freeradius doesn't see user in group (Active Directory) but user belong to this group
stefan nowak
pionartest at gmail.com
Sat Jul 4 09:17:56 CEST 2015
Hi All,
For a few days I've been stuck with the FreeRADIUS configuration. Everything works fine
except one thing: I can't get the information about which group a user belongs to from
Active Directory into FreeRADIUS (I need this to set the VLAN depending on the group).
My FreeRADIUS version is 3.0.4.
As you can see below, user "newuser" is a member of group "computers";
here's the output from ldapsearch:
dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: newuser
givenName: newuser
distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
instanceType: 4
whenCreated: 20150702132126.0Z
whenChanged: 20150703105127.0Z
displayName: newuser
uSNCreated: 82039
memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
uSNChanged: 90187
name: newuser
objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130803168865078125
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: newuser
sAMAccountType: 805306368
userPrincipalName: newuser@test.ad.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130803172388710937
From the log output I see that user "newuser" gets an Access-Accept, but FreeRADIUS
didn't find him in group "computers". Here is the output:
Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
length 129
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000c016e657775736572
Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
length=129
(0) NAS-IP-Address = 192.168.0.2
(0) NAS-Port = 50024
(0) NAS-Port-Type = Ethernet
(0) User-Name = 'newuser'
(0) Called-Station-Id = '00-16-9D-D3-40-D8'
(0) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) EAP-Message = 0x0200000c016e657775736572
(0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : Peer sent code Response (2) ID 0 length 12
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300e913e66
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
length=0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0e9027300e913e6603c734ef610afcab
Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300e913e6603c734ef610afcab
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
length 276
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300e913e6603c734ef610afcab
EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
length=276
(1) NAS-IP-Address = 192.168.0.2
(1) NAS-Port = 50024
(1) NAS-Port-Type = Ethernet
(1) User-Name = 'newuser'
(1) Called-Station-Id = '00-16-9D-D3-40-D8'
(1) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) State = 0x0e9027300e913e6603c734ef610afcab
(1) EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
(1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : Peer sent code Response (2) ID 1 length 141
(1) eap : Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x0e9027300e913e66
(1) eap : Finished EAP session with state 0x0e9027300e913e66
(1) eap : Previous EAP request found for state 0x0e9027300e913e66,
released from the list
(1) eap : Peer sent method PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 131
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
SSL: Client requested cached session
fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300f923e66
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
length=0
(1) EAP-Message =
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0e9027300f923e6603c734ef610afcab
Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300f923e6603c734ef610afcab
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300f923e6603c734ef610afcab
EAP-Message = 0x020200061900
Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
length=141
(2) NAS-IP-Address = 192.168.0.2
(2) NAS-Port = 50024
(2) NAS-Port-Type = Ethernet
(2) User-Name = 'newuser'
(2) Called-Station-Id = '00-16-9D-D3-40-D8'
(2) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) State = 0x0e9027300f923e6603c734ef610afcab
(2) EAP-Message = 0x020200061900
(2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /@\\./)
(2) if (&User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : Peer sent code Response (2) ID 2 length 6
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x0e9027300f923e66
(2) eap : Finished EAP session with state 0x0e9027300f923e66
(2) eap : Previous EAP request found for state 0x0e9027300f923e66,
released from the list
(2) eap : Peer sent method PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300c933e66
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
length=0
(2) EAP-Message =
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x0e9027300c933e6603c734ef610afcab
Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300c933e6603c734ef610afcab
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300c933e6603c734ef610afcab
EAP-Message = 0x020300061900
Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
length=141
(3) NAS-IP-Address = 192.168.0.2
(3) NAS-Port = 50024
(3) NAS-Port-Type = Ethernet
(3) User-Name = 'newuser'
(3) Called-Station-Id = '00-16-9D-D3-40-D8'
(3) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(3) Service-Type = Framed-User
(3) Framed-MTU = 1500
(3) State = 0x0e9027300c933e6603c734ef610afcab
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /@\\./)
(3) if (&User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : Peer sent code Response (2) ID 3 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x0e9027300c933e66
(3) eap : Finished EAP session with state 0x0e9027300c933e66
(3) eap : Previous EAP request found for state 0x0e9027300c933e66,
released from the list
(3) eap : Peer sent method PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300d943e66
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
length=0
(3) EAP-Message =
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x0e9027300d943e6603c734ef610afcab
Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300d943e6603c734ef610afcab
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
length 473
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300d943e6603c734ef610afcab
EAP-Message =
Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
length=473
(4) NAS-IP-Address = 192.168.0.2
(4) NAS-Port = 50024
(4) NAS-Port-Type = Ethernet
(4) User-Name = 'newuser'
(4) Called-Station-Id = '00-16-9D-D3-40-D8'
(4) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(4) Service-Type = Framed-User
(4) Framed-MTU = 1500
(4) State = 0x0e9027300d943e6603c734ef610afcab
(4) EAP-Message =
(4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /@\\./)
(4) if (&User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : Peer sent code Response (2) ID 4 length 336
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x0e9027300d943e66
(4) eap : Finished EAP session with state 0x0e9027300d943e66
(4) eap : Previous EAP request found for state 0x0e9027300d943e66,
released from the list
(4) eap : Peer sent method PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
TLS Length 326
(4) eap_peap : Length Included
(4) eap_peap : eaptls_verify returned 11
(4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) eap_peap : TLS_accept: SSLv3 read client key exchange A
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 read finished A
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 write finished A
(4) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
(4) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300a953e66
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
length=0
(4) EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x0e9027300a953e6603c734ef610afcab
Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300a953e6603c734ef610afcab
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300a953e6603c734ef610afcab
EAP-Message = 0x020500061900
Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
length=141
(5) NAS-IP-Address = 192.168.0.2
(5) NAS-Port = 50024
(5) NAS-Port-Type = Ethernet
(5) User-Name = 'newuser'
(5) Called-Station-Id = '00-16-9D-D3-40-D8'
(5) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(5) Service-Type = Framed-User
(5) Framed-MTU = 1500
(5) State = 0x0e9027300a953e6603c734ef610afcab
(5) EAP-Message = 0x020500061900
(5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /@\\./)
(5) if (&User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : Peer sent code Response (2) ID 5 length 6
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x0e9027300a953e66
(5) eap : Finished EAP session with state 0x0e9027300a953e66
(5) eap : Previous EAP request found for state 0x0e9027300a953e66,
released from the list
(5) eap : Peer sent method PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake is finished
(5) eap_peap : eaptls_verify returned 3
(5) eap_peap : eaptls_process returned 3
(5) eap_peap : FR_TLS_SUCCESS
(5) eap_peap : Session established. Decoding tunneled attributes
(5) eap_peap : Peap state TUNNEL ESTABLISHED
(5) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300b963e66
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
length=0
(5) EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x0e9027300b963e6603c734ef610afcab
Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300b963e6603c734ef610afcab
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300b963e6603c734ef610afcab
EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
length=178
(6) NAS-IP-Address = 192.168.0.2
(6) NAS-Port = 50024
(6) NAS-Port-Type = Ethernet
(6) User-Name = 'newuser'
(6) Called-Station-Id = '00-16-9D-D3-40-D8'
(6) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(6) Service-Type = Framed-User
(6) Framed-MTU = 1500
(6) State = 0x0e9027300b963e6603c734ef610afcab
(6) EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
(6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /@\\./)
(6) if (&User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : Peer sent code Response (2) ID 6 length 43
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x0e9027300b963e66
(6) eap : Finished EAP session with state 0x0e9027300b963e66
(6) eap : Previous EAP request found for state 0x0e9027300b963e66,
released from the list
(6) eap : Peer sent method PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : eaptls_verify returned 7
(6) eap_peap : Done initial handshake
(6) eap_peap : eaptls_process returned 7
(6) eap_peap : FR_TLS_OK
(6) eap_peap : Session established. Decoding tunneled attributes
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY
(6) eap_peap : Identity - newuser
(6) eap_peap : Got inner identity 'newuser'
(6) eap_peap : Setting default EAP type for tunneled EAP session
(6) eap_peap : Got tunneled request
EAP-Message = 0x0206000c016e657775736572
server default {
(6) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message = 0x0206000c016e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(6) server inner-tunnel {
(6) Request:
EAP-Message = 0x0206000c016e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) Proxy-To-Realm := 'LOCAL'
(6) } # update control = noop
(6) eap : Peer sent code Response (2) ID 6 length 12
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap : Peer sent method Identity (1)
(6) eap : Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2 : Issuing Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x51469e48514184c8
(6) [eap] = handled
(6) } # authenticate = handled
(6) Reply:
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) } # server inner-tunnel
} # server inner-tunnel
(6) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) eap_peap : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x0e90273008973e66
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
length=0
(6) EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x0e90273008973e6603c734ef610afcab
Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273008973e6603c734ef610afcab
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
length 242
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273008973e6603c734ef610afcab
EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
length=242
(7) NAS-IP-Address = 192.168.0.2
(7) NAS-Port = 50024
(7) NAS-Port-Type = Ethernet
(7) User-Name = 'newuser'
(7) Called-Station-Id = '00-16-9D-D3-40-D8'
(7) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) State = 0x0e90273008973e6603c734ef610afcab
(7) EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
(7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /@\\./)
(7) if (&User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : Peer sent code Response (2) ID 7 length 107
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x51469e48514184c8
(7) eap : Finished EAP session with state 0x0e90273008973e66
(7) eap : Previous EAP request found for state 0x0e90273008973e66,
released from the list
(7) eap : Peer sent method PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state phase2
(7) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : Got tunneled request
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
server default {
(7) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48514184c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(7) server inner-tunnel {
(7) Request:
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48514184c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : Peer sent code Response (2) ID 7 length 66
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap : --> (uid=newuser)
(7) ldap : EXPAND dc=test,dc=ad,dc=com
(7) ldap : --> dc=test,dc=ad,dc=com
(7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(7) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (4)
(7) [ldap] = notfound
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Expiring EAP session with state 0x51469e48514184c8
(7) eap : Finished EAP session with state 0x51469e48514184c8
(7) eap : Previous EAP request found for state 0x51469e48514184c8,
released from the list
(7) eap : Peer sent method MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2 : Auth-Type MS-CHAP {
(7) mschap : Creating challenge hash with username: newuser
(7) mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap : EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap : --> --username=newuser
(7) mschap : Creating challenge hash with username: newuser
(7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap : --> --challenge=141c75ef267aec37
(7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap : -->
--nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
Program returned code (0) and output 'NT_KEY:
917FDA71960ECCF4DF81D38405F86F42'
(7) mschap : Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(7) eap : New EAP session, adding 'State' attribute to reply
0x51469e48504e84c8
(7) [eap] = handled
(7) } # authenticate = handled
(7) Reply:
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) } # server inner-tunnel
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0x0e90273009983e66
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
length=0
(7) EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x0e90273009983e6603c734ef610afcab
Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273009983e6603c734ef610afcab
(7) Finished request
Waking up in 4.5 seconds.
Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273009983e6603c734ef610afcab
EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
length=178
(8) NAS-IP-Address = 192.168.0.2
(8) NAS-Port = 50024
(8) NAS-Port-Type = Ethernet
(8) User-Name = 'newuser'
(8) Called-Station-Id = '00-16-9D-D3-40-D8'
(8) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) State = 0x0e90273009983e6603c734ef610afcab
(8) EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
(8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /@\\./)
(8) if (&User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) eap : Peer sent code Response (2) ID 8 length 43
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x51469e48504e84c8
(8) eap : Finished EAP session with state 0x0e90273009983e66
(8) eap : Previous EAP request found for state 0x0e90273009983e66,
released from the list
(8) eap : Peer sent method PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x020800061a03
server default {
(8) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48504e84c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(8) server inner-tunnel {
(8) Request:
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48504e84c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : Peer sent code Response (2) ID 8 length 6
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap : --> (uid=newuser)
(8) ldap : EXPAND dc=test,dc=ad,dc=com
(8) ldap : --> dc=test,dc=ad,dc=com
(8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (3)
rlm_ldap (ldap): 0 of 3 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to 192.168.0.20:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = notfound
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0x51469e48504e84c8
(8) eap : Finished EAP session with state 0x51469e48504e84c8
(8) eap : Previous EAP request found for state 0x51469e48504e84c8,
released from the list
(8) eap : Peer sent method MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap : Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) ldap : EXPAND .
(8) ldap : --> .
(8) ldap : EXPAND Authenticated at %S
(8) ldap : --> Authenticated at 2015-07-03 14:28:13
rlm_ldap (ldap): Reserved connection (5)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap : --> (uid=newuser)
(8) ldap : EXPAND dc=test,dc=ad,dc=com
(8) ldap : --> dc=test,dc=ad,dc=com
(8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (5)
(8) [ldap] = notfound
(8) } # post-auth = notfound
(8) Reply:
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) } # server inner-tunnel
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) eap_peap : Tunneled authentication was successful
(8) eap_peap : SUCCESS
(8) eap_peap : Saving tunneled attributes for later
(8) eap : New EAP session, adding 'State' attribute to reply
0x0e90273006993e66
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
length=0
(8) EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x0e90273006993e6603c734ef610afcab
Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273006993e6603c734ef610afcab
(8) Finished request
Waking up in 3.8 seconds.
Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273006993e6603c734ef610afcab
EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
length=178
(9) NAS-IP-Address = 192.168.0.2
(9) NAS-Port = 50024
(9) NAS-Port-Type = Ethernet
(9) User-Name = 'newuser'
(9) Called-Station-Id = '00-16-9D-D3-40-D8'
(9) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) State = 0x0e90273006993e6603c734ef610afcab
(9) EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
(9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (!&User-Name)
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /@\\./)
(9) if (&User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) eap : Peer sent code Response (2) ID 9 length 43
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x0e90273006993e66
(9) eap : Finished EAP session with state 0x0e90273006993e66
(9) eap : Previous EAP request found for state 0x0e90273006993e66,
released from the list
(9) eap : Peer sent method PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state send tlv success
(9) eap_peap : Received EAP-TLV response
(9) eap_peap : Success
(9) eap_peap : Using saved attributes from the original Access-Accept
User-Name = 'newuser'
(9) eap_peap : Saving session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
0x7f6012aedf20 in the cache
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) ldap : EXPAND .
(9) ldap : --> .
(9) ldap : EXPAND Authenticated at %S
(9) ldap : --> Authenticated at 2015-07-03 14:28:14
rlm_ldap (ldap): Reserved connection (2)
(9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap : --> (uid=newuser)
(9) ldap : EXPAND dc=test,dc=ad,dc=com
(9) ldap : --> dc=test,dc=ad,dc=com
(9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (2)
(9) [ldap] = notfound
(9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
(9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
rlm_ldap (ldap): Reserved connection (1)
(9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) --> (uid=newuser)
(9) EXPAND dc=test,dc=ad,dc=com
(9) --> dc=test,dc=ad,dc=com
(9) Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) Search returned no results
rlm_ldap (ldap): Deleting connection (1)
(9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
FALSE
(9) [exec] = noop
(9) remove_reply_message_if_eap remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message)
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else else {
(9) [noop] = noop
(9) } # else else = noop
(9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
length=0
(9) User-Name = 'newuser'
(9) MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
(9) MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9) EAP-MSK =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9) EAP-EMSK =
0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
(9) EAP-Session-Id =
0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
User-Name = 'newuser'
MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
In the ldap config file, the part related to users and groups looks like below:
user {
        base_dn = "dc=test,dc=ad,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
        base_dn = "dc=test,dc=ad,dc=com"
        filter = "(objectClass=posixGroup)"
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = "memberOf"
}
Why can't freeradius match group "computers" to user "newuser"?
I would be very glad of any help.
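The following is an added example, not code from the post above or from FreeRADIUS. It replays, offline, the two steps rlm_ldap performs in the debug output: the user search with the configured filter, and then the LDAP-Group test against the user's memberOf values. The input is a constructed subset of the ldapsearch output quoted at the top of the thread (the CN=newuser entry, which has sAMAccountName and memberOf but, like any stock Active Directory object, no uid attribute). All function names are the example's own. It shows why "(uid=newuser)" produces the "Search returned no results" seen in every ldap call in the log, and that once the entry is found with a filter on sAMAccountName the memberOf value matches the group DN used in the post-auth check, with the CN=/DC= versus cn=/dc= difference handled by case-insensitive DN comparison.

```python
"""Replay rlm_ldap's user lookup and memberOf group check against the post's entry.

Added example (not from the post or FreeRADIUS). Step 1 mirrors the
'user { filter = ... }' search; step 2 mirrors the LDAP-Group comparison
when membership_attribute = "memberOf".
"""
import base64
import re

# Constructed sample: the attributes of CN=newuser from the post's ldapsearch
# output that matter here. As in real AD there is no "uid" attribute.
SAMPLE_LDIF = """\
dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: newuser
distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
primaryGroupID: 513
sAMAccountName: newuser
userPrincipalName: newuser@test.ad.com
"""

# 'attr: value' or base64 'attr:: value'; folded continuation lines are not
# handled because the sample contains none.
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF records into dicts of {attr_lower: [values]}.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; base64 values are decoded to a latin-1 string.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        name, kind, value = m.groups()
        if kind == "::":
            value = base64.b64decode(value).decode("latin-1")
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def _split_subfilters(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'] by parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, ldap_filter):
    """Evaluate an RFC 4515 filter limited to =, &, | and ! against one entry.

    Equality is case-insensitive (AD's default matching rule for these
    attributes); an attribute the entry does not carry never matches.
    """
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % ldap_filter)
    body = f[1:-1]
    if body[:1] == "&":
        return all(matches(entry, sub) for sub in _split_subfilters(body[1:]))
    if body[:1] == "|":
        return any(matches(entry, sub) for sub in _split_subfilters(body[1:]))
    if body[:1] == "!":
        return not matches(entry, body[1:])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("only equality matches are supported: %r" % ldap_filter)
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def find_user(entries, ldap_filter):
    """Step 1: the 'user { filter = ... }' search; returns matching entries."""
    return [e for e in entries if matches(e, ldap_filter)]


def normalize_dn(dn):
    """Canonical DN for comparison: lower-case, no blanks around commas.

    Naive on purpose (escaped commas are not handled); enough for AD group DNs.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_group(entry, group_dn, membership_attribute="memberOf"):
    """Step 2 with membership_attribute = memberOf: does the user's entry list
    the requested group DN? Compared canonically, so the post's cn=/dc= spelling
    matches AD's CN=/DC= values."""
    wanted = normalize_dn(group_dn)
    values = entry.get(membership_attribute.lower(), [])
    return any(normalize_dn(v) == wanted for v in values)


def ldap_group_check(entries, user_filter, group_dn):
    """What '(LDAP-Group == "...")' evaluates to: False whenever the user search
    is empty, since there is then no memberOf attribute to examine."""
    found = find_user(entries, user_filter)
    return bool(found) and in_group(found[0], group_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    group = "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
    # The post's filter: no uid attribute in AD, so no entry and no group match.
    print("(uid=newuser)           ->", ldap_group_check(directory, "(uid=newuser)", group))
    # Filter on the attribute AD actually stores the login name in.
    print("(sAMAccountName=newuser) ->", ldap_group_check(directory, "(sAMAccountName=newuser)", group))
```

In rlm_ldap terms the same change is a user filter of "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" instead of one on uid; the group section's "(objectClass=posixGroup)" filter likewise matches no Active Directory group, whose objectClass is "group", and memberUid is not an AD attribute, so only the member=/memberOf side of that configuration can ever succeed against AD. Note also that radiusd -X output such as the one above prints the NT_KEY and the MS-MPPE and EAP-MSK session keys in clear; treat such captures as secrets when sharing them.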