freeradius doesn't see user in group (Active Directory) but user belongs to this group

Brendan Kearney bpk678 at gmail.com
Sat Jul 4 17:44:01 CEST 2015


On 07/04/2015 03:17 AM, stefan nowak wrote:
> Hi All,
>
> For a few days I've been stuck with the FreeRADIUS configuration. Everything
> works well except one thing: I can't get the information from Active Directory
> into FreeRADIUS about which group the user belongs to (I need this to set the
> VLAN depending on the group). My FreeRADIUS version is 3.0.4.
>
> As you can see below, user "newuser" is a member of group "computers";
> here's the output from ldapsearch:
>
> dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: newuser
> givenName: newuser
> distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> instanceType: 4
> whenCreated: 20150702132126.0Z
> whenChanged: 20150703105127.0Z
> displayName: newuser
> uSNCreated: 82039
> memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
> uSNChanged: 90187
> name: newuser
> objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130803168865078125
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: newuser
> sAMAccountType: 805306368
> userPrincipalName: newuser@test.ad.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 130803172388710937
>
>
> From the log output I see that user "newuser" gets an Access-Accept, but
> FreeRADIUS didn't find him in group "computers". Here is the output:
>
> Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 129
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          EAP-Message = 0x0200000c016e657775736572
>          Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
> length=129
> (0)     NAS-IP-Address = 192.168.0.2
> (0)     NAS-Port = 50024
> (0)     NAS-Port-Type = Ethernet
> (0)     User-Name = 'newuser'
> (0)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (0)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (0)     Service-Type = Framed-User
> (0)     Framed-MTU = 1500
> (0)     EAP-Message = 0x0200000c016e657775736572
> (0)     Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)   filter_username filter_username {
> (0)     if (!&User-Name)
> (0)     if (!&User-Name)  -> FALSE
> (0)     if (&User-Name =~ / /)
> (0)     if (&User-Name =~ / /)  -> FALSE
> (0)     if (&User-Name =~ /@.*@/ )
> (0)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (0)     if (&User-Name =~ /\\.\\./ )
> (0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (0)     if (&User-Name =~ /\\.$/)
> (0)     if (&User-Name =~ /\\.$/)   -> FALSE
> (0)     if (&User-Name =~ /@\\./)
> (0)     if (&User-Name =~ /@\\./)   -> FALSE
> (0)   } # filter_username filter_username = notfound
> (0)   [preprocess] = ok
> (0)   [chap] = noop
> (0)   [mschap] = noop
> (0)   [digest] = noop
> (0)  suffix : Checking for suffix after "@"
> (0)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (0)  suffix : No such realm "NULL"
> (0)   [suffix] = noop
> (0)  eap : Peer sent code Response (2) ID 0 length 12
> (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0)   [eap] = ok
> (0)  } #  authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0)  eap : Peer sent method Identity (1)
> (0)  eap : Calling eap_peap to process EAP data
> (0)  eap_peap : Flushing SSL sessions (of #0)
> (0)  eap_peap : Initiate
> (0)  eap_peap : Start returned 1
> (0)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300e913e66
> (0)   [eap] = handled
> (0)  } #  authenticate = handled
> (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
> length=0
> (0)     EAP-Message = 0x010100061920
> (0)     Message-Authenticator = 0x00000000000000000000000000000000
> (0)     State = 0x0e9027300e913e6603c734ef610afcab
> Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message = 0x010100061920
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300e913e6603c734ef610afcab
> (0) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 276
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300e913e6603c734ef610afcab
>          EAP-Message =
> 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
>          Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
> length=276
> (1)     NAS-IP-Address = 192.168.0.2
> (1)     NAS-Port = 50024
> (1)     NAS-Port-Type = Ethernet
> (1)     User-Name = 'newuser'
> (1)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (1)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (1)     Service-Type = Framed-User
> (1)     Framed-MTU = 1500
> (1)     State = 0x0e9027300e913e6603c734ef610afcab
> (1)     EAP-Message =
> 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
> (1)     Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1)   authorize {
> (1)   filter_username filter_username {
> (1)     if (!&User-Name)
> (1)     if (!&User-Name)  -> FALSE
> (1)     if (&User-Name =~ / /)
> (1)     if (&User-Name =~ / /)  -> FALSE
> (1)     if (&User-Name =~ /@.*@/ )
> (1)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (1)     if (&User-Name =~ /\\.\\./ )
> (1)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (1)     if (&User-Name =~ /\\.$/)
> (1)     if (&User-Name =~ /\\.$/)   -> FALSE
> (1)     if (&User-Name =~ /@\\./)
> (1)     if (&User-Name =~ /@\\./)   -> FALSE
> (1)   } # filter_username filter_username = notfound
> (1)   [preprocess] = ok
> (1)   [chap] = noop
> (1)   [mschap] = noop
> (1)   [digest] = noop
> (1)  suffix : Checking for suffix after "@"
> (1)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (1)  suffix : No such realm "NULL"
> (1)   [suffix] = noop
> (1)  eap : Peer sent code Response (2) ID 1 length 141
> (1)  eap : Continuing tunnel setup
> (1)   [eap] = ok
> (1)  } #  authorize = ok
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1)   authenticate {
> (1)  eap : Expiring EAP session with state 0x0e9027300e913e66
> (1)  eap : Finished EAP session with state 0x0e9027300e913e66
> (1)  eap : Previous EAP request found for state 0x0e9027300e913e66,
> released from the list
> (1)  eap : Peer sent method PEAP (25)
> (1)  eap : EAP PEAP (25)
> (1)  eap : Calling eap_peap to process EAP data
> (1)  eap_peap : processing EAP-TLS
>    TLS Length 131
> (1)  eap_peap : Length Included
> (1)  eap_peap : eaptls_verify returned 11
> (1)  eap_peap : (other): before/accept initialization
> (1)  eap_peap : TLS_accept: before/accept initialization
> (1)  eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
>    SSL: Client requested cached session
> fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
> (1)  eap_peap : TLS_accept: SSLv3 read client hello A
> (1)  eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
> (1)  eap_peap : TLS_accept: SSLv3 write server hello A
> (1)  eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
> (1)  eap_peap : TLS_accept: SSLv3 write certificate A
> (1)  eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1)  eap_peap : TLS_accept: SSLv3 write server done A
> (1)  eap_peap : TLS_accept: SSLv3 flush data
> (1)  eap_peap : TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (1)  eap_peap : eaptls_process returned 13
> (1)  eap_peap : FR_TLS_HANDLED
> (1)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300f923e66
> (1)   [eap] = handled
> (1)  } #  authenticate = handled
> (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
> length=0
> (1)     EAP-Message =
> 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c
> (1)     Message-Authenticator = 0x00000000000000000000000000000000
> (1)     State = 0x0e9027300f923e6603c734ef610afcab
> Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> [long hex payload elided]
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300f923e6603c734ef610afcab
> (1) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 141
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300f923e6603c734ef610afcab
>          EAP-Message = 0x020200061900
>          Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
> length=141
> (2)     NAS-IP-Address = 192.168.0.2
> (2)     NAS-Port = 50024
> (2)     NAS-Port-Type = Ethernet
> (2)     User-Name = 'newuser'
> (2)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (2)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (2)     Service-Type = Framed-User
> (2)     Framed-MTU = 1500
> (2)     State = 0x0e9027300f923e6603c734ef610afcab
> (2)     EAP-Message = 0x020200061900
> (2)     Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2)   authorize {
> (2)   filter_username filter_username {
> (2)     if (!&User-Name)
> (2)     if (!&User-Name)  -> FALSE
> (2)     if (&User-Name =~ / /)
> (2)     if (&User-Name =~ / /)  -> FALSE
> (2)     if (&User-Name =~ /@.*@/ )
> (2)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (2)     if (&User-Name =~ /\\.\\./ )
> (2)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (2)     if (&User-Name =~ /\\.$/)
> (2)     if (&User-Name =~ /\\.$/)   -> FALSE
> (2)     if (&User-Name =~ /@\\./)
> (2)     if (&User-Name =~ /@\\./)   -> FALSE
> (2)   } # filter_username filter_username = notfound
> (2)   [preprocess] = ok
> (2)   [chap] = noop
> (2)   [mschap] = noop
> (2)   [digest] = noop
> (2)  suffix : Checking for suffix after "@"
> (2)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (2)  suffix : No such realm "NULL"
> (2)   [suffix] = noop
> (2)  eap : Peer sent code Response (2) ID 2 length 6
> (2)  eap : Continuing tunnel setup
> (2)   [eap] = ok
> (2)  } #  authorize = ok
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2)   authenticate {
> (2)  eap : Expiring EAP session with state 0x0e9027300f923e66
> (2)  eap : Finished EAP session with state 0x0e9027300f923e66
> (2)  eap : Previous EAP request found for state 0x0e9027300f923e66,
> released from the list
> (2)  eap : Peer sent method PEAP (25)
> (2)  eap : EAP PEAP (25)
> (2)  eap : Calling eap_peap to process EAP data
> (2)  eap_peap : processing EAP-TLS
> (2)  eap_peap : Received TLS ACK
> (2)  eap_peap : Received TLS ACK
> (2)  eap_peap : ACK handshake fragment handler
> (2)  eap_peap : eaptls_verify returned 1
> (2)  eap_peap : eaptls_process returned 13
> (2)  eap_peap : FR_TLS_HANDLED
> (2)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300c933e66
> (2)   [eap] = handled
> (2)  } #  authenticate = handled
> (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
> length=0
> (2)     EAP-Message =
> [long hex payload elided]
> (2)     Message-Authenticator = 0x00000000000000000000000000000000
> (2)     State = 0x0e9027300c933e6603c734ef610afcab
> Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> [long hex payload elided]
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300c933e6603c734ef610afcab
> (2) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 141
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300c933e6603c734ef610afcab
>          EAP-Message = 0x020300061900
>          Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
> length=141
> (3)     NAS-IP-Address = 192.168.0.2
> (3)     NAS-Port = 50024
> (3)     NAS-Port-Type = Ethernet
> (3)     User-Name = 'newuser'
> (3)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (3)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (3)     Service-Type = Framed-User
> (3)     Framed-MTU = 1500
> (3)     State = 0x0e9027300c933e6603c734ef610afcab
> (3)     EAP-Message = 0x020300061900
> (3)     Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (3)   authorize {
> (3)   filter_username filter_username {
> (3)     if (!&User-Name)
> (3)     if (!&User-Name)  -> FALSE
> (3)     if (&User-Name =~ / /)
> (3)     if (&User-Name =~ / /)  -> FALSE
> (3)     if (&User-Name =~ /@.*@/ )
> (3)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (3)     if (&User-Name =~ /\\.\\./ )
> (3)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (3)     if (&User-Name =~ /\\.$/)
> (3)     if (&User-Name =~ /\\.$/)   -> FALSE
> (3)     if (&User-Name =~ /@\\./)
> (3)     if (&User-Name =~ /@\\./)   -> FALSE
> (3)   } # filter_username filter_username = notfound
> (3)   [preprocess] = ok
> (3)   [chap] = noop
> (3)   [mschap] = noop
> (3)   [digest] = noop
> (3)  suffix : Checking for suffix after "@"
> (3)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (3)  suffix : No such realm "NULL"
> (3)   [suffix] = noop
> (3)  eap : Peer sent code Response (2) ID 3 length 6
> (3)  eap : Continuing tunnel setup
> (3)   [eap] = ok
> (3)  } #  authorize = ok
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3)   authenticate {
> (3)  eap : Expiring EAP session with state 0x0e9027300c933e66
> (3)  eap : Finished EAP session with state 0x0e9027300c933e66
> (3)  eap : Previous EAP request found for state 0x0e9027300c933e66,
> released from the list
> (3)  eap : Peer sent method PEAP (25)
> (3)  eap : EAP PEAP (25)
> (3)  eap : Calling eap_peap to process EAP data
> (3)  eap_peap : processing EAP-TLS
> (3)  eap_peap : Received TLS ACK
> (3)  eap_peap : Received TLS ACK
> (3)  eap_peap : ACK handshake fragment handler
> (3)  eap_peap : eaptls_verify returned 1
> (3)  eap_peap : eaptls_process returned 13
> (3)  eap_peap : FR_TLS_HANDLED
> (3)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300d943e66
> (3)   [eap] = handled
> (3)  } #  authenticate = handled
> (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
> length=0
> (3)     EAP-Message =
> [long hex payload elided]
> (3)     Message-Authenticator = 0x00000000000000000000000000000000
> (3)     State = 0x0e9027300d943e6603c734ef610afcab
> Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> [long hex payload elided]
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300d943e6603c734ef610afcab
> (3) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 473
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300d943e6603c734ef610afcab
>          EAP-Message =
> [long hex payload elided]
>          Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
> length=473
> (4)     NAS-IP-Address = 192.168.0.2
> (4)     NAS-Port = 50024
> (4)     NAS-Port-Type = Ethernet
> (4)     User-Name = 'newuser'
> (4)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (4)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (4)     Service-Type = Framed-User
> (4)     Framed-MTU = 1500
> (4)     State = 0x0e9027300d943e6603c734ef610afcab
> (4)     EAP-Message =
> 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd
> (4)     Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (4)   authorize {
> (4)   filter_username filter_username {
> (4)     if (!&User-Name)
> (4)     if (!&User-Name)  -> FALSE
> (4)     if (&User-Name =~ / /)
> (4)     if (&User-Name =~ / /)  -> FALSE
> (4)     if (&User-Name =~ /@.*@/ )
> (4)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (4)     if (&User-Name =~ /\\.\\./ )
> (4)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (4)     if (&User-Name =~ /\\.$/)
> (4)     if (&User-Name =~ /\\.$/)   -> FALSE
> (4)     if (&User-Name =~ /@\\./)
> (4)     if (&User-Name =~ /@\\./)   -> FALSE
> (4)   } # filter_username filter_username = notfound
> (4)   [preprocess] = ok
> (4)   [chap] = noop
> (4)   [mschap] = noop
> (4)   [digest] = noop
> (4)  suffix : Checking for suffix after "@"
> (4)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (4)  suffix : No such realm "NULL"
> (4)   [suffix] = noop
> (4)  eap : Peer sent code Response (2) ID 4 length 336
> (4)  eap : Continuing tunnel setup
> (4)   [eap] = ok
> (4)  } #  authorize = ok
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4)   authenticate {
> (4)  eap : Expiring EAP session with state 0x0e9027300d943e66
> (4)  eap : Finished EAP session with state 0x0e9027300d943e66
> (4)  eap : Previous EAP request found for state 0x0e9027300d943e66,
> released from the list
> (4)  eap : Peer sent method PEAP (25)
> (4)  eap : EAP PEAP (25)
> (4)  eap : Calling eap_peap to process EAP data
> (4)  eap_peap : processing EAP-TLS
>    TLS Length 326
> (4)  eap_peap : Length Included
> (4)  eap_peap : eaptls_verify returned 11
> (4)  eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
> (4)  eap_peap : TLS_accept: SSLv3 read client key exchange A
> (4)  eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (4)  eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
> (4)  eap_peap : TLS_accept: SSLv3 read finished A
> (4)  eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> (4)  eap_peap : TLS_accept: SSLv3 write change cipher spec A
> (4)  eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
> (4)  eap_peap : TLS_accept: SSLv3 write finished A
> (4)  eap_peap : TLS_accept: SSLv3 flush data
>    SSL: adding session
> 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
> (4)  eap_peap : (other): SSL negotiation finished successfully
> SSL Connection Established
> (4)  eap_peap : eaptls_process returned 13
> (4)  eap_peap : FR_TLS_HANDLED
> (4)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300a953e66
> (4)   [eap] = handled
> (4)  } #  authenticate = handled
> (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
> length=0
> (4)     EAP-Message =
> 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
> (4)     Message-Authenticator = 0x00000000000000000000000000000000
> (4)     State = 0x0e9027300a953e6603c734ef610afcab
> Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300a953e6603c734ef610afcab
> (4) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 141
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300a953e6603c734ef610afcab
>          EAP-Message = 0x020500061900
>          Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
> length=141
> (5)     NAS-IP-Address = 192.168.0.2
> (5)     NAS-Port = 50024
> (5)     NAS-Port-Type = Ethernet
> (5)     User-Name = 'newuser'
> (5)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (5)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (5)     Service-Type = Framed-User
> (5)     Framed-MTU = 1500
> (5)     State = 0x0e9027300a953e6603c734ef610afcab
> (5)     EAP-Message = 0x020500061900
> (5)     Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (5)   authorize {
> (5)   filter_username filter_username {
> (5)     if (!&User-Name)
> (5)     if (!&User-Name)  -> FALSE
> (5)     if (&User-Name =~ / /)
> (5)     if (&User-Name =~ / /)  -> FALSE
> (5)     if (&User-Name =~ /@.*@/ )
> (5)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (5)     if (&User-Name =~ /\\.\\./ )
> (5)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (5)     if (&User-Name =~ /\\.$/)
> (5)     if (&User-Name =~ /\\.$/)   -> FALSE
> (5)     if (&User-Name =~ /@\\./)
> (5)     if (&User-Name =~ /@\\./)   -> FALSE
> (5)   } # filter_username filter_username = notfound
> (5)   [preprocess] = ok
> (5)   [chap] = noop
> (5)   [mschap] = noop
> (5)   [digest] = noop
> (5)  suffix : Checking for suffix after "@"
> (5)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (5)  suffix : No such realm "NULL"
> (5)   [suffix] = noop
> (5)  eap : Peer sent code Response (2) ID 5 length 6
> (5)  eap : Continuing tunnel setup
> (5)   [eap] = ok
> (5)  } #  authorize = ok
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5)   authenticate {
> (5)  eap : Expiring EAP session with state 0x0e9027300a953e66
> (5)  eap : Finished EAP session with state 0x0e9027300a953e66
> (5)  eap : Previous EAP request found for state 0x0e9027300a953e66,
> released from the list
> (5)  eap : Peer sent method PEAP (25)
> (5)  eap : EAP PEAP (25)
> (5)  eap : Calling eap_peap to process EAP data
> (5)  eap_peap : processing EAP-TLS
> (5)  eap_peap : Received TLS ACK
> (5)  eap_peap : Received TLS ACK
> (5)  eap_peap : ACK handshake is finished
> (5)  eap_peap : eaptls_verify returned 3
> (5)  eap_peap : eaptls_process returned 3
> (5)  eap_peap : FR_TLS_SUCCESS
> (5)  eap_peap : Session established.  Decoding tunneled attributes
> (5)  eap_peap : Peap state TUNNEL ESTABLISHED
> (5)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e9027300b963e66
> (5)   [eap] = handled
> (5)  } #  authenticate = handled
> (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
> length=0
> (5)     EAP-Message =
> 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
> (5)     Message-Authenticator = 0x00000000000000000000000000000000
> (5)     State = 0x0e9027300b963e6603c734ef610afcab
> Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e9027300b963e6603c734ef610afcab
> (5) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 178
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e9027300b963e6603c734ef610afcab
>          EAP-Message =
> 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
>          Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
> length=178
> (6)     NAS-IP-Address = 192.168.0.2
> (6)     NAS-Port = 50024
> (6)     NAS-Port-Type = Ethernet
> (6)     User-Name = 'newuser'
> (6)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (6)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (6)     Service-Type = Framed-User
> (6)     Framed-MTU = 1500
> (6)     State = 0x0e9027300b963e6603c734ef610afcab
> (6)     EAP-Message =
> 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
> (6)     Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (6)   authorize {
> (6)   filter_username filter_username {
> (6)     if (!&User-Name)
> (6)     if (!&User-Name)  -> FALSE
> (6)     if (&User-Name =~ / /)
> (6)     if (&User-Name =~ / /)  -> FALSE
> (6)     if (&User-Name =~ /@.*@/ )
> (6)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (6)     if (&User-Name =~ /\\.\\./ )
> (6)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (6)     if (&User-Name =~ /\\.$/)
> (6)     if (&User-Name =~ /\\.$/)   -> FALSE
> (6)     if (&User-Name =~ /@\\./)
> (6)     if (&User-Name =~ /@\\./)   -> FALSE
> (6)   } # filter_username filter_username = notfound
> (6)   [preprocess] = ok
> (6)   [chap] = noop
> (6)   [mschap] = noop
> (6)   [digest] = noop
> (6)  suffix : Checking for suffix after "@"
> (6)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (6)  suffix : No such realm "NULL"
> (6)   [suffix] = noop
> (6)  eap : Peer sent code Response (2) ID 6 length 43
> (6)  eap : Continuing tunnel setup
> (6)   [eap] = ok
> (6)  } #  authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6)   authenticate {
> (6)  eap : Expiring EAP session with state 0x0e9027300b963e66
> (6)  eap : Finished EAP session with state 0x0e9027300b963e66
> (6)  eap : Previous EAP request found for state 0x0e9027300b963e66,
> released from the list
> (6)  eap : Peer sent method PEAP (25)
> (6)  eap : EAP PEAP (25)
> (6)  eap : Calling eap_peap to process EAP data
> (6)  eap_peap : processing EAP-TLS
> (6)  eap_peap : eaptls_verify returned 7
> (6)  eap_peap : Done initial handshake
> (6)  eap_peap : eaptls_process returned 7
> (6)  eap_peap : FR_TLS_OK
> (6)  eap_peap : Session established.  Decoding tunneled attributes
> (6)  eap_peap : Peap state WAITING FOR INNER IDENTITY
> (6)  eap_peap : Identity - newuser
> (6)  eap_peap : Got inner identity 'newuser'
> (6)  eap_peap : Setting default EAP type for tunneled EAP session
> (6)  eap_peap : Got tunneled request
>          EAP-Message = 0x0206000c016e657775736572
> server default {
> (6)  eap_peap : Setting User-Name to newuser
> Sending tunneled request
>          EAP-Message = 0x0206000c016e657775736572
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> server inner-tunnel {
> (6)  server inner-tunnel {
> (6)    Request:
>          EAP-Message = 0x0206000c016e657775736572
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> (6)  # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (6)    authorize {
> (6)    [chap] = noop
> (6)    [mschap] = noop
> (6)   suffix : Checking for suffix after "@"
> (6)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (6)   suffix : No such realm "NULL"
> (6)    [suffix] = noop
> (6)    update control {
> (6)     Proxy-To-Realm := 'LOCAL'
> (6)    } # update control = noop
> (6)   eap : Peer sent code Response (2) ID 6 length 12
> (6)   eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (6)    [eap] = ok
> (6)   } #  authorize = ok
> (6)  Found Auth-Type = EAP
> (6)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6)    authenticate {
> (6)   eap : Peer sent method Identity (1)
> (6)   eap : Calling eap_mschapv2 to process EAP data
> (6)   eap_mschapv2 : Issuing Challenge
> (6)   eap : New EAP session, adding 'State' attribute to reply
> 0x51469e48514184c8
> (6)    [eap] = handled
> (6)   } #  authenticate = handled
> (6)    Reply:
>          EAP-Message =
> 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48514184c89c06397edfb2b9f6
> (6)  } # server inner-tunnel
> } # server inner-tunnel
> (6)  eap_peap : Got tunneled reply code 11
>          EAP-Message =
> 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48514184c89c06397edfb2b9f6
> (6)  eap_peap : Got tunneled reply RADIUS code 11
>          EAP-Message =
> 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48514184c89c06397edfb2b9f6
> (6)  eap_peap : Got tunneled Access-Challenge
> (6)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e90273008973e66
> (6)   [eap] = handled
> (6)  } #  authenticate = handled
> (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
> length=0
> (6)     EAP-Message =
> 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
> (6)     Message-Authenticator = 0x00000000000000000000000000000000
> (6)     State = 0x0e90273008973e6603c734ef610afcab
> Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e90273008973e6603c734ef610afcab
> (6) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 242
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e90273008973e6603c734ef610afcab
>          EAP-Message =
> 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
>          Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
> length=242
> (7)     NAS-IP-Address = 192.168.0.2
> (7)     NAS-Port = 50024
> (7)     NAS-Port-Type = Ethernet
> (7)     User-Name = 'newuser'
> (7)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (7)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (7)     Service-Type = Framed-User
> (7)     Framed-MTU = 1500
> (7)     State = 0x0e90273008973e6603c734ef610afcab
> (7)     EAP-Message =
> 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
> (7)     Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (7)   authorize {
> (7)   filter_username filter_username {
> (7)     if (!&User-Name)
> (7)     if (!&User-Name)  -> FALSE
> (7)     if (&User-Name =~ / /)
> (7)     if (&User-Name =~ / /)  -> FALSE
> (7)     if (&User-Name =~ /@.*@/ )
> (7)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (7)     if (&User-Name =~ /\\.\\./ )
> (7)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (7)     if (&User-Name =~ /\\.$/)
> (7)     if (&User-Name =~ /\\.$/)   -> FALSE
> (7)     if (&User-Name =~ /@\\./)
> (7)     if (&User-Name =~ /@\\./)   -> FALSE
> (7)   } # filter_username filter_username = notfound
> (7)   [preprocess] = ok
> (7)   [chap] = noop
> (7)   [mschap] = noop
> (7)   [digest] = noop
> (7)  suffix : Checking for suffix after "@"
> (7)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (7)  suffix : No such realm "NULL"
> (7)   [suffix] = noop
> (7)  eap : Peer sent code Response (2) ID 7 length 107
> (7)  eap : Continuing tunnel setup
> (7)   [eap] = ok
> (7)  } #  authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7)   authenticate {
> (7)  eap : Expiring EAP session with state 0x51469e48514184c8
> (7)  eap : Finished EAP session with state 0x0e90273008973e66
> (7)  eap : Previous EAP request found for state 0x0e90273008973e66,
> released from the list
> (7)  eap : Peer sent method PEAP (25)
> (7)  eap : EAP PEAP (25)
> (7)  eap : Calling eap_peap to process EAP data
> (7)  eap_peap : processing EAP-TLS
> (7)  eap_peap : eaptls_verify returned 7
> (7)  eap_peap : Done initial handshake
> (7)  eap_peap : eaptls_process returned 7
> (7)  eap_peap : FR_TLS_OK
> (7)  eap_peap : Session established.  Decoding tunneled attributes
> (7)  eap_peap : Peap state phase2
> (7)  eap_peap : EAP type MSCHAPv2 (26)
> (7)  eap_peap : Got tunneled request
>          EAP-Message =
> 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> server default {
> (7)  eap_peap : Setting User-Name to newuser
> Sending tunneled request
>          EAP-Message =
> 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          State = 0x51469e48514184c89c06397edfb2b9f6
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> server inner-tunnel {
> (7)  server inner-tunnel {
> (7)    Request:
>          EAP-Message =
> 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          State = 0x51469e48514184c89c06397edfb2b9f6
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> (7)  # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (7)    authorize {
> (7)    [chap] = noop
> (7)    [mschap] = noop
> (7)   suffix : Checking for suffix after "@"
> (7)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (7)   suffix : No such realm "NULL"
> (7)    [suffix] = noop
> (7)    update control {
> (7)     Proxy-To-Realm := 'LOCAL'
> (7)    } # update control = noop
> (7)   eap : Peer sent code Response (2) ID 7 length 66
> (7)   eap : No EAP Start, assuming it's an on-going EAP conversation
> (7)    [eap] = updated
> (7)    [files] = noop
> rlm_ldap (ldap): Reserved connection (4)
> (7)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (7)   ldap :    --> (uid=newuser)
> (7)   ldap : EXPAND dc=test,dc=ad,dc=com
> (7)   ldap :    --> dc=test,dc=ad,dc=com
> (7)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> '(uid=newuser)', scope 'sub'
> (7)   ldap : Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (7)   ldap : Search returned no results
> rlm_ldap (ldap): Deleting connection (4)
> (7)    [ldap] = notfound
> (7)    [expiration] = noop
> (7)    [logintime] = noop
> (7)    [pap] = noop
> (7)   } #  authorize = updated
> (7)  Found Auth-Type = EAP
> (7)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7)    authenticate {
> (7)   eap : Expiring EAP session with state 0x51469e48514184c8
> (7)   eap : Finished EAP session with state 0x51469e48514184c8
> (7)   eap : Previous EAP request found for state 0x51469e48514184c8,
> released from the list
> (7)   eap : Peer sent method MSCHAPv2 (26)
> (7)   eap : EAP MSCHAPv2 (26)
> (7)   eap : Calling eap_mschapv2 to process EAP data
> (7)   eap_mschapv2 : # Executing group from file
> /etc/raddb/sites-enabled/inner-tunnel
> (7)   eap_mschapv2 :  Auth-Type MS-CHAP {
> (7)    mschap : Creating challenge hash with username: newuser
> (7)    mschap : Client is using MS-CHAPv2
> Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (7)    mschap : EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (7)    mschap :    --> --username=newuser
> (7)    mschap : Creating challenge hash with username: newuser
> (7)    mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7)    mschap :    --> --challenge=141c75ef267aec37
> (7)    mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7)    mschap :    -->
> --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
> Program returned code (0) and output 'NT_KEY:
> 917FDA71960ECCF4DF81D38405F86F42'
> (7)    mschap : Adding MS-CHAPv2 MPPE keys
> (7)     [mschap] = ok
> (7)    } # Auth-Type MS-CHAP = ok
> MSCHAP Success
> (7)   eap : New EAP session, adding 'State' attribute to reply
> 0x51469e48504e84c8
> (7)    [eap] = handled
> (7)   } #  authenticate = handled
> (7)    Reply:
>          EAP-Message =
> 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48504e84c89c06397edfb2b9f6
> (7)  } # server inner-tunnel
> } # server inner-tunnel
> (7)  eap_peap : Got tunneled reply code 11
>          EAP-Message =
> 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48504e84c89c06397edfb2b9f6
> (7)  eap_peap : Got tunneled reply RADIUS code 11
>          EAP-Message =
> 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x51469e48504e84c89c06397edfb2b9f6
> (7)  eap_peap : Got tunneled Access-Challenge
> (7)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e90273009983e66
> (7)   [eap] = handled
> (7)  } #  authenticate = handled
> (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
> length=0
> (7)     EAP-Message =
> 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
> (7)     Message-Authenticator = 0x00000000000000000000000000000000
> (7)     State = 0x0e90273009983e6603c734ef610afcab
> Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e90273009983e6603c734ef610afcab
> (7) Finished request
> Waking up in 4.5 seconds.
> Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 178
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e90273009983e6603c734ef610afcab
>          EAP-Message =
> 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
>          Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
> length=178
> (8)     NAS-IP-Address = 192.168.0.2
> (8)     NAS-Port = 50024
> (8)     NAS-Port-Type = Ethernet
> (8)     User-Name = 'newuser'
> (8)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (8)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (8)     Service-Type = Framed-User
> (8)     Framed-MTU = 1500
> (8)     State = 0x0e90273009983e6603c734ef610afcab
> (8)     EAP-Message =
> 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
> (8)     Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (8)   authorize {
> (8)   filter_username filter_username {
> (8)     if (!&User-Name)
> (8)     if (!&User-Name)  -> FALSE
> (8)     if (&User-Name =~ / /)
> (8)     if (&User-Name =~ / /)  -> FALSE
> (8)     if (&User-Name =~ /@.*@/ )
> (8)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (8)     if (&User-Name =~ /\\.\\./ )
> (8)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (8)     if (&User-Name =~ /\\.$/)
> (8)     if (&User-Name =~ /\\.$/)   -> FALSE
> (8)     if (&User-Name =~ /@\\./)
> (8)     if (&User-Name =~ /@\\./)   -> FALSE
> (8)   } # filter_username filter_username = notfound
> (8)   [preprocess] = ok
> (8)   [chap] = noop
> (8)   [mschap] = noop
> (8)   [digest] = noop
> (8)  suffix : Checking for suffix after "@"
> (8)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (8)  suffix : No such realm "NULL"
> (8)   [suffix] = noop
> (8)  eap : Peer sent code Response (2) ID 8 length 43
> (8)  eap : Continuing tunnel setup
> (8)   [eap] = ok
> (8)  } #  authorize = ok
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8)   authenticate {
> (8)  eap : Expiring EAP session with state 0x51469e48504e84c8
> (8)  eap : Finished EAP session with state 0x0e90273009983e66
> (8)  eap : Previous EAP request found for state 0x0e90273009983e66,
> released from the list
> (8)  eap : Peer sent method PEAP (25)
> (8)  eap : EAP PEAP (25)
> (8)  eap : Calling eap_peap to process EAP data
> (8)  eap_peap : processing EAP-TLS
> (8)  eap_peap : eaptls_verify returned 7
> (8)  eap_peap : Done initial handshake
> (8)  eap_peap : eaptls_process returned 7
> (8)  eap_peap : FR_TLS_OK
> (8)  eap_peap : Session established.  Decoding tunneled attributes
> (8)  eap_peap : Peap state phase2
> (8)  eap_peap : EAP type MSCHAPv2 (26)
> (8)  eap_peap : Got tunneled request
>          EAP-Message = 0x020800061a03
> server default {
> (8)  eap_peap : Setting User-Name to newuser
> Sending tunneled request
>          EAP-Message = 0x020800061a03
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          State = 0x51469e48504e84c89c06397edfb2b9f6
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> server inner-tunnel {
> (8)  server inner-tunnel {
> (8)    Request:
>          EAP-Message = 0x020800061a03
>          FreeRADIUS-Proxied-To = 127.0.0.1
>          User-Name = 'newuser'
>          State = 0x51469e48504e84c89c06397edfb2b9f6
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          Event-Timestamp = 'Jul  3 2015 14:28:13 CEST'
> (8)  # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (8)    authorize {
> (8)    [chap] = noop
> (8)    [mschap] = noop
> (8)   suffix : Checking for suffix after "@"
> (8)   suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (8)   suffix : No such realm "NULL"
> (8)    [suffix] = noop
> (8)    update control {
> (8)     Proxy-To-Realm := 'LOCAL'
> (8)    } # update control = noop
> (8)   eap : Peer sent code Response (2) ID 8 length 6
> (8)   eap : No EAP Start, assuming it's an on-going EAP conversation
> (8)    [eap] = updated
> (8)    [files] = noop
> rlm_ldap (ldap): Reserved connection (3)
> (8)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8)   ldap :    --> (uid=newuser)
> (8)   ldap : EXPAND dc=test,dc=ad,dc=com
> (8)   ldap :    --> dc=test,dc=ad,dc=com
> (8)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> '(uid=newuser)', scope 'sub'
> (8)   ldap : Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (8)   ldap : Search returned no results
> rlm_ldap (ldap): Deleting connection (3)
> rlm_ldap (ldap): 0 of 3 connections in use.  Need more spares
> rlm_ldap (ldap): Opening additional connection (5)
> rlm_ldap (ldap): Connecting to 192.168.0.20:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (8)    [ldap] = notfound
> (8)    [expiration] = noop
> (8)    [logintime] = noop
> (8)    [pap] = noop
> (8)   } #  authorize = updated
> (8)  Found Auth-Type = EAP
> (8)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (8)    authenticate {
> (8)   eap : Expiring EAP session with state 0x51469e48504e84c8
> (8)   eap : Finished EAP session with state 0x51469e48504e84c8
> (8)   eap : Previous EAP request found for state 0x51469e48504e84c8,
> released from the list
> (8)   eap : Peer sent method MSCHAPv2 (26)
> (8)   eap : EAP MSCHAPv2 (26)
> (8)   eap : Calling eap_mschapv2 to process EAP data
> (8)   eap : Freeing handler
> (8)    [eap] = ok
> (8)   } #  authenticate = ok
> (8)  # Executing section post-auth from file
> /etc/raddb/sites-enabled/inner-tunnel
> (8)    post-auth {
> (8)   ldap : EXPAND .
> (8)   ldap :    --> .
> (8)   ldap : EXPAND Authenticated at %S
> (8)   ldap :    --> Authenticated at 2015-07-03 14:28:13
> rlm_ldap (ldap): Reserved connection (5)
> (8)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8)   ldap :    --> (uid=newuser)
> (8)   ldap : EXPAND dc=test,dc=ad,dc=com
> (8)   ldap :    --> dc=test,dc=ad,dc=com
> (8)   ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> '(uid=newuser)', scope 'sub'
> (8)   ldap : Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (8)   ldap : Search returned no results
> rlm_ldap (ldap): Deleting connection (5)
> (8)    [ldap] = notfound
> (8)   } #  post-auth = notfound
> (8)    Reply:
>          MS-MPPE-Encryption-Policy = Encryption-Required
>          MS-MPPE-Encryption-Types = 4
>          MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
>          MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
>          EAP-Message = 0x03080004
>          Message-Authenticator = 0x00000000000000000000000000000000
>          User-Name = 'newuser'
> (8)  } # server inner-tunnel
> } # server inner-tunnel
> (8)  eap_peap : Got tunneled reply code 2
>          MS-MPPE-Encryption-Policy = Encryption-Required
>          MS-MPPE-Encryption-Types = 4
>          MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
>          MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
>          EAP-Message = 0x03080004
>          Message-Authenticator = 0x00000000000000000000000000000000
>          User-Name = 'newuser'
> (8)  eap_peap : Got tunneled reply RADIUS code 2
>          MS-MPPE-Encryption-Policy = Encryption-Required
>          MS-MPPE-Encryption-Types = 4
>          MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
>          MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
>          EAP-Message = 0x03080004
>          Message-Authenticator = 0x00000000000000000000000000000000
>          User-Name = 'newuser'
> (8)  eap_peap : Tunneled authentication was successful
> (8)  eap_peap : SUCCESS
> (8)  eap_peap : Saving tunneled attributes for later
> (8)  eap : New EAP session, adding 'State' attribute to reply
> 0x0e90273006993e66
> (8)   [eap] = handled
> (8)  } #  authenticate = handled
> (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
> length=0
> (8)     EAP-Message =
> 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
> (8)     Message-Authenticator = 0x00000000000000000000000000000000
> (8)     State = 0x0e90273006993e6603c734ef610afcab
> Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
>          EAP-Message =
> 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x0e90273006993e6603c734ef610afcab
> (8) Finished request
> Waking up in 3.8 seconds.
> Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
> length 178
>          NAS-IP-Address = 192.168.0.2
>          NAS-Port = 50024
>          NAS-Port-Type = Ethernet
>          User-Name = 'newuser'
>          Called-Station-Id = '00-16-9D-D3-40-D8'
>          Calling-Station-Id = '68-B5-99-C8-B0-5E'
>          Service-Type = Framed-User
>          Framed-MTU = 1500
>          State = 0x0e90273006993e6603c734ef610afcab
>          EAP-Message =
> 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
>          Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
> length=178
> (9)     NAS-IP-Address = 192.168.0.2
> (9)     NAS-Port = 50024
> (9)     NAS-Port-Type = Ethernet
> (9)     User-Name = 'newuser'
> (9)     Called-Station-Id = '00-16-9D-D3-40-D8'
> (9)     Calling-Station-Id = '68-B5-99-C8-B0-5E'
> (9)     Service-Type = Framed-User
> (9)     Framed-MTU = 1500
> (9)     State = 0x0e90273006993e6603c734ef610afcab
> (9)     EAP-Message =
> 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
> (9)     Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (9)   authorize {
> (9)   filter_username filter_username {
> (9)     if (!&User-Name)
> (9)     if (!&User-Name)  -> FALSE
> (9)     if (&User-Name =~ / /)
> (9)     if (&User-Name =~ / /)  -> FALSE
> (9)     if (&User-Name =~ /@.*@/ )
> (9)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (9)     if (&User-Name =~ /\\.\\./ )
> (9)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
> (9)     if (&User-Name =~ /\\.$/)
> (9)     if (&User-Name =~ /\\.$/)   -> FALSE
> (9)     if (&User-Name =~ /@\\./)
> (9)     if (&User-Name =~ /@\\./)   -> FALSE
> (9)   } # filter_username filter_username = notfound
> (9)   [preprocess] = ok
> (9)   [chap] = noop
> (9)   [mschap] = noop
> (9)   [digest] = noop
> (9)  suffix : Checking for suffix after "@"
> (9)  suffix : No '@' in User-Name = "newuser", looking up realm NULL
> (9)  suffix : No such realm "NULL"
> (9)   [suffix] = noop
> (9)  eap : Peer sent code Response (2) ID 9 length 43
> (9)  eap : Continuing tunnel setup
> (9)   [eap] = ok
> (9)  } #  authorize = ok
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/raddb/sites-enabled/default
> (9)   authenticate {
> (9)  eap : Expiring EAP session with state 0x0e90273006993e66
> (9)  eap : Finished EAP session with state 0x0e90273006993e66
> (9)  eap : Previous EAP request found for state 0x0e90273006993e66,
> released from the list
> (9)  eap : Peer sent method PEAP (25)
> (9)  eap : EAP PEAP (25)
> (9)  eap : Calling eap_peap to process EAP data
> (9)  eap_peap : processing EAP-TLS
> (9)  eap_peap : eaptls_verify returned 7
> (9)  eap_peap : Done initial handshake
> (9)  eap_peap : eaptls_process returned 7
> (9)  eap_peap : FR_TLS_OK
> (9)  eap_peap : Session established.  Decoding tunneled attributes
> (9)  eap_peap : Peap state send tlv success
> (9)  eap_peap : Received EAP-TLV response
> (9)  eap_peap : Success
> (9)  eap_peap : Using saved attributes from the original Access-Accept
>          User-Name = 'newuser'
> (9)  eap_peap : Saving session
> 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
> 0x7f6012aedf20 in the cache
> (9)  eap : Freeing handler
> (9)   [eap] = ok
> (9)  } #  authenticate = ok
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (9)   post-auth {
> (9)  ldap : EXPAND .
> (9)  ldap :    --> .
> (9)  ldap : EXPAND Authenticated at %S
> (9)  ldap :    --> Authenticated at 2015-07-03 14:28:14
> rlm_ldap (ldap): Reserved connection (2)
> (9)  ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (9)  ldap :    --> (uid=newuser)
> (9)  ldap : EXPAND dc=test,dc=ad,dc=com
> (9)  ldap :    --> dc=test,dc=ad,dc=com
> (9)  ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> '(uid=newuser)', scope 'sub'
> (9)  ldap : Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (9)  ldap : Search returned no results
> rlm_ldap (ldap): Deleting connection (2)
> (9)   [ldap] = notfound
> (9)    if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
> (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
> rlm_ldap (ldap): Reserved connection (1)
> (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (9)    --> (uid=newuser)
> (9) EXPAND dc=test,dc=ad,dc=com
> (9)    --> dc=test,dc=ad,dc=com
> (9) Performing search in 'dc=test,dc=ad,dc=com' with filter
> '(uid=newuser)', scope 'sub'
> (9) Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://
> test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (9) Search returned no results
> rlm_ldap (ldap): Deleting connection (1)
> (9)    if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
> FALSE
> (9)   [exec] = noop
> (9)   remove_reply_message_if_eap remove_reply_message_if_eap {
> (9)     if (&reply:EAP-Message && &reply:Reply-Message)
> (9)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (9)    else else {
> (9)     [noop] = noop
> (9)    } # else else = noop
> (9)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (9)  } #  post-auth = noop
> (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
> length=0
> (9)     User-Name = 'newuser'
> (9)     MS-MPPE-Recv-Key =
> 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
> (9)     MS-MPPE-Send-Key =
> 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> (9)     EAP-MSK =
> 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> (9)     EAP-EMSK =
> 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
> (9)     EAP-Session-Id =
> 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
> (9)     EAP-Message = 0x03090004
> (9)     Message-Authenticator = 0x00000000000000000000000000000000
> Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
>          User-Name = 'newuser'
>          MS-MPPE-Recv-Key =
> 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
>          MS-MPPE-Send-Key =
> 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
>          EAP-Message = 0x03090004
>          Message-Authenticator = 0x00000000000000000000000000000000
> (9) Finished request
>
>
>
> in ldap config file, part related user and groups looks like below:
>
> user {
>   base_dn = "dc=test,dc=ad,dc=com"
>   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> }
> group {
>   base_dn = "dc=test,dc=ad,dc=com"
>   filter = "(objectClass=posixGroup)"
>   name_attribute = cn
>   membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>   membership_attribute = "memberOf"
> }
>
>
> Why freeradius can't match group "computers" to user "newuser"?
>
> I would be very glad on any help
your filter and membership_filter directives conflict.

the objectClass posixGroup uses the memberUid attribute, while the 
objectClass groupOfNames uses the member attribute.

because you are using AD, it should support RFC 2307bis, which makes the 
posixGroup an auxiliary objectClass, and not structural.  both 
attributes (member and memberUid) can be defined for the same object, 
but it is likely that only one is used.

get out your favorite LDAP browser (phpLdapAdmin, gq, lat, luma, or 
SoftTerra LDAP Browser for Windows) and look at the group object you are 
trying to match on.  note the used attributes and adjust your filter and 
membership_filter directives accordingly.
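An offline checker, added here as an example and not code from the thread or from FreeRADIUS, that applies the `filter` and `membership_filter` from the quoted config to a group entry pasted from ldapsearch, so you can see which half of the conflict fails before touching the server. The two group entries are constructed samples (an AD-style group with a DN-valued `member`, and the same group as an RFC 2307 posixGroup with `memberUid`); it assumes rlm_ldap ANDs the group `filter` with `membership_filter` when it searches for group objects.

```python
# Constructed sample group entries (not from the original post). The first is
# laid out the way an AD group is (objectClass "group", DN-valued "member");
# the second is the same group as an RFC 2307 posixGroup with "memberUid".
AD_GROUP_LDIF = """dn: CN=computers,CN=Users,DC=test,DC=ad,DC=com
objectClass: top
objectClass: group
cn: computers
member: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
"""
POSIX_GROUP_LDIF = """dn: cn=computers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: computers
memberUid: newuser
"""

def parse_ldif(text):
    """One LDIF entry -> {attribute.lower(): [values]}; '::' values kept raw."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.lstrip(":").strip())
    return entry

def matches(entry, filt):
    """Minimal RFC 4515 evaluator: (attr=value), (|...), (&...); case-insensitive."""
    body = filt.strip()[1:-1]
    if body[0] in "|&":  # split the operands by tracking parenthesis depth
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return any(results) if body[0] == "|" else all(results)
    attr, _, value = body.partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def diagnose(group_ldif, user_dn, user_name):
    """Apply the post's group filter and membership_filter to one group entry.
    Assumes rlm_ldap ANDs them, so 'combined' is what decides LDAP-Group."""
    group = parse_ldif(group_ldif)
    membership = "(|(member=%s)(memberUid=%s))" % (user_dn, user_name)
    result = {
        "group_filter": matches(group, "(objectClass=posixGroup)"),
        "member_branch": matches(group, "(member=%s)" % user_dn),
        "memberuid_branch": matches(group, "(memberUid=%s)" % user_name),
        "membership_filter": matches(group, membership),
    }
    result["combined"] = result["group_filter"] and result["membership_filter"]
    return result
```

Run `diagnose(AD_GROUP_LDIF, "CN=newuser,CN=Users,DC=test,DC=ad,DC=com", "newuser")`: the `member` branch matches but `(objectClass=posixGroup)` does not, so the combined search is empty, which is the "no results" the debug log shows; paste your own ldapsearch output for the group in place of the sample to see which attribute it actually carries.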
