eap] = handled
(4)  } #  authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=26, length=0
(4)     EAP-Message =

(4)     Message-Authenticator = 0x00000000000000000000000000000000
(4)     State = 0xc45fd1a2c75ac8f54b145a25fcad284d
Sending Access-Challenge Id 26 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 27 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) Received Access-Request packet from host 10.10.1.1 port 3406, id=27, length=247
(5)     User-Name = 'bigman'
(5)     Framed-MTU = 1450
(5)     EAP-Message = 0x020500061900
(5)     Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
(5)     Chargeable-User-Identity = 0x00
(5)     NAS-IP-Address = 10.10.1.1
(5)     NAS-Identifier = 'WiFi-Controller-7'
(5)     NAS-Port = 33558758
(5)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(5)     NAS-Port-Type = Wireless-802.11
(5)     Service-Type = Framed-User
(5)     Framed-Protocol = PPP
(5)     Calling-Station-Id = '00-18-60-68-03-EC'
(5)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(5)     Acct-Session-Id = '115001511383b5ab70'
(5)     Framed-IP-Address = 202.189.123.194
(5)     State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5)   authorize {
(5)   filter_username filter_username {
(5)     if (&User-Name =~ / /)
(5)     if (&User-Name =~ / /)  -> FALSE
(5)     if (&User-Name =~ /@.*@/ )
(5)     if (&User-Name =~ /@.*@/ )  -> FALSE
(5)     if (&User-Name =~ /\\.\\./ )
(5)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(5)     if (&User-Name =~ /\\.$/)
(5)     if (&User-Name =~ /\\.$/)   -> FALSE
(5)     if (&User-Name =~ /@\\./)
(5)     if (&User-Name =~ /@\\./)   -> FALSE
(5)   } # filter_username filter_username = notfound
(5)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(5)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5)  auth_log : EXPAND %t
(5)  auth_log :    --> Thu Jan 15 11:38:41 2015
(5)   [auth_log] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)  suffix : Checking for suffix after "@"
(5)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(5)  suffix : Found realm "NULL"
(5)  suffix : Adding Stripped-User-Name = "bigman"
(5)  suffix : Adding Realm = "NULL"
(5)  suffix : Authentication realm is LOCAL
(5)   [suffix] = ok
(5)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(5) EXPAND %{Realm}
(5)    --> NULL
(5)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(5)  eap : Peer sent code Response (2) ID 5 length 6
(5)  eap : Continuing tunnel setup
(5)   [eap] = ok
(5)  } #  authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5)   authenticate {
(5)  eap : Expiring EAP session with state 0xc45fd1a2c75ac8f5
(5)  eap : Finished EAP session with state 0xc45fd1a2c75ac8f5
(5)  eap : Previous EAP request found for state 0xc45fd1a2c75ac8f5, released from the list
(5)  eap : Peer sent method PEAP (25)
(5)  eap : EAP PEAP (25)
(5)  eap : Calling eap_peap to process EAP data
(5)  eap_peap : processing EAP-TLS
(5)  eap_peap : Received TLS ACK
(5)  eap_peap : Received TLS ACK
(5)  eap_peap : ACK handshake fragment handler
(5)  eap_peap : eaptls_verify returned 1
(5)  eap_peap : eaptls_process returned 13
(5)  eap_peap : FR_TLS_HANDLED
(5)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c059c8f5
(5)   [eap] = handled
(5)  } #  authenticate = handled
(5) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=27, length=0
(5)     EAP-Message =

(5)     Message-Authenticator = 0x00000000000000000000000000000000
(5)     State = 0xc45fd1a2c059c8f54b145a25fcad284d
Sending Access-Challenge Id 27 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c059c8f54b145a25fcad284d
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 28 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message =

0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb

6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04

886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
        Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) Received Access-Request packet from host 10.10.1.1 port 3406, id=28, length=385
(6)     User-Name = 'bigman'
(6)     Framed-MTU = 1450
(6)     EAP-Message =

0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb

6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04

886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
(6)     Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
(6)     Chargeable-User-Identity = 0x00
(6)     NAS-IP-Address = 10.10.1.1
(6)     NAS-Identifier = 'WiFi-Controller-7'
(6)     NAS-Port = 33558758
(6)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(6)     NAS-Port-Type = Wireless-802.11
(6)     Service-Type = Framed-User
(6)     Framed-Protocol = PPP
(6)     Calling-Station-Id = '00-18-60-68-03-EC'
(6)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(6)     Acct-Session-Id = '115001511383b5ab70'
(6)     Framed-IP-Address = 202.189.123.194
(6)     State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6)   authorize {
(6)   filter_username filter_username {
(6)     if (&User-Name =~ / /)
(6)     if (&User-Name =~ / /)  -> FALSE
(6)     if (&User-Name =~ /@.*@/ )
(6)     if (&User-Name =~ /@.*@/ )  -> FALSE
(6)     if (&User-Name =~ /\\.\\./ )
(6)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(6)     if (&User-Name =~ /\\.$/)
(6)     if (&User-Name =~ /\\.$/)   -> FALSE
(6)     if (&User-Name =~ /@\\./)
(6)     if (&User-Name =~ /@\\./)   -> FALSE
(6)   } # filter_username filter_username = notfound
(6)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(6)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6)  auth_log : EXPAND %t
(6)  auth_log :    --> Thu Jan 15 11:38:42 2015
(6)   [auth_log] = ok
(6)   [chap] = noop
(6)   [mschap] = noop
(6)  suffix : Checking for suffix after "@"
(6)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(6)  suffix : Found realm "NULL"
(6)  suffix : Adding Stripped-User-Name = "bigman"
(6)  suffix : Adding Realm = "NULL"
(6)  suffix : Authentication realm is LOCAL
(6)   [suffix] = ok
(6)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(6) EXPAND %{Realm}
(6)    --> NULL
(6)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(6)  eap : Peer sent code Response (2) ID 6 length 144
(6)  eap : Continuing tunnel setup
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6)   authenticate {
(6)  eap : Expiring EAP session with state 0xc45fd1a2c059c8f5
(6)  eap : Finished EAP session with state 0xc45fd1a2c059c8f5
(6)  eap : Previous EAP request found for state 0xc45fd1a2c059c8f5, released from the list
(6)  eap : Peer sent method PEAP (25)
(6)  eap : EAP PEAP (25)
(6)  eap : Calling eap_peap to process EAP data
(6)  eap_peap : processing EAP-TLS
  TLS Length 134
(6)  eap_peap : Length Included
(6)  eap_peap : eaptls_verify returned 11
(6)  eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6)  eap_peap : TLS_accept: SSLv3 read client key exchange A
(6)  eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(6)  eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(6)  eap_peap : TLS_accept: SSLv3 read finished A
(6)  eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(6)  eap_peap : TLS_accept: SSLv3 write change cipher spec A
(6)  eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(6)  eap_peap : TLS_accept: SSLv3 write finished A
(6)  eap_peap : TLS_accept: SSLv3 flush data
  SSL: adding session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 to cache
(6)  eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(6)  eap_peap : eaptls_process returned 13
(6)  eap_peap : FR_TLS_HANDLED
(6)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c158c8f5
(6)   [eap] = handled
(6)  } #  authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=28, length=0
(6)     EAP-Message =

0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96

da21b4bfc6fc733123a
(6)     Message-Authenticator = 0x00000000000000000000000000000000
(6)     State = 0xc45fd1a2c158c8f54b145a25fcad284d
Sending Access-Challenge Id 28 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96

da21b4bfc6fc733123a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c158c8f54b145a25fcad284d
(6) Finished request
Received Access-Request Id 29 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020700061900
        Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) Received Access-Request packet from host 10.10.1.1 port 3406, id=29, length=247
(7)     User-Name = 'bigman'
(7)     Framed-MTU = 1450
(7)     EAP-Message = 0x020700061900
(7)     Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
(7)     Chargeable-User-Identity = 0x00
(7)     NAS-IP-Address = 10.10.1.1
(7)     NAS-Identifier = 'WiFi-Controller-7'
(7)     NAS-Port = 33558758
(7)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(7)     NAS-Port-Type = Wireless-802.11
(7)     Service-Type = Framed-User
(7)     Framed-Protocol = PPP
(7)     Calling-Station-Id = '00-18-60-68-03-EC'
(7)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(7)     Acct-Session-Id = '115001511383b5ab70'
(7)     Framed-IP-Address = 202.189.123.194
(7)     State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7)   authorize {
(7)   filter_username filter_username {
(7)     if (&User-Name =~ / /)
(7)     if (&User-Name =~ / /)  -> FALSE
(7)     if (&User-Name =~ /@.*@/ )
(7)     if (&User-Name =~ /@.*@/ )  -> FALSE
(7)     if (&User-Name =~ /\\.\\./ )
(7)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(7)     if (&User-Name =~ /\\.$/)
(7)     if (&User-Name =~ /\\.$/)   -> FALSE
(7)     if (&User-Name =~ /@\\./)
(7)     if (&User-Name =~ /@\\./)   -> FALSE
(7)   } # filter_username filter_username = notfound
(7)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(7)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7)  auth_log : EXPAND %t
(7)  auth_log :    --> Thu Jan 15 11:38:42 2015
(7)   [auth_log] = ok
(7)   [chap] = noop
(7)   [mschap] = noop
(7)  suffix : Checking for suffix after "@"
(7)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(7)  suffix : Found realm "NULL"
(7)  suffix : Adding Stripped-User-Name = "bigman"
(7)  suffix : Adding Realm = "NULL"
(7)  suffix : Authentication realm is LOCAL
(7)   [suffix] = ok
(7)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(7) EXPAND %{Realm}
(7)    --> NULL
(7)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(7)  eap : Peer sent code Response (2) ID 7 length 6
(7)  eap : Continuing tunnel setup
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7)   authenticate {
(7)  eap : Expiring EAP session with state 0xc45fd1a2c158c8f5
(7)  eap : Finished EAP session with state 0xc45fd1a2c158c8f5
(7)  eap : Previous EAP request found for state 0xc45fd1a2c158c8f5, released from the list
(7)  eap : Peer sent method PEAP (25)
(7)  eap : EAP PEAP (25)
(7)  eap : Calling eap_peap to process EAP data
(7)  eap_peap : processing EAP-TLS
(7)  eap_peap : Received TLS ACK
(7)  eap_peap : Received TLS ACK
(7)  eap_peap : ACK handshake is finished
(7)  eap_peap : eaptls_verify returned 3
(7)  eap_peap : eaptls_process returned 3
(7)  eap_peap : FR_TLS_SUCCESS
(7)  eap_peap : Session established.  Decoding tunneled attributes
(7)  eap_peap : Peap state TUNNEL ESTABLISHED
(7)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c257c8f5
(7)   [eap] = handled
(7)  } #  authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=29, length=0
(7)     EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
(7)     Message-Authenticator = 0x00000000000000000000000000000000
(7)     State = 0xc45fd1a2c257c8f54b145a25fcad284d
Sending Access-Challenge Id 29 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c257c8f54b145a25fcad284d
(7) Finished request
Received Access-Request Id 30 from 10.10.1.1:3406 to 10.80.1.1:1812 length 337
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message =

0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11

6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
        Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) Received Access-Request packet from host 10.10.1.1 port 3406, id=30, length=337
(8)     User-Name = 'bigman'
(8)     Framed-MTU = 1450
(8)     EAP-Message =

0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11

6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
(8)     Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
(8)     Chargeable-User-Identity = 0x00
(8)     NAS-IP-Address = 10.10.1.1
(8)     NAS-Identifier = 'WiFi-Controller-7'
(8)     NAS-Port = 33558758
(8)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(8)     NAS-Port-Type = Wireless-802.11
(8)     Service-Type = Framed-User
(8)     Framed-Protocol = PPP
(8)     Calling-Station-Id = '00-18-60-68-03-EC'
(8)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(8)     Acct-Session-Id = '115001511383b5ab70'
(8)     Framed-IP-Address = 202.189.123.194
(8)     State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8)   authorize {
(8)   filter_username filter_username {
(8)     if (&User-Name =~ / /)
(8)     if (&User-Name =~ / /)  -> FALSE
(8)     if (&User-Name =~ /@.*@/ )
(8)     if (&User-Name =~ /@.*@/ )  -> FALSE
(8)     if (&User-Name =~ /\\.\\./ )
(8)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(8)     if (&User-Name =~ /\\.$/)
(8)     if (&User-Name =~ /\\.$/)   -> FALSE
(8)     if (&User-Name =~ /@\\./)
(8)     if (&User-Name =~ /@\\./)   -> FALSE
(8)   } # filter_username filter_username = notfound
(8)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(8)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8)  auth_log : EXPAND %t
(8)  auth_log :    --> Thu Jan 15 11:38:42 2015
(8)   [auth_log] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)  suffix : Checking for suffix after "@"
(8)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(8)  suffix : Found realm "NULL"
(8)  suffix : Adding Stripped-User-Name = "bigman"
(8)  suffix : Adding Realm = "NULL"
(8)  suffix : Authentication realm is LOCAL
(8)   [suffix] = ok
(8)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(8) EXPAND %{Realm}
(8)    --> NULL
(8)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(8)  eap : Peer sent code Response (2) ID 8 length 96
(8)  eap : Continuing tunnel setup
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8)   authenticate {
(8)  eap : Expiring EAP session with state 0xc45fd1a2c257c8f5
(8)  eap : Finished EAP session with state 0xc45fd1a2c257c8f5
(8)  eap : Previous EAP request found for state 0xc45fd1a2c257c8f5, released from the list
(8)  eap : Peer sent method PEAP (25)
(8)  eap : EAP PEAP (25)
(8)  eap : Calling eap_peap to process EAP data
(8)  eap_peap : processing EAP-TLS
(8)  eap_peap : eaptls_verify returned 7
(8)  eap_peap : Done initial handshake
(8)  eap_peap : eaptls_process returned 7
(8)  eap_peap : FR_TLS_OK
(8)  eap_peap : Session established.  Decoding tunneled attributes
(8)  eap_peap : Peap state WAITING FOR INNER IDENTITY
(8)  eap_peap : Identity - bob@abc.com
(8)  eap_peap : Got inner identity 'bob@abc.com'
(8)  eap_peap : Setting default EAP type for tunneled EAP session
(8)  eap_peap : Got tunneled request
        EAP-Message = 0x020800120174666b6c616940686b752e686b
server Local-WiFi {
(8)  eap_peap : Setting User-Name to bob@abc.com
Sending tunneled request
        EAP-Message = 0x020800120174666b6c616940686b752e686b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob@abc.com'
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(8)  server inner-tunnel {
(8)    Request:
        EAP-Message = 0x020800120174666b6c616940686b752e686b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob@abc.com'
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
(8)  # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)    authorize {
(8)    [chap] = noop
(8)    [mschap] = noop
(8)   suffix : Checking for suffix after "@"
(8)   suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com"
(8)   suffix : Found realm "abc.com"
(8)   suffix : Adding Stripped-User-Name = "bob"
(8)   suffix : Adding Realm = "abc.com"
(8)   suffix : Authentication realm is LOCAL
(8)    [suffix] = ok
(8)    update control {
(8)     &Proxy-To-Realm := 'LOCAL'
(8)    } # update control = noop
(8)   eap : Peer sent code Response (2) ID 8 length 18
(8)   eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(8)    [eap] = ok
(8)   } #  authorize = ok
(8)  Found Auth-Type = EAP
(8)  # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)    authenticate {
(8)   eap : Peer sent method Identity (1)
(8)   eap : Calling eap_mschapv2 to process EAP data
(8)   eap_mschapv2 : Issuing Challenge
(8)   eap : New EAP session, adding 'State' attribute to reply 0xde946618de9d7cad
(8)    [eap] = handled
(8)   } #  authenticate = handled
(8)    Reply:
        EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618de9d7cad0c64434fd93f0777
(8)  } # server inner-tunnel
} # server inner-tunnel
(8)  eap_peap : Got tunneled reply code 11
        EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618de9d7cad0c64434fd93f0777
(8)  eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618de9d7cad0c64434fd93f0777
(8)  eap_peap : Got tunneled Access-Challenge
(8)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c356c8f5
(8)   [eap] = handled
(8)  } #  authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=30, length=0
(8)     EAP-Message =

0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c

ec006126ddbd781a3811c45a43cc665fa6e6b88
(8)     Message-Authenticator = 0x00000000000000000000000000000000
(8)     State = 0xc45fd1a2c356c8f54b145a25fcad284d
Sending Access-Challenge Id 30 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message =

0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c

ec006126ddbd781a3811c45a43cc665fa6e6b88
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2c356c8f54b145a25fcad284d
(8) Finished request
Received Access-Request Id 31 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message =

0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506

f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017

3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
        Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) Received Access-Request packet from host 10.10.1.1 port 3406, id=31, length=385
(9)     User-Name = 'bigman'
(9)     Framed-MTU = 1450
(9)     EAP-Message =

0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506

f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017

3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
(9)     Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
(9)     Chargeable-User-Identity = 0x00
(9)     NAS-IP-Address = 10.10.1.1
(9)     NAS-Identifier = 'WiFi-Controller-7'
(9)     NAS-Port = 33558758
(9)     NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(9)     NAS-Port-Type = Wireless-802.11
(9)     Service-Type = Framed-User
(9)     Framed-Protocol = PPP
(9)     Calling-Station-Id = '00-18-60-68-03-EC'
(9)     Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(9)     Acct-Session-Id = '115001511383b5ab70'
(9)     Framed-IP-Address = 202.189.123.194
(9)     State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9)   authorize {
(9)   filter_username filter_username {
(9)     if (&User-Name =~ / /)
(9)     if (&User-Name =~ / /)  -> FALSE
(9)     if (&User-Name =~ /@.*@/ )
(9)     if (&User-Name =~ /@.*@/ )  -> FALSE
(9)     if (&User-Name =~ /\\.\\./ )
(9)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(9)     if (&User-Name =~ /\\.$/)
(9)     if (&User-Name =~ /\\.$/)   -> FALSE
(9)     if (&User-Name =~ /@\\./)
(9)     if (&User-Name =~ /@\\./)   -> FALSE
(9)   } # filter_username filter_username = notfound
(9)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(9)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9)  auth_log : EXPAND %t
(9)  auth_log :    --> Thu Jan 15 11:38:42 2015
(9)   [auth_log] = ok
(9)   [chap] = noop
(9)   [mschap] = noop
(9)  suffix : Checking for suffix after "@"
(9)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(9)  suffix : Found realm "NULL"
(9)  suffix : Adding Stripped-User-Name = "bigman"
(9)  suffix : Adding Realm = "NULL"
(9)  suffix : Authentication realm is LOCAL
(9)   [suffix] = ok
(9)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(9) EXPAND %{Realm}
(9)    --> NULL
(9)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(9)  eap : Peer sent code Response (2) ID 9 length 144
(9)  eap : Continuing tunnel setup
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9)   authenticate {
(9)  eap : Expiring EAP session with state 0xde946618de9d7cad
(9)  eap : Finished EAP session with state 0xc45fd1a2c356c8f5
(9)  eap : Previous EAP request found for state 0xc45fd1a2c356c8f5, released from the list
(9)  eap : Peer sent method PEAP (25)
(9)  eap : EAP PEAP (25)
(9)  eap : Calling eap_peap to process EAP data
(9)  eap_peap : processing EAP-TLS
(9)  eap_peap : eaptls_verify returned 7
(9)  eap_peap : Done initial handshake
(9)  eap_peap : eaptls_process returned 7
(9)  eap_peap : FR_TLS_OK
(9)  eap_peap : Session established.  Decoding tunneled attributes
(9)  eap_peap : Peap state phase2
(9)  eap_peap : EAP type MSCHAPv2 (26)
(9)  eap_peap : Got tunneled request
        EAP-Message =

0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016

36d8f0074666b6c616940686b752e686b
server Local-WiFi {
(9)  eap_peap : Setting User-Name to bob@abc.com
Sending tunneled request
        EAP-Message =

0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016

36d8f0074666b6c616940686b752e686b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob@abc.com'
        State = 0xde946618de9d7cad0c64434fd93f0777
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(9)  server inner-tunnel {
(9)    Request:
        EAP-Message =

0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016

36d8f0074666b6c616940686b752e686b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob@abc.com'
        State = 0xde946618de9d7cad0c64434fd93f0777
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
(9)  # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9)    authorize {
(9)    [chap] = noop
(9)    [mschap] = noop
(9)   suffix : Checking for suffix after "@"
(9)   suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com"
(9)   suffix : Found realm "abc.com"
(9)   suffix : Adding Stripped-User-Name = "bob"
(9)   suffix : Adding Realm = "abc.com"
(9)   suffix : Authentication realm is LOCAL
(9)    [suffix] = ok
(9)    update control {
(9)     &Proxy-To-Realm := 'LOCAL'
(9)    } # update control = noop
(9)   eap : Peer sent code Response (2) ID 9 length 72
(9)   eap : No EAP Start, assuming it's an on-going EAP conversation
(9)    [eap] = updated
(9)     if (&EAP-Message)
(9)     if (&EAP-Message)  -> TRUE
(9)    if (&EAP-Message)  {
(9)     load-balance ldap_Portal_redundant {
(9)     redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(9)   ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(9)   ldap_PortalPwd_2 :    --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(9)   ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(9)   ldap_PortalPwd_2 :    --> ou=802.1x,o=hku,c=hk
(9)   ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(9)   ldap_PortalPwd_2 : Waiting for search result...
(9)   ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(9)   ldap_PortalPwd_2 : Processing user attributes
(9)   ldap_PortalPwd_2 :        &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(9)   ldap_PortalPwd_2 :        &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(9)      [ldap_PortalPwd_2] = ok
(9)     } # redundant-load-balance ldap_Portal_redundant = ok
(9)      if (notfound)
(9)      if (notfound)  -> FALSE
(9)    } # if (&EAP-Message)  = ok
(9)     ... skipping else for request 9: Preceding "if" was taken
(9)    [expiration] = noop
(9)    [logintime] = noop
(9)   pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(9)   WARNING: pap : Auth-Type already set.  Not setting to PAP
(9)    [pap] = noop
(9)   } #  authorize = updated
(9)  Found Auth-Type = EAP
(9)  # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9)    authenticate {
(9)   eap : Expiring EAP session with state 0xde946618de9d7cad
(9)   eap : Finished EAP session with state 0xde946618de9d7cad
(9)   eap : Previous EAP request found for state 0xde946618de9d7cad, released from the list
(9)   eap : Peer sent method MSCHAPv2 (26)
(9)   eap : EAP MSCHAPv2 (26)
(9)   eap : Calling eap_mschapv2 to process EAP data
(9)   eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9)   eap_mschapv2 :  Auth-Type MS-CHAP {
(9)    WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(9)    mschap : Found NT-Password
(9)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
(9)    mschap : Creating challenge hash with username: bob at abc.com
(9)    mschap : Client is using MS-CHAPv2
(9)    mschap : Adding MS-CHAPv2 MPPE keys
(9)     [mschap] = ok
(9)    } # Auth-Type MS-CHAP = ok
MSCHAP Success
(9)   eap : New EAP session, adding 'State' attribute to reply 0xde946618df9e7cad
(9)    [eap] = handled
(9)   } #  authenticate = handled
(9)    Reply:
        EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618df9e7cad0c64434fd93f0777
(9)  } # server inner-tunnel
} # server inner-tunnel
(9)  eap_peap : Got tunneled reply code 11
        EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618df9e7cad0c64434fd93f0777
(9)  eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xde946618df9e7cad0c64434fd93f0777
(9)  eap_peap : Got tunneled Access-Challenge
(9)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cc55c8f5
(9)   [eap] = handled
(9)  } #  authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=31, length=0
(9)     EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d9610df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
(9)     Message-Authenticator = 0x00000000000000000000000000000000
(9)     State = 0xc45fd1a2cc55c8f54b145a25fcad284d
Sending Access-Challenge Id 31 from 10.80.1.1:1812 to 10.10.1.1:3406
        EAP-Message = 0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d9610df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(9) Finished request
Received Access-Request Id 32 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
        Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) Received Access-Request packet from host 10.10.1.1 port 3406, id=32, length=321
(10)    User-Name = 'bigman'
(10)    Framed-MTU = 1450
(10)    EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
(10)    Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
(10)    Chargeable-User-Identity = 0x00
(10)    NAS-IP-Address = 10.10.1.1
(10)    NAS-Identifier = 'WiFi-Controller-7'
(10)    NAS-Port = 33558758
(10)    NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(10)    NAS-Port-Type = Wireless-802.11
(10)    Service-Type = Framed-User
(10)    Framed-Protocol = PPP
(10)    Calling-Station-Id = '00-18-60-68-03-EC'
(10)    Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(10)    Acct-Session-Id = '115001511383b5ab70'
(10)    Framed-IP-Address = 202.189.123.194
(10)    State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10)   authorize {
(10)   filter_username filter_username {
(10)     if (&User-Name =~ / /)
(10)     if (&User-Name =~ / /)  -> FALSE
(10)     if (&User-Name =~ /@.*@/ )
(10)     if (&User-Name =~ /@.*@/ )  -> FALSE
(10)     if (&User-Name =~ /\\.\\./ )
(10)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(10)     if (&User-Name =~ /\\.$/)
(10)     if (&User-Name =~ /\\.$/)   -> FALSE
(10)     if (&User-Name =~ /@\\./)
(10)     if (&User-Name =~ /@\\./)   -> FALSE
(10)   } # filter_username filter_username = notfound
(10)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(10)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10)  auth_log : EXPAND %t
(10)  auth_log :    --> Thu Jan 15 11:38:42 2015
(10)   [auth_log] = ok
(10)   [chap] = noop
(10)   [mschap] = noop
(10)  suffix : Checking for suffix after "@"
(10)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(10)  suffix : Found realm "NULL"
(10)  suffix : Adding Stripped-User-Name = "bigman"
(10)  suffix : Adding Realm = "NULL"
(10)  suffix : Authentication realm is LOCAL
(10)   [suffix] = ok
(10)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(10) EXPAND %{Realm}
(10)    --> NULL
(10)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(10)  eap : Peer sent code Response (2) ID 10 length 80
(10)  eap : Continuing tunnel setup
(10)   [eap] = ok
(10)  } #  authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10)   authenticate {
(10)  eap : Expiring EAP session with state 0xde946618df9e7cad
(10)  eap : Finished EAP session with state 0xc45fd1a2cc55c8f5
(10)  eap : Previous EAP request found for state 0xc45fd1a2cc55c8f5, released from the list
(10)  eap : Peer sent method PEAP (25)
(10)  eap : EAP PEAP (25)
(10)  eap : Calling eap_peap to process EAP data
(10)  eap_peap : processing EAP-TLS
(10)  eap_peap : eaptls_verify returned 7
(10)  eap_peap : Done initial handshake
(10)  eap_peap : eaptls_process returned 7
(10)  eap_peap : FR_TLS_OK
(10)  eap_peap : Session established.  Decoding tunneled attributes
(10)  eap_peap : Peap state phase2
(10)  eap_peap : EAP type MSCHAPv2 (26)
(10)  eap_peap : Got tunneled request
        EAP-Message = 0x020a00061a03
server Local-WiFi {
(10)  eap_peap : Setting User-Name to bob at abc.com
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob at abc.com'
        State = 0xde946618df9e7cad0c64434fd93f0777
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(10)  server inner-tunnel {
(10)    Request:
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'bob at abc.com'
        State = 0xde946618df9e7cad0c64434fd93f0777
        Framed-MTU = 1450
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
(10)  # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10)    authorize {
(10)    [chap] = noop
(10)    [mschap] = noop
(10)   suffix : Checking for suffix after "@"
(10)   suffix : Looking up realm "abc.com" for User-Name = "bob at abc.com"
(10)   suffix : Found realm "abc.com"
(10)   suffix : Adding Stripped-User-Name = "bob"
(10)   suffix : Adding Realm = "abc.com"
(10)   suffix : Authentication realm is LOCAL
(10)    [suffix] = ok
(10)    update control {
(10)    &Proxy-To-Realm := 'LOCAL'
(10)    } # update control = noop
(10)   eap : Peer sent code Response (2) ID 10 length 6
(10)   eap : No EAP Start, assuming it's an on-going EAP conversation
(10)    [eap] = updated
(10)     if (&EAP-Message)
(10)     if (&EAP-Message)  -> TRUE
(10)    if (&EAP-Message)  {
(10)     load-balance ldap_Portal_redundant {
(10)     redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(10)   ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(10)   ldap_PortalPwd_2 :    --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(10)   ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(10)   ldap_PortalPwd_2 :    --> ou=802.1x,o=hku,c=hk
(10)   ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(10)   ldap_PortalPwd_2 : Waiting for search result...
(10)   ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(10)   ldap_PortalPwd_2 : Processing user attributes
(10)   ldap_PortalPwd_2 :       &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(10)   ldap_PortalPwd_2 :       &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(10)      [ldap_PortalPwd_2] = ok
(10)     } # redundant-load-balance ldap_Portal_redundant = ok
(10)      if (notfound)
(10)      if (notfound)  -> FALSE
(10)    } # if (&EAP-Message)  = ok
(10)     ... skipping else for request 10: Preceding "if" was taken
(10)    [expiration] = noop
(10)    [logintime] = noop
(10)   pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(10)   WARNING: pap : Auth-Type already set.  Not setting to PAP
(10)    [pap] = noop
(10)   } #  authorize = updated
(10)  Found Auth-Type = EAP
(10)  # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10)    authenticate {
(10)   eap : Expiring EAP session with state 0xde946618df9e7cad
(10)   eap : Finished EAP session with state 0xde946618df9e7cad
(10)   eap : Previous EAP request found for state 0xde946618df9e7cad, released from the list
(10)   eap : Peer sent method MSCHAPv2 (26)
(10)   eap : EAP MSCHAPv2 (26)
(10)   eap : Calling eap_mschapv2 to process EAP data
(10)   eap : Freeing handler
(10)    [eap] = ok
(10)   } #  authenticate = ok
(10)  Login OK: [bob at abc.com] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC via TLS tunnel)
(10)  # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10)    post-auth {
(10)    update outer.reply {
(10)  EXPAND %{request:User-Name}
(10)     --> bob at abc.com
(10)    User-Name = "bob at abc.com"
(10)    } # update outer.reply = noop
(10)   } #  post-auth = noop
(10)    Reply:
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
        MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        Stripped-User-Name = 'bob'
(10)  } # server inner-tunnel
} # server inner-tunnel
(10)  eap_peap : Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
        MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        Stripped-User-Name = 'bob'
(10)  eap_peap : Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
        MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        Stripped-User-Name = 'bob'
(10)  eap_peap : Tunneled authentication was successful
(10)  eap_peap : SUCCESS
(10)  eap_peap : Saving tunneled attributes for later
(10)  eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cd54c8f5
(10)   [eap] = handled
(10)  } #  authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=32, length=0
(10)    User-Name = 'bob at abc.com'
(10)    EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
(10)    Message-Authenticator = 0x00000000000000000000000000000000
(10)    State = 0xc45fd1a2cd54c8f54b145a25fcad284d
Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406
        User-Name = 'bob at abc.com'
        EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(10) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
        User-Name = 'bigman'
        Framed-MTU = 1450
        EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
        Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
        Chargeable-User-Identity = 0x00
        NAS-IP-Address = 10.10.1.1
        NAS-Identifier = 'WiFi-Controller-7'
        NAS-Port = 33558758
        NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = '00-18-60-68-03-EC'
        Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
        Acct-Session-Id = '115001511383b5ab70'
        Framed-IP-Address = 202.189.123.194
        State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) Received Access-Request packet from host 10.10.1.1 port 3406, id=33, length=321
(11)    User-Name = 'bigman'
(11)    Framed-MTU = 1450
(11)    EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
(11)    Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
(11)    Chargeable-User-Identity = 0x00
(11)    NAS-IP-Address = 10.10.1.1
(11)    NAS-Identifier = 'WiFi-Controller-7'
(11)    NAS-Port = 33558758
(11)    NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(11)    NAS-Port-Type = Wireless-802.11
(11)    Service-Type = Framed-User
(11)    Framed-Protocol = PPP
(11)    Calling-Station-Id = '00-18-60-68-03-EC'
(11)    Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(11)    Acct-Session-Id = '115001511383b5ab70'
(11)    Framed-IP-Address = 202.189.123.194
(11)    State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11)   authorize {
(11)   filter_username filter_username {
(11)     if (&User-Name =~ / /)
(11)     if (&User-Name =~ / /)  -> FALSE
(11)     if (&User-Name =~ /@.*@/ )
(11)     if (&User-Name =~ /@.*@/ )  -> FALSE
(11)     if (&User-Name =~ /\\.\\./ )
(11)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(11)     if (&User-Name =~ /\\.$/)
(11)     if (&User-Name =~ /\\.$/)   -> FALSE
(11)     if (&User-Name =~ /@\\./)
(11)     if (&User-Name =~ /@\\./)   -> FALSE
(11)   } # filter_username filter_username = notfound
(11)  auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(11)  auth_log :    --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11)  auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11)  auth_log : EXPAND %t
(11)  auth_log :    --> Thu Jan 15 11:38:42 2015
(11)   [auth_log] = ok
(11)   [chap] = noop
(11)   [mschap] = noop
(11)  suffix : Checking for suffix after "@"
(11)  suffix : No '@' in User-Name = "bigman", looking up realm NULL
(11)  suffix : Found realm "NULL"
(11)  suffix : Adding Stripped-User-Name = "bigman"
(11)  suffix : Adding Realm = "NULL"
(11)  suffix : Authentication realm is LOCAL
(11)   [suffix] = ok
(11)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(11) EXPAND %{Realm}
(11)    --> NULL
(11)    if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')  -> FALSE
(11)  eap : Peer sent code Response (2) ID 11 length 80
(11)  eap : Continuing tunnel setup
(11)   [eap] = ok
(11)  } #  authorize = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11)   authenticate {
(11)  eap : Expiring EAP session with state 0xc45fd1a2cd54c8f5
(11)  eap : Finished EAP session with state 0xc45fd1a2cd54c8f5
(11)  eap : Previous EAP request found for state 0xc45fd1a2cd54c8f5, released from the list
(11)  eap : Peer sent method PEAP (25)
(11)  eap : EAP PEAP (25)
(11)  eap : Calling eap_peap to process EAP data
(11)  eap_peap : processing EAP-TLS
(11)  eap_peap : eaptls_verify returned 7
(11)  eap_peap : Done initial handshake
(11)  eap_peap : eaptls_process returned 7
(11)  eap_peap : FR_TLS_OK
(11)  eap_peap : Session established.  Decoding tunneled attributes
(11)  eap_peap : Peap state send tlv success
(11)  eap_peap : Received EAP-TLV response
(11)  eap_peap : Success
(11)  eap_peap : Using saved attributes from the original Access-Accept
        Stripped-User-Name = 'bob'
(11)  eap_peap : Saving session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 vps 0xdb9b50 in the cache
(11)  eap : Freeing handler
(11)   [eap] = ok
(11)  } #  authenticate = ok
(11) Login OK: [bigman] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC)
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11)   post-auth {
(11)   [exec] = noop
(11)   remove_reply_message_if_eap remove_reply_message_if_eap {
(11)     if (&reply:EAP-Message && &reply:Reply-Message)
(11)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)    else else {
(11)     [noop] = noop
(11)    } # else else = noop
(11)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11)  } #  post-auth = noop
(11) Sending Access-Accept packet to host 10.10.1.1 port 3406, id=33, length=0
(11)    Stripped-User-Name = 'bob'
(11)    MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
(11)    MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
(11)    EAP-MSK = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbfdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
(11)    EAP-EMSK = 0x7a6b367b28793e34682cef71b58ec94c2f9dc00044d0e0a83b3b574158756196e40940146e5bbcba4d03755a09bc9ceafe3305b3da7bfe9bffd812066bea9cbb
(11)    EAP-Session-Id = 0x1954b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16754b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca3
(11)    EAP-Message = 0x030b0004
(11)    Message-Authenticator = 0x00000000000000000000000000000000
(11)    Stripped-User-Name = 'bigman'
Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406
        MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
        MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request
Waking up in 0.2 seconds.
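
A small check for the symptom in this post, added here as an example (not part of the original message and not FreeRADIUS code): it parses debug output of the shape shown above and lists which outgoing packets carry User-Name. The sample log is constructed with shortened hex values, and the function names are hypothetical.

```python
import re

# Constructed sample: same shape as the debug output in this post, hex values
# shortened, one EAP-Message wrapped the way the mail archive wraps long lines.
SAMPLE_DEBUG = """\
(10)  eap_peap : Saving tunneled attributes for later
Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406
        User-Name = 'bob at abc.com'
        EAP-Message = 0x010b002b
        State = 0xc45fd1a2
(10) Finished request
Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
        User-Name = 'bigman'
        State = 0xc45fd1a2
(11)  eap_peap : Using saved attributes from the original Access-Accept
        Stripped-User-Name = 'bob'
Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406
        MS-MPPE-Recv-Key = 0xb59b
        EAP-Message =

0x030b0004
        Message-Authenticator = 0x00
(11) Finished request
"""

HEADER = re.compile(r"^(Sending|Received) (Access-[A-Za-z]+) Id (\d+) from ")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")
HEX_CONT = re.compile(r"^(0x)?[0-9a-fA-F]+$")  # wrapped tail of a long hex value


def parse_packets(text):
    """Return the wire packets in the log, each with its attribute dict."""
    packets, current, last = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"direction": m.group(1), "code": m.group(2),
                       "id": int(m.group(3)), "attrs": {}}
            packets.append(current)
            last = None
            continue
        stripped = line.strip()
        if not stripped:
            continue  # blank lines left behind by mail wrapping
        if HEX_CONT.match(stripped):
            if current is not None and last is not None:
                current["attrs"][last] += stripped  # rejoin the wrapped value
            continue
        a = ATTR.match(line)
        if current is not None and a:
            last = a.group(1)
            current["attrs"][last] = a.group(2).strip("'\"")
        else:
            current, last = None, None  # any other log line ends the packet
    return packets


def identity_report(text):
    """(code, id, User-Name or None) for every packet the server sent."""
    return [(p["code"], p["id"], p["attrs"].get("User-Name"))
            for p in parse_packets(text) if p["direction"] == "Sending"]


def accepts_missing_user_name(text):
    """Ids of Access-Accept packets sent without a User-Name attribute."""
    return [pid for code, pid, name in identity_report(text)
            if code == "Access-Accept" and name is None]


if __name__ == "__main__":
    for code, pid, name in identity_report(SAMPLE_DEBUG):
        print(f"{code} Id {pid}: User-Name = {name!r}")
    print("Access-Accept without User-Name:", accepts_missing_user_name(SAMPLE_DEBUG))
```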


