freeradius doesn't see user in group (Active Directory) but user belong to this group

stefan nowak pionartest at gmail.com
Sat Jul 4 09:17:56 CEST 2015


Hi All,

For a few days I've been stuck with the freeradius configuration. All works well
except one thing: I can't get the info from Active Directory to freeradius about
which group the user belongs to (I need this to set the VLAN depending on the group).
My freeradius version is 3.0.4.

As you can see below, user "newuser" belongs to group "computers";
here's the output from ldapsearch:

dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: newuser
givenName: newuser
distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
instanceType: 4
whenCreated: 20150702132126.0Z
whenChanged: 20150703105127.0Z
displayName: newuser
uSNCreated: 82039
memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
uSNChanged: 90187
name: newuser
objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130803168865078125
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: newuser
sAMAccountType: 805306368
userPrincipalName: newuser at test.ad.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130803172388710937


From the log output I see that user "newuser" gets an Access-Accept, but freeradius
didn't find him in group "computers". Here is the output:

Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
length 129
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0200000c016e657775736572
        Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
length=129
(0)     NAS-IP-Address = 192.168.0.2
(0)     NAS-Port = 50024
(0)     NAS-Port-Type = Ethernet
(0)     User-Name = 'newuser'
(0)     Called-Station-Id = '00-16-9D-D3-40-D8'
(0)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(0)     Service-Type = Framed-User
(0)     Framed-MTU = 1500
(0)     EAP-Message = 0x0200000c016e657775736572
(0)     Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : Peer sent code Response (2) ID 0 length 12
(0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0)  eap : Peer sent method Identity (1)
(0)  eap : Calling eap_peap to process EAP data
(0)  eap_peap : Flushing SSL sessions (of #0)
(0)  eap_peap : Initiate
(0)  eap_peap : Start returned 1
(0)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300e913e66
(0)   [eap] = handled
(0)  } #  authenticate = handled
(0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
length=0
(0)     EAP-Message = 0x010100061920
(0)     Message-Authenticator = 0x00000000000000000000000000000000
(0)     State = 0x0e9027300e913e6603c734ef610afcab
Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300e913e6603c734ef610afcab
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
length 276
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300e913e6603c734ef610afcab
        EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
        Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
length=276
(1)     NAS-IP-Address = 192.168.0.2
(1)     NAS-Port = 50024
(1)     NAS-Port-Type = Ethernet
(1)     User-Name = 'newuser'
(1)     Called-Station-Id = '00-16-9D-D3-40-D8'
(1)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(1)     Service-Type = Framed-User
(1)     Framed-MTU = 1500
(1)     State = 0x0e9027300e913e6603c734ef610afcab
(1)     EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
(1)     Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (!&User-Name)
(1)     if (!&User-Name)  -> FALSE
(1)     if (&User-Name =~ / /)
(1)     if (&User-Name =~ / /)  -> FALSE
(1)     if (&User-Name =~ /@.*@/ )
(1)     if (&User-Name =~ /@.*@/ )  -> FALSE
(1)     if (&User-Name =~ /\\.\\./ )
(1)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(1)     if (&User-Name =~ /\\.$/)
(1)     if (&User-Name =~ /\\.$/)   -> FALSE
(1)     if (&User-Name =~ /@\\./)
(1)     if (&User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1)  suffix : Checking for suffix after "@"
(1)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(1)  suffix : No such realm "NULL"
(1)   [suffix] = noop
(1)  eap : Peer sent code Response (2) ID 1 length 141
(1)  eap : Continuing tunnel setup
(1)   [eap] = ok
(1)  } #  authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1)  eap : Expiring EAP session with state 0x0e9027300e913e66
(1)  eap : Finished EAP session with state 0x0e9027300e913e66
(1)  eap : Previous EAP request found for state 0x0e9027300e913e66,
released from the list
(1)  eap : Peer sent method PEAP (25)
(1)  eap : EAP PEAP (25)
(1)  eap : Calling eap_peap to process EAP data
(1)  eap_peap : processing EAP-TLS
  TLS Length 131
(1)  eap_peap : Length Included
(1)  eap_peap : eaptls_verify returned 11
(1)  eap_peap : (other): before/accept initialization
(1)  eap_peap : TLS_accept: before/accept initialization
(1)  eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
  SSL: Client requested cached session
fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
(1)  eap_peap : TLS_accept: SSLv3 read client hello A
(1)  eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1)  eap_peap : TLS_accept: SSLv3 write server hello A
(1)  eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(1)  eap_peap : TLS_accept: SSLv3 write certificate A
(1)  eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1)  eap_peap : TLS_accept: SSLv3 write server done A
(1)  eap_peap : TLS_accept: SSLv3 flush data
(1)  eap_peap : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1)  eap_peap : eaptls_process returned 13
(1)  eap_peap : FR_TLS_HANDLED
(1)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300f923e66
(1)   [eap] = handled
(1)  } #  authenticate = handled
(1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
length=0
(1)     EAP-Message =
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
(1)     Message-Authenticator = 0x00000000000000000000000000000000
(1)     State = 0x0e9027300f923e6603c734ef610afcab
Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300f923e6603c734ef610afcab
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300f923e6603c734ef610afcab
        EAP-Message = 0x020200061900
        Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
length=141
(2)     NAS-IP-Address = 192.168.0.2
(2)     NAS-Port = 50024
(2)     NAS-Port-Type = Ethernet
(2)     User-Name = 'newuser'
(2)     Called-Station-Id = '00-16-9D-D3-40-D8'
(2)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(2)     Service-Type = Framed-User
(2)     Framed-MTU = 1500
(2)     State = 0x0e9027300f923e6603c734ef610afcab
(2)     EAP-Message = 0x020200061900
(2)     Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (!&User-Name)
(2)     if (!&User-Name)  -> FALSE
(2)     if (&User-Name =~ / /)
(2)     if (&User-Name =~ / /)  -> FALSE
(2)     if (&User-Name =~ /@.*@/ )
(2)     if (&User-Name =~ /@.*@/ )  -> FALSE
(2)     if (&User-Name =~ /\\.\\./ )
(2)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(2)     if (&User-Name =~ /\\.$/)
(2)     if (&User-Name =~ /\\.$/)   -> FALSE
(2)     if (&User-Name =~ /@\\./)
(2)     if (&User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2)  suffix : Checking for suffix after "@"
(2)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(2)  suffix : No such realm "NULL"
(2)   [suffix] = noop
(2)  eap : Peer sent code Response (2) ID 2 length 6
(2)  eap : Continuing tunnel setup
(2)   [eap] = ok
(2)  } #  authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2)  eap : Expiring EAP session with state 0x0e9027300f923e66
(2)  eap : Finished EAP session with state 0x0e9027300f923e66
(2)  eap : Previous EAP request found for state 0x0e9027300f923e66,
released from the list
(2)  eap : Peer sent method PEAP (25)
(2)  eap : EAP PEAP (25)
(2)  eap : Calling eap_peap to process EAP data
(2)  eap_peap : processing EAP-TLS
(2)  eap_peap : Received TLS ACK
(2)  eap_peap : Received TLS ACK
(2)  eap_peap : ACK handshake fragment handler
(2)  eap_peap : eaptls_verify returned 1
(2)  eap_peap : eaptls_process returned 13
(2)  eap_peap : FR_TLS_HANDLED
(2)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300c933e66
(2)   [eap] = handled
(2)  } #  authenticate = handled
(2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
length=0
(2)     EAP-Message =
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
(2)     Message-Authenticator = 0x00000000000000000000000000000000
(2)     State = 0x0e9027300c933e6603c734ef610afcab
Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300c933e6603c734ef610afcab
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300c933e6603c734ef610afcab
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
length=141
(3)     NAS-IP-Address = 192.168.0.2
(3)     NAS-Port = 50024
(3)     NAS-Port-Type = Ethernet
(3)     User-Name = 'newuser'
(3)     Called-Station-Id = '00-16-9D-D3-40-D8'
(3)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(3)     Service-Type = Framed-User
(3)     Framed-MTU = 1500
(3)     State = 0x0e9027300c933e6603c734ef610afcab
(3)     EAP-Message = 0x020300061900
(3)     Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)   filter_username filter_username {
(3)     if (!&User-Name)
(3)     if (!&User-Name)  -> FALSE
(3)     if (&User-Name =~ / /)
(3)     if (&User-Name =~ / /)  -> FALSE
(3)     if (&User-Name =~ /@.*@/ )
(3)     if (&User-Name =~ /@.*@/ )  -> FALSE
(3)     if (&User-Name =~ /\\.\\./ )
(3)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(3)     if (&User-Name =~ /\\.$/)
(3)     if (&User-Name =~ /\\.$/)   -> FALSE
(3)     if (&User-Name =~ /@\\./)
(3)     if (&User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3)  suffix : Checking for suffix after "@"
(3)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(3)  suffix : No such realm "NULL"
(3)   [suffix] = noop
(3)  eap : Peer sent code Response (2) ID 3 length 6
(3)  eap : Continuing tunnel setup
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3)  eap : Expiring EAP session with state 0x0e9027300c933e66
(3)  eap : Finished EAP session with state 0x0e9027300c933e66
(3)  eap : Previous EAP request found for state 0x0e9027300c933e66,
released from the list
(3)  eap : Peer sent method PEAP (25)
(3)  eap : EAP PEAP (25)
(3)  eap : Calling eap_peap to process EAP data
(3)  eap_peap : processing EAP-TLS
(3)  eap_peap : Received TLS ACK
(3)  eap_peap : Received TLS ACK
(3)  eap_peap : ACK handshake fragment handler
(3)  eap_peap : eaptls_verify returned 1
(3)  eap_peap : eaptls_process returned 13
(3)  eap_peap : FR_TLS_HANDLED
(3)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300d943e66
(3)   [eap] = handled
(3)  } #  authenticate = handled
(3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
length=0
(3)     EAP-Message =
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
(3)     Message-Authenticator = 0x00000000000000000000000000000000
(3)     State = 0x0e9027300d943e6603c734ef610afcab
Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300d943e6603c734ef610afcab
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
length 473
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300d943e6603c734ef610afcab
        EAP-Message =
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
        Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
length=473
(4)     NAS-IP-Address = 192.168.0.2
(4)     NAS-Port = 50024
(4)     NAS-Port-Type = Ethernet
(4)     User-Name = 'newuser'
(4)     Called-Station-Id = '00-16-9D-D3-40-D8'
(4)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(4)     Service-Type = Framed-User
(4)     Framed-MTU = 1500
(4)     State = 0x0e9027300d943e6603c734ef610afcab
(4)     EAP-Message =
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
(4)     Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)   filter_username filter_username {
(4)     if (!&User-Name)
(4)     if (!&User-Name)  -> FALSE
(4)     if (&User-Name =~ / /)
(4)     if (&User-Name =~ / /)  -> FALSE
(4)     if (&User-Name =~ /@.*@/ )
(4)     if (&User-Name =~ /@.*@/ )  -> FALSE
(4)     if (&User-Name =~ /\\.\\./ )
(4)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(4)     if (&User-Name =~ /\\.$/)
(4)     if (&User-Name =~ /\\.$/)   -> FALSE
(4)     if (&User-Name =~ /@\\./)
(4)     if (&User-Name =~ /@\\./)   -> FALSE
(4)   } # filter_username filter_username = notfound
(4)   [preprocess] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)   [digest] = noop
(4)  suffix : Checking for suffix after "@"
(4)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(4)  suffix : No such realm "NULL"
(4)   [suffix] = noop
(4)  eap : Peer sent code Response (2) ID 4 length 336
(4)  eap : Continuing tunnel setup
(4)   [eap] = ok
(4)  } #  authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4)  eap : Expiring EAP session with state 0x0e9027300d943e66
(4)  eap : Finished EAP session with state 0x0e9027300d943e66
(4)  eap : Previous EAP request found for state 0x0e9027300d943e66,
released from the list
(4)  eap : Peer sent method PEAP (25)
(4)  eap : EAP PEAP (25)
(4)  eap : Calling eap_peap to process EAP data
(4)  eap_peap : processing EAP-TLS
  TLS Length 326
(4)  eap_peap : Length Included
(4)  eap_peap : eaptls_verify returned 11
(4)  eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4)  eap_peap : TLS_accept: SSLv3 read client key exchange A
(4)  eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4)  eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4)  eap_peap : TLS_accept: SSLv3 read finished A
(4)  eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4)  eap_peap : TLS_accept: SSLv3 write change cipher spec A
(4)  eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4)  eap_peap : TLS_accept: SSLv3 write finished A
(4)  eap_peap : TLS_accept: SSLv3 flush data
  SSL: adding session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
(4)  eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(4)  eap_peap : eaptls_process returned 13
(4)  eap_peap : FR_TLS_HANDLED
(4)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300a953e66
(4)   [eap] = handled
(4)  } #  authenticate = handled
(4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
length=0
(4)     EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
(4)     Message-Authenticator = 0x00000000000000000000000000000000
(4)     State = 0x0e9027300a953e6603c734ef610afcab
Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300a953e6603c734ef610afcab
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300a953e6603c734ef610afcab
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
length=141
(5)     NAS-IP-Address = 192.168.0.2
(5)     NAS-Port = 50024
(5)     NAS-Port-Type = Ethernet
(5)     User-Name = 'newuser'
(5)     Called-Station-Id = '00-16-9D-D3-40-D8'
(5)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(5)     Service-Type = Framed-User
(5)     Framed-MTU = 1500
(5)     State = 0x0e9027300a953e6603c734ef610afcab
(5)     EAP-Message = 0x020500061900
(5)     Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)   filter_username filter_username {
(5)     if (!&User-Name)
(5)     if (!&User-Name)  -> FALSE
(5)     if (&User-Name =~ / /)
(5)     if (&User-Name =~ / /)  -> FALSE
(5)     if (&User-Name =~ /@.*@/ )
(5)     if (&User-Name =~ /@.*@/ )  -> FALSE
(5)     if (&User-Name =~ /\\.\\./ )
(5)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(5)     if (&User-Name =~ /\\.$/)
(5)     if (&User-Name =~ /\\.$/)   -> FALSE
(5)     if (&User-Name =~ /@\\./)
(5)     if (&User-Name =~ /@\\./)   -> FALSE
(5)   } # filter_username filter_username = notfound
(5)   [preprocess] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)   [digest] = noop
(5)  suffix : Checking for suffix after "@"
(5)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(5)  suffix : No such realm "NULL"
(5)   [suffix] = noop
(5)  eap : Peer sent code Response (2) ID 5 length 6
(5)  eap : Continuing tunnel setup
(5)   [eap] = ok
(5)  } #  authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5)  eap : Expiring EAP session with state 0x0e9027300a953e66
(5)  eap : Finished EAP session with state 0x0e9027300a953e66
(5)  eap : Previous EAP request found for state 0x0e9027300a953e66,
released from the list
(5)  eap : Peer sent method PEAP (25)
(5)  eap : EAP PEAP (25)
(5)  eap : Calling eap_peap to process EAP data
(5)  eap_peap : processing EAP-TLS
(5)  eap_peap : Received TLS ACK
(5)  eap_peap : Received TLS ACK
(5)  eap_peap : ACK handshake is finished
(5)  eap_peap : eaptls_verify returned 3
(5)  eap_peap : eaptls_process returned 3
(5)  eap_peap : FR_TLS_SUCCESS
(5)  eap_peap : Session established.  Decoding tunneled attributes
(5)  eap_peap : Peap state TUNNEL ESTABLISHED
(5)  eap : New EAP session, adding 'State' attribute to reply
0x0e9027300b963e66
(5)   [eap] = handled
(5)  } #  authenticate = handled
(5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
length=0
(5)     EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
(5)     Message-Authenticator = 0x00000000000000000000000000000000
(5)     State = 0x0e9027300b963e6603c734ef610afcab
Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e9027300b963e6603c734ef610afcab
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e9027300b963e6603c734ef610afcab
        EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
        Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
length=178
(6)     NAS-IP-Address = 192.168.0.2
(6)     NAS-Port = 50024
(6)     NAS-Port-Type = Ethernet
(6)     User-Name = 'newuser'
(6)     Called-Station-Id = '00-16-9D-D3-40-D8'
(6)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(6)     Service-Type = Framed-User
(6)     Framed-MTU = 1500
(6)     State = 0x0e9027300b963e6603c734ef610afcab
(6)     EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
(6)     Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)   filter_username filter_username {
(6)     if (!&User-Name)
(6)     if (!&User-Name)  -> FALSE
(6)     if (&User-Name =~ / /)
(6)     if (&User-Name =~ / /)  -> FALSE
(6)     if (&User-Name =~ /@.*@/ )
(6)     if (&User-Name =~ /@.*@/ )  -> FALSE
(6)     if (&User-Name =~ /\\.\\./ )
(6)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(6)     if (&User-Name =~ /\\.$/)
(6)     if (&User-Name =~ /\\.$/)   -> FALSE
(6)     if (&User-Name =~ /@\\./)
(6)     if (&User-Name =~ /@\\./)   -> FALSE
(6)   } # filter_username filter_username = notfound
(6)   [preprocess] = ok
(6)   [chap] = noop
(6)   [mschap] = noop
(6)   [digest] = noop
(6)  suffix : Checking for suffix after "@"
(6)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6)  suffix : No such realm "NULL"
(6)   [suffix] = noop
(6)  eap : Peer sent code Response (2) ID 6 length 43
(6)  eap : Continuing tunnel setup
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6)  eap : Expiring EAP session with state 0x0e9027300b963e66
(6)  eap : Finished EAP session with state 0x0e9027300b963e66
(6)  eap : Previous EAP request found for state 0x0e9027300b963e66,
released from the list
(6)  eap : Peer sent method PEAP (25)
(6)  eap : EAP PEAP (25)
(6)  eap : Calling eap_peap to process EAP data
(6)  eap_peap : processing EAP-TLS
(6)  eap_peap : eaptls_verify returned 7
(6)  eap_peap : Done initial handshake
(6)  eap_peap : eaptls_process returned 7
(6)  eap_peap : FR_TLS_OK
(6)  eap_peap : Session established.  Decoding tunneled attributes
(6)  eap_peap : Peap state WAITING FOR INNER IDENTITY
(6)  eap_peap : Identity - newuser
(6)  eap_peap : Got inner identity 'newuser'
(6)  eap_peap : Setting default EAP type for tunneled EAP session
(6)  eap_peap : Got tunneled request
        EAP-Message = 0x0206000c016e657775736572
server default {
(6)  eap_peap : Setting User-Name to newuser
Sending tunneled request
        EAP-Message = 0x0206000c016e657775736572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
server inner-tunnel {
(6)  server inner-tunnel {
(6)    Request:
        EAP-Message = 0x0206000c016e657775736572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
(6)  # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6)    authorize {
(6)    [chap] = noop
(6)    [mschap] = noop
(6)   suffix : Checking for suffix after "@"
(6)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6)   suffix : No such realm "NULL"
(6)    [suffix] = noop
(6)    update control {
(6)     Proxy-To-Realm := 'LOCAL'
(6)    } # update control = noop
(6)   eap : Peer sent code Response (2) ID 6 length 12
(6)   eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6)    [eap] = ok
(6)   } #  authorize = ok
(6)  Found Auth-Type = EAP
(6)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)    authenticate {
(6)   eap : Peer sent method Identity (1)
(6)   eap : Calling eap_mschapv2 to process EAP data
(6)   eap_mschapv2 : Issuing Challenge
(6)   eap : New EAP session, adding 'State' attribute to reply
0x51469e48514184c8
(6)    [eap] = handled
(6)   } #  authenticate = handled
(6)    Reply:
        EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48514184c89c06397edfb2b9f6
(6)  } # server inner-tunnel
} # server inner-tunnel
(6)  eap_peap : Got tunneled reply code 11
        EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48514184c89c06397edfb2b9f6
(6)  eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48514184c89c06397edfb2b9f6
(6)  eap_peap : Got tunneled Access-Challenge
(6)  eap : New EAP session, adding 'State' attribute to reply
0x0e90273008973e66
(6)   [eap] = handled
(6)  } #  authenticate = handled
(6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
length=0
(6)     EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
(6)     Message-Authenticator = 0x00000000000000000000000000000000
(6)     State = 0x0e90273008973e6603c734ef610afcab
Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e90273008973e6603c734ef610afcab
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
length 242
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e90273008973e6603c734ef610afcab
        EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
        Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
length=242
(7)     NAS-IP-Address = 192.168.0.2
(7)     NAS-Port = 50024
(7)     NAS-Port-Type = Ethernet
(7)     User-Name = 'newuser'
(7)     Called-Station-Id = '00-16-9D-D3-40-D8'
(7)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(7)     Service-Type = Framed-User
(7)     Framed-MTU = 1500
(7)     State = 0x0e90273008973e6603c734ef610afcab
(7)     EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
(7)     Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)   filter_username filter_username {
(7)     if (!&User-Name)
(7)     if (!&User-Name)  -> FALSE
(7)     if (&User-Name =~ / /)
(7)     if (&User-Name =~ / /)  -> FALSE
(7)     if (&User-Name =~ /@.*@/ )
(7)     if (&User-Name =~ /@.*@/ )  -> FALSE
(7)     if (&User-Name =~ /\\.\\./ )
(7)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(7)     if (&User-Name =~ /\\.$/)
(7)     if (&User-Name =~ /\\.$/)   -> FALSE
(7)     if (&User-Name =~ /@\\./)
(7)     if (&User-Name =~ /@\\./)   -> FALSE
(7)   } # filter_username filter_username = notfound
(7)   [preprocess] = ok
(7)   [chap] = noop
(7)   [mschap] = noop
(7)   [digest] = noop
(7)  suffix : Checking for suffix after "@"
(7)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7)  suffix : No such realm "NULL"
(7)   [suffix] = noop
(7)  eap : Peer sent code Response (2) ID 7 length 107
(7)  eap : Continuing tunnel setup
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7)  eap : Expiring EAP session with state 0x51469e48514184c8
(7)  eap : Finished EAP session with state 0x0e90273008973e66
(7)  eap : Previous EAP request found for state 0x0e90273008973e66,
released from the list
(7)  eap : Peer sent method PEAP (25)
(7)  eap : EAP PEAP (25)
(7)  eap : Calling eap_peap to process EAP data
(7)  eap_peap : processing EAP-TLS
(7)  eap_peap : eaptls_verify returned 7
(7)  eap_peap : Done initial handshake
(7)  eap_peap : eaptls_process returned 7
(7)  eap_peap : FR_TLS_OK
(7)  eap_peap : Session established.  Decoding tunneled attributes
(7)  eap_peap : Peap state phase2
(7)  eap_peap : EAP type MSCHAPv2 (26)
(7)  eap_peap : Got tunneled request
        EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
server default {
(7)  eap_peap : Setting User-Name to newuser
Sending tunneled request
        EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        State = 0x51469e48514184c89c06397edfb2b9f6
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
server inner-tunnel {
(7)  server inner-tunnel {
(7)    Request:
        EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        State = 0x51469e48514184c89c06397edfb2b9f6
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
(7)  # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7)    authorize {
(7)    [chap] = noop
(7)    [mschap] = noop
(7)   suffix : Checking for suffix after "@"
(7)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7)   suffix : No such realm "NULL"
(7)    [suffix] = noop
(7)    update control {
(7)     Proxy-To-Realm := 'LOCAL'
(7)    } # update control = noop
(7)   eap : Peer sent code Response (2) ID 7 length 66
(7)   eap : No EAP Start, assuming it's an on-going EAP conversation
(7)    [eap] = updated
(7)    [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(7)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7)   ldap :    --> (uid=newuser)
(7)   ldap : EXPAND dc=test,dc=ad,dc=com
(7)   ldap :    --> dc=test,dc=ad,dc=com
(7)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(7)   ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7)   ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (4)
(7)    [ldap] = notfound
(7)    [expiration] = noop
(7)    [logintime] = noop
(7)    [pap] = noop
(7)   } #  authorize = updated
(7)  Found Auth-Type = EAP
(7)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)    authenticate {
(7)   eap : Expiring EAP session with state 0x51469e48514184c8
(7)   eap : Finished EAP session with state 0x51469e48514184c8
(7)   eap : Previous EAP request found for state 0x51469e48514184c8,
released from the list
(7)   eap : Peer sent method MSCHAPv2 (26)
(7)   eap : EAP MSCHAPv2 (26)
(7)   eap : Calling eap_mschapv2 to process EAP data
(7)   eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7)   eap_mschapv2 :  Auth-Type MS-CHAP {
(7)    mschap : Creating challenge hash with username: newuser
(7)    mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(7)    mschap : EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7)    mschap :    --> --username=newuser
(7)    mschap : Creating challenge hash with username: newuser
(7)    mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7)    mschap :    --> --challenge=141c75ef267aec37
(7)    mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7)    mschap :    -->
--nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
Program returned code (0) and output 'NT_KEY:
917FDA71960ECCF4DF81D38405F86F42'
(7)    mschap : Adding MS-CHAPv2 MPPE keys
(7)     [mschap] = ok
(7)    } # Auth-Type MS-CHAP = ok
MSCHAP Success
(7)   eap : New EAP session, adding 'State' attribute to reply
0x51469e48504e84c8
(7)    [eap] = handled
(7)   } #  authenticate = handled
(7)    Reply:
        EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48504e84c89c06397edfb2b9f6
(7)  } # server inner-tunnel
} # server inner-tunnel
(7)  eap_peap : Got tunneled reply code 11
        EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48504e84c89c06397edfb2b9f6
(7)  eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x51469e48504e84c89c06397edfb2b9f6
(7)  eap_peap : Got tunneled Access-Challenge
(7)  eap : New EAP session, adding 'State' attribute to reply
0x0e90273009983e66
(7)   [eap] = handled
(7)  } #  authenticate = handled
(7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
length=0
(7)     EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
(7)     Message-Authenticator = 0x00000000000000000000000000000000
(7)     State = 0x0e90273009983e6603c734ef610afcab
Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e90273009983e6603c734ef610afcab
(7) Finished request
Waking up in 4.5 seconds.
Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e90273009983e6603c734ef610afcab
        EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
        Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
length=178
(8)     NAS-IP-Address = 192.168.0.2
(8)     NAS-Port = 50024
(8)     NAS-Port-Type = Ethernet
(8)     User-Name = 'newuser'
(8)     Called-Station-Id = '00-16-9D-D3-40-D8'
(8)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(8)     Service-Type = Framed-User
(8)     Framed-MTU = 1500
(8)     State = 0x0e90273009983e6603c734ef610afcab
(8)     EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
(8)     Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)   filter_username filter_username {
(8)     if (!&User-Name)
(8)     if (!&User-Name)  -> FALSE
(8)     if (&User-Name =~ / /)
(8)     if (&User-Name =~ / /)  -> FALSE
(8)     if (&User-Name =~ /@.*@/ )
(8)     if (&User-Name =~ /@.*@/ )  -> FALSE
(8)     if (&User-Name =~ /\\.\\./ )
(8)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(8)     if (&User-Name =~ /\\.$/)
(8)     if (&User-Name =~ /\\.$/)   -> FALSE
(8)     if (&User-Name =~ /@\\./)
(8)     if (&User-Name =~ /@\\./)   -> FALSE
(8)   } # filter_username filter_username = notfound
(8)   [preprocess] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)   [digest] = noop
(8)  suffix : Checking for suffix after "@"
(8)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8)  suffix : No such realm "NULL"
(8)   [suffix] = noop
(8)  eap : Peer sent code Response (2) ID 8 length 43
(8)  eap : Continuing tunnel setup
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8)  eap : Expiring EAP session with state 0x51469e48504e84c8
(8)  eap : Finished EAP session with state 0x0e90273009983e66
(8)  eap : Previous EAP request found for state 0x0e90273009983e66,
released from the list
(8)  eap : Peer sent method PEAP (25)
(8)  eap : EAP PEAP (25)
(8)  eap : Calling eap_peap to process EAP data
(8)  eap_peap : processing EAP-TLS
(8)  eap_peap : eaptls_verify returned 7
(8)  eap_peap : Done initial handshake
(8)  eap_peap : eaptls_process returned 7
(8)  eap_peap : FR_TLS_OK
(8)  eap_peap : Session established.  Decoding tunneled attributes
(8)  eap_peap : Peap state phase2
(8)  eap_peap : EAP type MSCHAPv2 (26)
(8)  eap_peap : Got tunneled request
        EAP-Message = 0x020800061a03
server default {
(8)  eap_peap : Setting User-Name to newuser
Sending tunneled request
        EAP-Message = 0x020800061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        State = 0x51469e48504e84c89c06397edfb2b9f6
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
server inner-tunnel {
(8)  server inner-tunnel {
(8)    Request:
        EAP-Message = 0x020800061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'newuser'
        State = 0x51469e48504e84c89c06397edfb2b9f6
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
(8)  # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8)    authorize {
(8)    [chap] = noop
(8)    [mschap] = noop
(8)   suffix : Checking for suffix after "@"
(8)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8)   suffix : No such realm "NULL"
(8)    [suffix] = noop
(8)    update control {
(8)     Proxy-To-Realm := 'LOCAL'
(8)    } # update control = noop
(8)   eap : Peer sent code Response (2) ID 8 length 6
(8)   eap : No EAP Start, assuming it's an on-going EAP conversation
(8)    [eap] = updated
(8)    [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(8)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8)   ldap :    --> (uid=newuser)
(8)   ldap : EXPAND dc=test,dc=ad,dc=com
(8)   ldap :    --> dc=test,dc=ad,dc=com
(8)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8)   ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8)   ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (3)
rlm_ldap (ldap): 0 of 3 connections in use.  Need more spares
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to 192.168.0.20:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8)    [ldap] = notfound
(8)    [expiration] = noop
(8)    [logintime] = noop
(8)    [pap] = noop
(8)   } #  authorize = updated
(8)  Found Auth-Type = EAP
(8)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)    authenticate {
(8)   eap : Expiring EAP session with state 0x51469e48504e84c8
(8)   eap : Finished EAP session with state 0x51469e48504e84c8
(8)   eap : Previous EAP request found for state 0x51469e48504e84c8,
released from the list
(8)   eap : Peer sent method MSCHAPv2 (26)
(8)   eap : EAP MSCHAPv2 (26)
(8)   eap : Calling eap_mschapv2 to process EAP data
(8)   eap : Freeing handler
(8)    [eap] = ok
(8)   } #  authenticate = ok
(8)  # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8)    post-auth {
(8)   ldap : EXPAND .
(8)   ldap :    --> .
(8)   ldap : EXPAND Authenticated at %S
(8)   ldap :    --> Authenticated at 2015-07-03 14:28:13
rlm_ldap (ldap): Reserved connection (5)
(8)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8)   ldap :    --> (uid=newuser)
(8)   ldap : EXPAND dc=test,dc=ad,dc=com
(8)   ldap :    --> dc=test,dc=ad,dc=com
(8)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8)   ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8)   ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (5)
(8)    [ldap] = notfound
(8)   } #  post-auth = notfound
(8)    Reply:
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
        MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'newuser'
(8)  } # server inner-tunnel
} # server inner-tunnel
(8)  eap_peap : Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
        MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'newuser'
(8)  eap_peap : Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4
        MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
        MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'newuser'
(8)  eap_peap : Tunneled authentication was successful
(8)  eap_peap : SUCCESS
(8)  eap_peap : Saving tunneled attributes for later
(8)  eap : New EAP session, adding 'State' attribute to reply
0x0e90273006993e66
(8)   [eap] = handled
(8)  } #  authenticate = handled
(8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
length=0
(8)     EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
(8)     Message-Authenticator = 0x00000000000000000000000000000000
(8)     State = 0x0e90273006993e6603c734ef610afcab
Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
        EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0e90273006993e6603c734ef610afcab
(8) Finished request
Waking up in 3.8 seconds.
Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50024
        NAS-Port-Type = Ethernet
        User-Name = 'newuser'
        Called-Station-Id = '00-16-9D-D3-40-D8'
        Calling-Station-Id = '68-B5-99-C8-B0-5E'
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0e90273006993e6603c734ef610afcab
        EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
        Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
length=178
(9)     NAS-IP-Address = 192.168.0.2
(9)     NAS-Port = 50024
(9)     NAS-Port-Type = Ethernet
(9)     User-Name = 'newuser'
(9)     Called-Station-Id = '00-16-9D-D3-40-D8'
(9)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
(9)     Service-Type = Framed-User
(9)     Framed-MTU = 1500
(9)     State = 0x0e90273006993e6603c734ef610afcab
(9)     EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
(9)     Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)   filter_username filter_username {
(9)     if (!&User-Name)
(9)     if (!&User-Name)  -> FALSE
(9)     if (&User-Name =~ / /)
(9)     if (&User-Name =~ / /)  -> FALSE
(9)     if (&User-Name =~ /@.*@/ )
(9)     if (&User-Name =~ /@.*@/ )  -> FALSE
(9)     if (&User-Name =~ /\\.\\./ )
(9)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(9)     if (&User-Name =~ /\\.$/)
(9)     if (&User-Name =~ /\\.$/)   -> FALSE
(9)     if (&User-Name =~ /@\\./)
(9)     if (&User-Name =~ /@\\./)   -> FALSE
(9)   } # filter_username filter_username = notfound
(9)   [preprocess] = ok
(9)   [chap] = noop
(9)   [mschap] = noop
(9)   [digest] = noop
(9)  suffix : Checking for suffix after "@"
(9)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
(9)  suffix : No such realm "NULL"
(9)   [suffix] = noop
(9)  eap : Peer sent code Response (2) ID 9 length 43
(9)  eap : Continuing tunnel setup
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9)  eap : Expiring EAP session with state 0x0e90273006993e66
(9)  eap : Finished EAP session with state 0x0e90273006993e66
(9)  eap : Previous EAP request found for state 0x0e90273006993e66,
released from the list
(9)  eap : Peer sent method PEAP (25)
(9)  eap : EAP PEAP (25)
(9)  eap : Calling eap_peap to process EAP data
(9)  eap_peap : processing EAP-TLS
(9)  eap_peap : eaptls_verify returned 7
(9)  eap_peap : Done initial handshake
(9)  eap_peap : eaptls_process returned 7
(9)  eap_peap : FR_TLS_OK
(9)  eap_peap : Session established.  Decoding tunneled attributes
(9)  eap_peap : Peap state send tlv success
(9)  eap_peap : Received EAP-TLV response
(9)  eap_peap : Success
(9)  eap_peap : Using saved attributes from the original Access-Accept
        User-Name = 'newuser'
(9)  eap_peap : Saving session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
0x7f6012aedf20 in the cache
(9)  eap : Freeing handler
(9)   [eap] = ok
(9)  } #  authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9)   post-auth {
(9)  ldap : EXPAND .
(9)  ldap :    --> .
(9)  ldap : EXPAND Authenticated at %S
(9)  ldap :    --> Authenticated at 2015-07-03 14:28:14
rlm_ldap (ldap): Reserved connection (2)
(9)  ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9)  ldap :    --> (uid=newuser)
(9)  ldap : EXPAND dc=test,dc=ad,dc=com
(9)  ldap :    --> dc=test,dc=ad,dc=com
(9)  ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9)  ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9)  ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (2)
(9)   [ldap] = notfound
(9)    if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
(9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
rlm_ldap (ldap): Reserved connection (1)
(9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9)    --> (uid=newuser)
(9) EXPAND dc=test,dc=ad,dc=com
(9)    --> dc=test,dc=ad,dc=com
(9) Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) Search returned no results
rlm_ldap (ldap): Deleting connection (1)
(9)    if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
FALSE
(9)   [exec] = noop
(9)   remove_reply_message_if_eap remove_reply_message_if_eap {
(9)     if (&reply:EAP-Message && &reply:Reply-Message)
(9)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)    else else {
(9)     [noop] = noop
(9)    } # else else = noop
(9)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9)  } #  post-auth = noop
(9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
length=0
(9)     User-Name = 'newuser'
(9)     MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
(9)     MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9)     EAP-MSK =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9)     EAP-EMSK =
0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
(9)     EAP-Session-Id =
0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
(9)     EAP-Message = 0x03090004
(9)     Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
        User-Name = 'newuser'
        MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
        MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request



In the ldap config file, the part related to users and groups looks like below:

user {
    base_dn = "dc=test,dc=ad,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
    base_dn = "dc=test,dc=ad,dc=com"
    filter = "(objectClass=posixGroup)"
    name_attribute = cn
    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    membership_attribute = "memberOf"
}


Why can't freeradius match group "computers" to user "newuser"?

I would be very glad of any help.
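Every rlm_ldap lookup in the debug output above searches with the filter (uid=newuser) and returns no results, and the LDAP-Group comparison in post-auth can only be evaluated once the user object has been found. The following rewrite of the user and group sections is an added example, not the poster's configuration; it assumes a stock Active Directory schema (no POSIX/RFC2307 extension), where the logon name lives in sAMAccountName, user objects carry no uid attribute, and groups are objectClass=group with members listed by DN.

```conf
# Added example, not the poster's config: rlm_ldap user/group sections
# adjusted for a stock Active Directory schema (no POSIX/RFC2307 extension).
# Assumption: accounts are matched on sAMAccountName, and groups are plain
# AD groups (objectClass=group) whose membership is held in "member" and
# mirrored on the user object as "memberOf".
user {
    base_dn = "dc=test,dc=ad,dc=com"
    # The posted filter used "uid", which stock AD user objects do not carry,
    # so every search in the debug log returned no results and the group
    # check could never be evaluated. sAMAccountName is the AD logon name.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
    base_dn = "dc=test,dc=ad,dc=com"
    # AD groups are objectClass=group; "posixGroup" only exists with an
    # RFC2307 schema extension, so the posted filter matched no groups.
    filter = "(objectClass=group)"
    name_attribute = cn
    # AD groups list members by DN in "member"; the "memberUid" branch of the
    # posted filter is a POSIX attribute and is dropped here.
    membership_filter = "(member=%{control:Ldap-UserDn})"
    # Cheaper than a group search: read the group DNs from the user's memberOf.
    membership_attribute = "memberOf"
}
```

Verify in debug output that the search with filter '(sAMAccountName=newuser)' now returns the user's DN; only then can the LDAP-Group comparison in post-auth be checked against the user's memberOf values.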

