Not able to receive inner identity in Access-Accept (Problem revisited)
Lai Fu Keung
tfklai at hku.hk
Thu Jan 15 05:48:30 CET 2015
Hi,
I am trying to configure my FR v3.0.4 to pass the inner identity to the outer in an eap-peap setup. I read some of the old mails with similar issues, like the following:
http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.html
I made the following settings as suggested in the mail:
1. Update outer reply in file inner-tunnel, post-auth:
    update outer.reply {
        User-Name = "%{request:User-Name}"
    }
2. Set "use_tunneled_reply=yes" in file eap
With the above settings, I still couldn't get it working. I compared my debug with that of the above article. I see the difference at this line:
eap_peap : Using saved attributes from the original Access-Accept
Stripped-User-Name = 'bob'
The above article uses "User-Name". Is this the difference?
I use "Stripped-User-Name" for actual authentication against ldap, but want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases.
Near the end of the debug, I even see:
Stripped-User-Name = 'bigman'
which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity".
Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows.
Fu-Keung
Received Access-Request Id 23 from 10.10.1.1:3406 to 10.80.1.1:1812 length 234
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x0201000b016269676d616e
Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(1) Received Access-Request packet from host 10.10.1.1 port 3406, id=23, length=234
(1) User-Name = 'bigman'
(1) Framed-MTU = 1450
(1) EAP-Message = 0x0201000b016269676d616e
(1) Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
(1) Chargeable-User-Identity = 0x00
(1) NAS-IP-Address = 10.10.1.1
(1) NAS-Identifier = 'WiFi-Controller-7'
(1) NAS-Port = 33558758
(1) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = '00-18-60-68-03-EC'
(1) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(1) Acct-Session-Id = '115001511383b5ab70'
(1) Framed-IP-Address = 202.189.123.194
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1) authorize {
(1) filter_username filter_username {
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(1) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1) auth_log : EXPAND %t
(1) auth_log : --> Thu Jan 15 11:38:41 2015
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "bigman"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(1) EXPAND %{Realm}
(1) --> NULL
(1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(1) eap : Peer sent code Response (2) ID 1 length 11
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1) authenticate {
(1) eap : Peer sent method Identity (1)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c45dc8f5
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=23, length=0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xc45fd1a2c45dc8f54b145a25fcad284d
Sending Access-Challenge Id 23 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 24 from 10.10.1.1:3406 to 10.80.1.1:1812 length 481
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) Received Access-Request packet from host 10.10.1.1 port 3406, id=24, length=481
(2) User-Name = 'bigman'
(2) Framed-MTU = 1450
(2) EAP-Message =
(2) Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
(2) Chargeable-User-Identity = 0x00
(2) NAS-IP-Address = 10.10.1.1
(2) NAS-Identifier = 'WiFi-Controller-7'
(2) NAS-Port = 33558758
(2) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) Calling-Station-Id = '00-18-60-68-03-EC'
(2) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(2) Acct-Session-Id = '115001511383b5ab70'
(2) Framed-IP-Address = 202.189.123.194
(2) State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2) authorize {
(2) filter_username filter_username {
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /@\\./)
(2) if (&User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(2) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2) auth_log : EXPAND %t
(2) auth_log : --> Thu Jan 15 11:38:41 2015
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(2) suffix : Found realm "NULL"
(2) suffix : Adding Stripped-User-Name = "bigman"
(2) suffix : Adding Realm = "NULL"
(2) suffix : Authentication realm is LOCAL
(2) [suffix] = ok
(2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(2) EXPAND %{Realm}
(2) --> NULL
(2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(2) eap : Peer sent code Response (2) ID 2 length 240
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2) authenticate {
(2) eap : Expiring EAP session with state 0xc45fd1a2c45dc8f5
(2) eap : Finished EAP session with state 0xc45fd1a2c45dc8f5
(2) eap : Previous EAP request found for state 0xc45fd1a2c45dc8f5, released from the list
(2) eap : Peer sent method PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 230
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello
SSL: Client requested cached session 976ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e74
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0cb2], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c55cc8f5
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=24, length=0
(2) EAP-Message =
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xc45fd1a2c55cc8f54b145a25fcad284d
Sending Access-Challenge Id 24 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 25 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020300061900
Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) Received Access-Request packet from host 10.10.1.1 port 3406, id=25, length=247
(3) User-Name = 'bigman'
(3) Framed-MTU = 1450
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
(3) Chargeable-User-Identity = 0x00
(3) NAS-IP-Address = 10.10.1.1
(3) NAS-Identifier = 'WiFi-Controller-7'
(3) NAS-Port = 33558758
(3) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Framed-Protocol = PPP
(3) Calling-Station-Id = '00-18-60-68-03-EC'
(3) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(3) Acct-Session-Id = '115001511383b5ab70'
(3) Framed-IP-Address = 202.189.123.194
(3) State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3) authorize {
(3) filter_username filter_username {
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /@\\./)
(3) if (&User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(3) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3) auth_log : EXPAND %t
(3) auth_log : --> Thu Jan 15 11:38:41 2015
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(3) suffix : Found realm "NULL"
(3) suffix : Adding Stripped-User-Name = "bigman"
(3) suffix : Adding Realm = "NULL"
(3) suffix : Authentication realm is LOCAL
(3) [suffix] = ok
(3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(3) EXPAND %{Realm}
(3) --> NULL
(3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(3) eap : Peer sent code Response (2) ID 3 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3) authenticate {
(3) eap : Expiring EAP session with state 0xc45fd1a2c55cc8f5
(3) eap : Finished EAP session with state 0xc45fd1a2c55cc8f5
(3) eap : Previous EAP request found for state 0xc45fd1a2c55cc8f5, released from the list
(3) eap : Peer sent method PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c65bc8f5
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=25, length=0
(3) EAP-Message =
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xc45fd1a2c65bc8f54b145a25fcad284d
Sending Access-Challenge Id 25 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 26 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020400061900
Message-Authenticator = 0x07909351500113863860a840942c0c81
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) Received Access-Request packet from host 10.10.1.1 port 3406, id=26, length=247
(4) User-Name = 'bigman'
(4) Framed-MTU = 1450
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x07909351500113863860a840942c0c81
(4) Chargeable-User-Identity = 0x00
(4) NAS-IP-Address = 10.10.1.1
(4) NAS-Identifier = 'WiFi-Controller-7'
(4) NAS-Port = 33558758
(4) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Framed-Protocol = PPP
(4) Calling-Station-Id = '00-18-60-68-03-EC'
(4) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(4) Acct-Session-Id = '115001511383b5ab70'
(4) Framed-IP-Address = 202.189.123.194
(4) State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4) authorize {
(4) filter_username filter_username {
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /@\\./)
(4) if (&User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(4) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4) auth_log : EXPAND %t
(4) auth_log : --> Thu Jan 15 11:38:41 2015
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(4) suffix : Found realm "NULL"
(4) suffix : Adding Stripped-User-Name = "bigman"
(4) suffix : Adding Realm = "NULL"
(4) suffix : Authentication realm is LOCAL
(4) [suffix] = ok
(4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(4) EXPAND %{Realm}
(4) --> NULL
(4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(4) eap : Peer sent code Response (2) ID 4 length 6
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4) authenticate {
(4) eap : Expiring EAP session with state 0xc45fd1a2c65bc8f5
(4) eap : Finished EAP session with state 0xc45fd1a2c65bc8f5
(4) eap : Previous EAP request found for state 0xc45fd1a2c65bc8f5, released from the list
(4) eap : Peer sent method PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c75ac8f5
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=26, length=0
(4) EAP-Message =
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xc45fd1a2c75ac8f54b145a25fcad284d
Sending Access-Challenge Id 26 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 27 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020500061900
Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) Received Access-Request packet from host 10.10.1.1 port 3406, id=27, length=247
(5) User-Name = 'bigman'
(5) Framed-MTU = 1450
(5) EAP-Message = 0x020500061900
(5) Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
(5) Chargeable-User-Identity = 0x00
(5) NAS-IP-Address = 10.10.1.1
(5) NAS-Identifier = 'WiFi-Controller-7'
(5) NAS-Port = 33558758
(5) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) Calling-Station-Id = '00-18-60-68-03-EC'
(5) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(5) Acct-Session-Id = '115001511383b5ab70'
(5) Framed-IP-Address = 202.189.123.194
(5) State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5) authorize {
(5) filter_username filter_username {
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /@\\./)
(5) if (&User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(5) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5) auth_log : EXPAND %t
(5) auth_log : --> Thu Jan 15 11:38:41 2015
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(5) suffix : Found realm "NULL"
(5) suffix : Adding Stripped-User-Name = "bigman"
(5) suffix : Adding Realm = "NULL"
(5) suffix : Authentication realm is LOCAL
(5) [suffix] = ok
(5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(5) EXPAND %{Realm}
(5) --> NULL
(5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(5) eap : Peer sent code Response (2) ID 5 length 6
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5) authenticate {
(5) eap : Expiring EAP session with state 0xc45fd1a2c75ac8f5
(5) eap : Finished EAP session with state 0xc45fd1a2c75ac8f5
(5) eap : Previous EAP request found for state 0xc45fd1a2c75ac8f5, released from the list
(5) eap : Peer sent method PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake fragment handler
(5) eap_peap : eaptls_verify returned 1
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c059c8f5
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=27, length=0
(5) EAP-Message =
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xc45fd1a2c059c8f54b145a25fcad284d
Sending Access-Challenge Id 27 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c059c8f54b145a25fcad284d
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 28 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb
6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04
886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) Received Access-Request packet from host 10.10.1.1 port 3406, id=28, length=385
(6) User-Name = 'bigman'
(6) Framed-MTU = 1450
(6) EAP-Message =
0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb
6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04
886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
(6) Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
(6) Chargeable-User-Identity = 0x00
(6) NAS-IP-Address = 10.10.1.1
(6) NAS-Identifier = 'WiFi-Controller-7'
(6) NAS-Port = 33558758
(6) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Framed-Protocol = PPP
(6) Calling-Station-Id = '00-18-60-68-03-EC'
(6) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(6) Acct-Session-Id = '115001511383b5ab70'
(6) Framed-IP-Address = 202.189.123.194
(6) State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6) authorize {
(6) filter_username filter_username {
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /@\\./)
(6) if (&User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(6) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6) auth_log : EXPAND %t
(6) auth_log : --> Thu Jan 15 11:38:42 2015
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(6) suffix : Found realm "NULL"
(6) suffix : Adding Stripped-User-Name = "bigman"
(6) suffix : Adding Realm = "NULL"
(6) suffix : Authentication realm is LOCAL
(6) [suffix] = ok
(6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(6) EXPAND %{Realm}
(6) --> NULL
(6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(6) eap : Peer sent code Response (2) ID 6 length 144
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6) authenticate {
(6) eap : Expiring EAP session with state 0xc45fd1a2c059c8f5
(6) eap : Finished EAP session with state 0xc45fd1a2c059c8f5
(6) eap : Previous EAP request found for state 0xc45fd1a2c059c8f5, released from the list
(6) eap : Peer sent method PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
TLS Length 134
(6) eap_peap : Length Included
(6) eap_peap : eaptls_verify returned 11
(6) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_peap : TLS_accept: SSLv3 read client key exchange A
(6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 read finished A
(6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 write finished A
(6) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 to cache
(6) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(6) eap_peap : eaptls_process returned 13
(6) eap_peap : FR_TLS_HANDLED
(6) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c158c8f5
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=28, length=0
(6) EAP-Message =
0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96
da21b4bfc6fc733123a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xc45fd1a2c158c8f54b145a25fcad284d
Sending Access-Challenge Id 28 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96
da21b4bfc6fc733123a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c158c8f54b145a25fcad284d
(6) Finished request
Received Access-Request Id 29 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020700061900
Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) Received Access-Request packet from host 10.10.1.1 port 3406, id=29, length=247
(7) User-Name = 'bigman'
(7) Framed-MTU = 1450
(7) EAP-Message = 0x020700061900
(7) Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
(7) Chargeable-User-Identity = 0x00
(7) NAS-IP-Address = 10.10.1.1
(7) NAS-Identifier = 'WiFi-Controller-7'
(7) NAS-Port = 33558758
(7) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Framed-Protocol = PPP
(7) Calling-Station-Id = '00-18-60-68-03-EC'
(7) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(7) Acct-Session-Id = '115001511383b5ab70'
(7) Framed-IP-Address = 202.189.123.194
(7) State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7) authorize {
(7) filter_username filter_username {
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /@\\./)
(7) if (&User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(7) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7) auth_log : EXPAND %t
(7) auth_log : --> Thu Jan 15 11:38:42 2015
(7) [auth_log] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(7) suffix : Found realm "NULL"
(7) suffix : Adding Stripped-User-Name = "bigman"
(7) suffix : Adding Realm = "NULL"
(7) suffix : Authentication realm is LOCAL
(7) [suffix] = ok
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(7) EXPAND %{Realm}
(7) --> NULL
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(7) eap : Peer sent code Response (2) ID 7 length 6
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7) authenticate {
(7) eap : Expiring EAP session with state 0xc45fd1a2c158c8f5
(7) eap : Finished EAP session with state 0xc45fd1a2c158c8f5
(7) eap : Previous EAP request found for state 0xc45fd1a2c158c8f5, released from the list
(7) eap : Peer sent method PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : Received TLS ACK
(7) eap_peap : Received TLS ACK
(7) eap_peap : ACK handshake is finished
(7) eap_peap : eaptls_verify returned 3
(7) eap_peap : eaptls_process returned 3
(7) eap_peap : FR_TLS_SUCCESS
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state TUNNEL ESTABLISHED
(7) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c257c8f5
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=29, length=0
(7) EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xc45fd1a2c257c8f54b145a25fcad284d
Sending Access-Challenge Id 29 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c257c8f54b145a25fcad284d
(7) Finished request
Received Access-Request Id 30 from 10.10.1.1:3406 to 10.80.1.1:1812 length 337
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11
6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) Received Access-Request packet from host 10.10.1.1 port 3406, id=30, length=337
(8) User-Name = 'bigman'
(8) Framed-MTU = 1450
(8) EAP-Message =
0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11
6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
(8) Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
(8) Chargeable-User-Identity = 0x00
(8) NAS-IP-Address = 10.10.1.1
(8) NAS-Identifier = 'WiFi-Controller-7'
(8) NAS-Port = 33558758
(8) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Framed-Protocol = PPP
(8) Calling-Station-Id = '00-18-60-68-03-EC'
(8) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(8) Acct-Session-Id = '115001511383b5ab70'
(8) Framed-IP-Address = 202.189.123.194
(8) State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8) authorize {
(8) filter_username filter_username {
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /@\\./)
(8) if (&User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(8) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8) auth_log : EXPAND %t
(8) auth_log : --> Thu Jan 15 11:38:42 2015
(8) [auth_log] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(8) suffix : Found realm "NULL"
(8) suffix : Adding Stripped-User-Name = "bigman"
(8) suffix : Adding Realm = "NULL"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(8) EXPAND %{Realm}
(8) --> NULL
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(8) eap : Peer sent code Response (2) ID 8 length 96
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8) authenticate {
(8) eap : Expiring EAP session with state 0xc45fd1a2c257c8f5
(8) eap : Finished EAP session with state 0xc45fd1a2c257c8f5
(8) eap : Previous EAP request found for state 0xc45fd1a2c257c8f5, released from the list
(8) eap : Peer sent method PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state WAITING FOR INNER IDENTITY
(8) eap_peap : Identity - bob@abc.com
(8) eap_peap : Got inner identity 'bob@abc.com'
(8) eap_peap : Setting default EAP type for tunneled EAP session
(8) eap_peap : Got tunneled request
EAP-Message = 0x020800120174666b6c616940686b752e686b
server Local-WiFi {
(8) eap_peap : Setting User-Name to bob@abc.com
Sending tunneled request
EAP-Message = 0x020800120174666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob@abc.com'
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(8) server inner-tunnel {
(8) Request:
EAP-Message = 0x020800120174666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob@abc.com'
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com"
(8) suffix : Found realm "abc.com"
(8) suffix : Adding Stripped-User-Name = "bob"
(8) suffix : Adding Realm = "abc.com"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) update control {
(8) &Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : Peer sent code Response (2) ID 8 length 18
(8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Peer sent method Identity (1)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : Issuing Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xde946618de9d7cad
(8) [eap] = handled
(8) } # authenticate = handled
(8) Reply:
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) } # server inner-tunnel
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c356c8f5
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=30, length=0
(8) EAP-Message =
0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c
ec006126ddbd781a3811c45a43cc665fa6e6b88
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xc45fd1a2c356c8f54b145a25fcad284d
Sending Access-Challenge Id 30 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c
ec006126ddbd781a3811c45a43cc665fa6e6b88
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c356c8f54b145a25fcad284d
(8) Finished request
Received Access-Request Id 31 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506
f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017
3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) Received Access-Request packet from host 10.10.1.1 port 3406, id=31, length=385
(9) User-Name = 'bigman'
(9) Framed-MTU = 1450
(9) EAP-Message =
0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506
f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017
3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
(9) Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
(9) Chargeable-User-Identity = 0x00
(9) NAS-IP-Address = 10.10.1.1
(9) NAS-Identifier = 'WiFi-Controller-7'
(9) NAS-Port = 33558758
(9) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Framed-Protocol = PPP
(9) Calling-Station-Id = '00-18-60-68-03-EC'
(9) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(9) Acct-Session-Id = '115001511383b5ab70'
(9) Framed-IP-Address = 202.189.123.194
(9) State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9) authorize {
(9) filter_username filter_username {
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /@\\./)
(9) if (&User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(9) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9) auth_log : EXPAND %t
(9) auth_log : --> Thu Jan 15 11:38:42 2015
(9) [auth_log] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(9) suffix : Found realm "NULL"
(9) suffix : Adding Stripped-User-Name = "bigman"
(9) suffix : Adding Realm = "NULL"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(9) EXPAND %{Realm}
(9) --> NULL
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(9) eap : Peer sent code Response (2) ID 9 length 144
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9) authenticate {
(9) eap : Expiring EAP session with state 0xde946618de9d7cad
(9) eap : Finished EAP session with state 0xc45fd1a2c356c8f5
(9) eap : Previous EAP request found for state 0xc45fd1a2c356c8f5, released from the list
(9) eap : Peer sent method PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
server Local-WiFi {
(9) eap_peap : Setting User-Name to bob@abc.com
Sending tunneled request
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob@abc.com'
State = 0xde946618de9d7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(9) server inner-tunnel {
(9) Request:
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob@abc.com'
State = 0xde946618de9d7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : Looking up realm "abc.com" for User-Name = "bob@abc.com"
(9) suffix : Found realm "abc.com"
(9) suffix : Adding Stripped-User-Name = "bob"
(9) suffix : Adding Realm = "abc.com"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) update control {
(9) &Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : Peer sent code Response (2) ID 9 length 72
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) if (&EAP-Message)
(9) if (&EAP-Message) -> TRUE
(9) if (&EAP-Message) {
(9) load-balance ldap_Portal_redundant {
(9) redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(9) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(9) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(9) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(9) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk
(9) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(9) ldap_PortalPwd_2 : Waiting for search result...
(9) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(9) ldap_PortalPwd_2 : Processing user attributes
(9) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(9) ldap_PortalPwd_2 : &control:NT-Password :=
0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(9) [ldap_PortalPwd_2] = ok
(9) } # redundant-load-balance ldap_Portal_redundant = ok
(9) if (notfound)
(9) if (notfound) -> FALSE
(9) } # if (&EAP-Message) = ok
(9) ... skipping else for request 9: Preceding "if" was taken
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(9) WARNING: pap : Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xde946618de9d7cad
(9) eap : Finished EAP session with state 0xde946618de9d7cad
(9) eap : Previous EAP request found for state 0xde946618de9d7cad, released from the list
(9) eap : Peer sent method MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2 : Auth-Type MS-CHAP {
(9) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
(9) mschap : Found NT-Password
(9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
(9) mschap : Creating challenge hash with username: bob@abc.com
(9) mschap : Client is using MS-CHAPv2
(9) mschap : Adding MS-CHAPv2 MPPE keys
(9) [mschap] = ok
(9) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(9) eap : New EAP session, adding 'State' attribute to reply 0xde946618df9e7cad
(9) [eap] = handled
(9) } # authenticate = handled
(9) Reply:
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) } # server inner-tunnel
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) eap_peap : Got tunneled Access-Challenge
(9) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cc55c8f5
(9) [eap] = handled
(9) } # authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=31, length=0
(9) EAP-Message =
0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961
0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xc45fd1a2cc55c8f54b145a25fcad284d
Sending Access-Challenge Id 31 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961
0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(9) Finished request
Received Access-Request Id 32 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a
27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) Received Access-Request packet from host 10.10.1.1 port 3406, id=32, length=321
(10) User-Name = 'bigman'
(10) Framed-MTU = 1450
(10) EAP-Message = 0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
(10) Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
(10) Chargeable-User-Identity = 0x00
(10) NAS-IP-Address = 10.10.1.1
(10) NAS-Identifier = 'WiFi-Controller-7'
(10) NAS-Port = 33558758
(10) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Framed-Protocol = PPP
(10) Calling-Station-Id = '00-18-60-68-03-EC'
(10) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(10) Acct-Session-Id = '115001511383b5ab70'
(10) Framed-IP-Address = 202.189.123.194
(10) State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10) authorize {
(10) filter_username filter_username {
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /@\\./)
(10) if (&User-Name =~ /@\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(10) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10) auth_log : EXPAND %t
(10) auth_log : --> Thu Jan 15 11:38:42 2015
(10) [auth_log] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(10) suffix : Found realm "NULL"
(10) suffix : Adding Stripped-User-Name = "bigman"
(10) suffix : Adding Realm = "NULL"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(10) EXPAND %{Realm}
(10) --> NULL
(10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(10) eap : Peer sent code Response (2) ID 10 length 80
(10) eap : Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10) authenticate {
(10) eap : Expiring EAP session with state 0xde946618df9e7cad
(10) eap : Finished EAP session with state 0xc45fd1a2cc55c8f5
(10) eap : Previous EAP request found for state 0xc45fd1a2cc55c8f5, released from the list
(10) eap : Peer sent method PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes
(10) eap_peap : Peap state phase2
(10) eap_peap : EAP type MSCHAPv2 (26)
(10) eap_peap : Got tunneled request
EAP-Message = 0x020a00061a03
server Local-WiFi {
(10) eap_peap : Setting User-Name to bob at abc.com
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob at abc.com'
State = 0xde946618df9e7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(10) server inner-tunnel {
(10) Request:
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob at abc.com'
State = 0xde946618df9e7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : Looking up realm "abc.com" for User-Name = "bob at abc.com"
(10) suffix : Found realm "abc.com"
(10) suffix : Adding Stripped-User-Name = "bob"
(10) suffix : Adding Realm = "abc.com"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) update control {
(10) &Proxy-To-Realm := 'LOCAL'
(10) } # update control = noop
(10) eap : Peer sent code Response (2) ID 10 length 6
(10) eap : No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) if (&EAP-Message)
(10) if (&EAP-Message) -> TRUE
(10) if (&EAP-Message) {
(10) load-balance ldap_Portal_redundant {
(10) redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(10) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(10) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(10) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(10) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk
(10) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(10) ldap_PortalPwd_2 : Waiting for search result...
(10) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(10) ldap_PortalPwd_2 : Processing user attributes
(10) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(10) ldap_PortalPwd_2 : &control:NT-Password := 0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(10) [ldap_PortalPwd_2] = ok
(10) } # redundant-load-balance ldap_Portal_redundant = ok
(10) if (notfound)
(10) if (notfound) -> FALSE
(10) } # if (&EAP-Message) = ok
(10) ... skipping else for request 10: Preceding "if" was taken
(10) [expiration] = noop
(10) [logintime] = noop
(10) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(10) WARNING: pap : Auth-Type already set. Not setting to PAP
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap : Expiring EAP session with state 0xde946618df9e7cad
(10) eap : Finished EAP session with state 0xde946618df9e7cad
(10) eap : Previous EAP request found for state 0xde946618df9e7cad, released from the list
(10) eap : Peer sent method MSCHAPv2 (26)
(10) eap : EAP MSCHAPv2 (26)
(10) eap : Calling eap_mschapv2 to process EAP data
(10) eap : Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) Login OK: [bob at abc.com] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC via TLS tunnel)
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) post-auth {
(10) update outer.reply {
(10) EXPAND %{request:User-Name}
(10) --> bob at abc.com
(10) User-Name = "bob at abc.com"
(10) } # update outer.reply = noop
(10) } # post-auth = noop
(10) Reply:
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) } # server inner-tunnel
} # server inner-tunnel
(10) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) eap_peap : Tunneled authentication was successful
(10) eap_peap : SUCCESS
(10) eap_peap : Saving tunneled attributes for later
(10) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cd54c8f5
(10) [eap] = handled
(10) } # authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=32, length=0
(10) User-Name = 'bob at abc.com'
(10) EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xc45fd1a2cd54c8f54b145a25fcad284d
Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406
User-Name = 'bob at abc.com'
EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(10) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) Received Access-Request packet from host 10.10.1.1 port 3406, id=33, length=321
(11) User-Name = 'bigman'
(11) Framed-MTU = 1450
(11) EAP-Message = 0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
(11) Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
(11) Chargeable-User-Identity = 0x00
(11) NAS-IP-Address = 10.10.1.1
(11) NAS-Identifier = 'WiFi-Controller-7'
(11) NAS-Port = 33558758
(11) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Framed-Protocol = PPP
(11) Calling-Station-Id = '00-18-60-68-03-EC'
(11) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(11) Acct-Session-Id = '115001511383b5ab70'
(11) Framed-IP-Address = 202.189.123.194
(11) State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) authorize {
(11) filter_username filter_username {
(11) if (&User-Name =~ / /)
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@.*@/ )
(11) if (&User-Name =~ /@.*@/ ) -> FALSE
(11) if (&User-Name =~ /\\.\\./ )
(11) if (&User-Name =~ /\\.\\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\\.$/)
(11) if (&User-Name =~ /\\.$/) -> FALSE
(11) if (&User-Name =~ /@\\./)
(11) if (&User-Name =~ /@\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(11) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11) auth_log : EXPAND %t
(11) auth_log : --> Thu Jan 15 11:38:42 2015
(11) [auth_log] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix : Checking for suffix after "@"
(11) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(11) suffix : Found realm "NULL"
(11) suffix : Adding Stripped-User-Name = "bigman"
(11) suffix : Adding Realm = "NULL"
(11) suffix : Authentication realm is LOCAL
(11) [suffix] = ok
(11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(11) EXPAND %{Realm}
(11) --> NULL
(11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(11) eap : Peer sent code Response (2) ID 11 length 80
(11) eap : Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) authenticate {
(11) eap : Expiring EAP session with state 0xc45fd1a2cd54c8f5
(11) eap : Finished EAP session with state 0xc45fd1a2cd54c8f5
(11) eap : Previous EAP request found for state 0xc45fd1a2cd54c8f5, released from the list
(11) eap : Peer sent method PEAP (25)
(11) eap : EAP PEAP (25)
(11) eap : Calling eap_peap to process EAP data
(11) eap_peap : processing EAP-TLS
(11) eap_peap : eaptls_verify returned 7
(11) eap_peap : Done initial handshake
(11) eap_peap : eaptls_process returned 7
(11) eap_peap : FR_TLS_OK
(11) eap_peap : Session established. Decoding tunneled attributes
(11) eap_peap : Peap state send tlv success
(11) eap_peap : Received EAP-TLV response
(11) eap_peap : Success
(11) eap_peap : Using saved attributes from the original Access-Accept
Stripped-User-Name = 'bob'
(11) eap_peap : Saving session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 vps 0xdb9b50 in the cache
(11) eap : Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) Login OK: [bigman] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC)
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) post-auth {
(11) [exec] = noop
(11) remove_reply_message_if_eap remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message)
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else else {
(11) [noop] = noop
(11) } # else else = noop
(11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Sending Access-Accept packet to host 10.10.1.1 port 3406, id=33, length=0
(11) Stripped-User-Name = 'bob'
(11) MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
(11) MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
(11) EAP-MSK = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbfdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
(11) EAP-EMSK = 0x7a6b367b28793e34682cef71b58ec94c2f9dc00044d0e0a83b3b574158756196e40940146e5bbcba4d03755a09bc9ceafe3305b3da7bfe9bffd812066bea9cbb
(11) EAP-Session-Id = 0x1954b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16754b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca3
(11) EAP-Message = 0x030b0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) Stripped-User-Name = 'bigman'
Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406
MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request
Waking up in 0.2 seconds.