freeradius doesn't see user in group (Active Directory) but user belong to this group
stefan nowak
pionartest at gmail.com
Mon Jul 6 14:47:28 CEST 2015
> Message: 1
> Date: Sat, 04 Jul 2015 11:44:01 -0400
> From: Brendan Kearney <bpk678 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: freeradius doesn't see user in group (Active Directory)
> but user belong to this group
> Message-ID: <5597FF41.6050706 at gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 07/04/2015 03:17 AM, stefan nowak wrote:
> > Hi All,
> >
> > for a few days I've been stuck with the freeradius configuration. All works well
> > except one thing. I can't get the info from Active Directory into freeradius about
> > which group the user belongs to (I need this to set the VLAN depending on the group).
> > My freeradius version is 3.0.4
> >
> > as you can see below, user "newuser" belongs to group "computers";
> > here's the output from ldapsearch:
> >
> > dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: newuser
> > givenName: newuser
> > distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> > instanceType: 4
> > whenCreated: 20150702132126.0Z
> > whenChanged: 20150703105127.0Z
> > displayName: newuser
> > uSNCreated: 82039
> > memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
> > uSNChanged: 90187
> > name: newuser
> > objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
> > userAccountControl: 66048
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > pwdLastSet: 130803168865078125
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: newuser
> > sAMAccountType: 805306368
> > userPrincipalName: newuser at test.ad.com
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
> > dSCorePropagationData: 16010101000000.0Z
> > lastLogonTimestamp: 130803172388710937
> >
> >
> > from the log output I see that user "newuser" gets an Access-Accept but freeradius
> > didn't find him in group "computers". Here is the output:
> >
> > Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 129
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > EAP-Message = 0x0200000c016e657775736572
> > Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> > (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
> > length=129
> > (0) NAS-IP-Address = 192.168.0.2
> > (0) NAS-Port = 50024
> > (0) NAS-Port-Type = Ethernet
> > (0) User-Name = 'newuser'
> > (0) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (0) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (0) Service-Type = Framed-User
> > (0) Framed-MTU = 1500
> > (0) EAP-Message = 0x0200000c016e657775736572
> > (0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> > (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (0) authorize {
> > (0) filter_username filter_username {
> > (0) if (!&User-Name)
> > (0) if (!&User-Name) -> FALSE
> > (0) if (&User-Name =~ / /)
> > (0) if (&User-Name =~ / /) -> FALSE
> > (0) if (&User-Name =~ /@.*@/ )
> > (0) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (0) if (&User-Name =~ /\\.\\./ )
> > (0) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (0) if (&User-Name =~ /\\.$/)
> > (0) if (&User-Name =~ /\\.$/) -> FALSE
> > (0) if (&User-Name =~ /@\\./)
> > (0) if (&User-Name =~ /@\\./) -> FALSE
> > (0) } # filter_username filter_username = notfound
> > (0) [preprocess] = ok
> > (0) [chap] = noop
> > (0) [mschap] = noop
> > (0) [digest] = noop
> > (0) suffix : Checking for suffix after "@"
> > (0) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (0) suffix : No such realm "NULL"
> > (0) [suffix] = noop
> > (0) eap : Peer sent code Response (2) ID 0 length 12
> > (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> > rest of authorize
> > (0) [eap] = ok
> > (0) } # authorize = ok
> > (0) Found Auth-Type = EAP
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > (0) authenticate {
> > (0) eap : Peer sent method Identity (1)
> > (0) eap : Calling eap_peap to process EAP data
> > (0) eap_peap : Flushing SSL sessions (of #0)
> > (0) eap_peap : Initiate
> > (0) eap_peap : Start returned 1
> > (0) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300e913e66
> > (0) [eap] = handled
> > (0) } # authenticate = handled
> > (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
> > length=0
> > (0) EAP-Message = 0x010100061920
> > (0) Message-Authenticator = 0x00000000000000000000000000000000
> > (0) State = 0x0e9027300e913e6603c734ef610afcab
> > Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message = 0x010100061920
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300e913e6603c734ef610afcab
> > (0) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 276
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300e913e6603c734ef610afcab
> > EAP-Message =
> > 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
> > Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> > (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
> > length=276
> > (1) NAS-IP-Address = 192.168.0.2
> > (1) NAS-Port = 50024
> > (1) NAS-Port-Type = Ethernet
> > (1) User-Name = 'newuser'
> > (1) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (1) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (1) Service-Type = Framed-User
> > (1) Framed-MTU = 1500
> > (1) State = 0x0e9027300e913e6603c734ef610afcab
> > (1) EAP-Message =
> > 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
> > (1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> > (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (1) authorize {
> > (1) filter_username filter_username {
> > (1) if (!&User-Name)
> > (1) if (!&User-Name) -> FALSE
> > (1) if (&User-Name =~ / /)
> > (1) if (&User-Name =~ / /) -> FALSE
> > (1) if (&User-Name =~ /@.*@/ )
> > (1) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (1) if (&User-Name =~ /\\.\\./ )
> > (1) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (1) if (&User-Name =~ /\\.$/)
> > (1) if (&User-Name =~ /\\.$/) -> FALSE
> > (1) if (&User-Name =~ /@\\./)
> > (1) if (&User-Name =~ /@\\./) -> FALSE
> > (1) } # filter_username filter_username = notfound
> > (1) [preprocess] = ok
> > (1) [chap] = noop
> > (1) [mschap] = noop
> > (1) [digest] = noop
> > (1) suffix : Checking for suffix after "@"
> > (1) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (1) suffix : No such realm "NULL"
> > (1) [suffix] = noop
> > (1) eap : Peer sent code Response (2) ID 1 length 141
> > (1) eap : Continuing tunnel setup
> > (1) [eap] = ok
> > (1) } # authorize = ok
> > (1) Found Auth-Type = EAP
> > (1) # Executing group from file /etc/raddb/sites-enabled/default
> > (1) authenticate {
> > (1) eap : Expiring EAP session with state 0x0e9027300e913e66
> > (1) eap : Finished EAP session with state 0x0e9027300e913e66
> > (1) eap : Previous EAP request found for state 0x0e9027300e913e66,
> > released from the list
> > (1) eap : Peer sent method PEAP (25)
> > (1) eap : EAP PEAP (25)
> > (1) eap : Calling eap_peap to process EAP data
> > (1) eap_peap : processing EAP-TLS
> > TLS Length 131
> > (1) eap_peap : Length Included
> > (1) eap_peap : eaptls_verify returned 11
> > (1) eap_peap : (other): before/accept initialization
> > (1) eap_peap : TLS_accept: before/accept initialization
> > (1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
> > SSL: Client requested cached session
> > fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
> > (1) eap_peap : TLS_accept: SSLv3 read client hello A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
> > (1) eap_peap : TLS_accept: SSLv3 write server hello A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
> > (1) eap_peap : TLS_accept: SSLv3 write certificate A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> > (1) eap_peap : TLS_accept: SSLv3 write server done A
> > (1) eap_peap : TLS_accept: SSLv3 flush data
> > (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
> > certificate A
> > In SSL Handshake Phase
> > In SSL Accept mode
> > (1) eap_peap : eaptls_process returned 13
> > (1) eap_peap : FR_TLS_HANDLED
> > (1) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300f923e66
> > (1) [eap] = handled
> > (1) } # authenticate = handled
> > (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
> > length=0
> > (1) EAP-Message =
> > 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c
> > (1) Message-Authenticator = 0x00000000000000000000000000000000
> > (1) State = 0x0e9027300f923e6603c734ef610afcab
> > Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300f923e6603c734ef610afcab
> > (1) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300f923e6603c734ef610afcab
> > EAP-Message = 0x020200061900
> > Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> > (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
> > length=141
> > (2) NAS-IP-Address = 192.168.0.2
> > (2) NAS-Port = 50024
> > (2) NAS-Port-Type = Ethernet
> > (2) User-Name = 'newuser'
> > (2) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (2) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (2) Service-Type = Framed-User
> > (2) Framed-MTU = 1500
> > (2) State = 0x0e9027300f923e6603c734ef610afcab
> > (2) EAP-Message = 0x020200061900
> > (2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> > (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (2) authorize {
> > (2) filter_username filter_username {
> > (2) if (!&User-Name)
> > (2) if (!&User-Name) -> FALSE
> > (2) if (&User-Name =~ / /)
> > (2) if (&User-Name =~ / /) -> FALSE
> > (2) if (&User-Name =~ /@.*@/ )
> > (2) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (2) if (&User-Name =~ /\\.\\./ )
> > (2) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (2) if (&User-Name =~ /\\.$/)
> > (2) if (&User-Name =~ /\\.$/) -> FALSE
> > (2) if (&User-Name =~ /@\\./)
> > (2) if (&User-Name =~ /@\\./) -> FALSE
> > (2) } # filter_username filter_username = notfound
> > (2) [preprocess] = ok
> > (2) [chap] = noop
> > (2) [mschap] = noop
> > (2) [digest] = noop
> > (2) suffix : Checking for suffix after "@"
> > (2) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (2) suffix : No such realm "NULL"
> > (2) [suffix] = noop
> > (2) eap : Peer sent code Response (2) ID 2 length 6
> > (2) eap : Continuing tunnel setup
> > (2) [eap] = ok
> > (2) } # authorize = ok
> > (2) Found Auth-Type = EAP
> > (2) # Executing group from file /etc/raddb/sites-enabled/default
> > (2) authenticate {
> > (2) eap : Expiring EAP session with state 0x0e9027300f923e66
> > (2) eap : Finished EAP session with state 0x0e9027300f923e66
> > (2) eap : Previous EAP request found for state 0x0e9027300f923e66,
> > released from the list
> > (2) eap : Peer sent method PEAP (25)
> > (2) eap : EAP PEAP (25)
> > (2) eap : Calling eap_peap to process EAP data
> > (2) eap_peap : processing EAP-TLS
> > (2) eap_peap : Received TLS ACK
> > (2) eap_peap : Received TLS ACK
> > (2) eap_peap : ACK handshake fragment handler
> > (2) eap_peap : eaptls_verify returned 1
> > (2) eap_peap : eaptls_process returned 13
> > (2) eap_peap : FR_TLS_HANDLED
> > (2) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300c933e66
> > (2) [eap] = handled
> > (2) } # authenticate = handled
> > (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
> > length=0
> > (2) EAP-Message =
> > (2) Message-Authenticator = 0x00000000000000000000000000000000
> > (2) State = 0x0e9027300c933e6603c734ef610afcab
> > Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300c933e6603c734ef610afcab
> > (2) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300c933e6603c734ef610afcab
> > EAP-Message = 0x020300061900
> > Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> > (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
> > length=141
> > (3) NAS-IP-Address = 192.168.0.2
> > (3) NAS-Port = 50024
> > (3) NAS-Port-Type = Ethernet
> > (3) User-Name = 'newuser'
> > (3) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (3) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (3) Service-Type = Framed-User
> > (3) Framed-MTU = 1500
> > (3) State = 0x0e9027300c933e6603c734ef610afcab
> > (3) EAP-Message = 0x020300061900
> > (3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> > (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (3) authorize {
> > (3) filter_username filter_username {
> > (3) if (!&User-Name)
> > (3) if (!&User-Name) -> FALSE
> > (3) if (&User-Name =~ / /)
> > (3) if (&User-Name =~ / /) -> FALSE
> > (3) if (&User-Name =~ /@.*@/ )
> > (3) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (3) if (&User-Name =~ /\\.\\./ )
> > (3) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (3) if (&User-Name =~ /\\.$/)
> > (3) if (&User-Name =~ /\\.$/) -> FALSE
> > (3) if (&User-Name =~ /@\\./)
> > (3) if (&User-Name =~ /@\\./) -> FALSE
> > (3) } # filter_username filter_username = notfound
> > (3) [preprocess] = ok
> > (3) [chap] = noop
> > (3) [mschap] = noop
> > (3) [digest] = noop
> > (3) suffix : Checking for suffix after "@"
> > (3) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (3) suffix : No such realm "NULL"
> > (3) [suffix] = noop
> > (3) eap : Peer sent code Response (2) ID 3 length 6
> > (3) eap : Continuing tunnel setup
> > (3) [eap] = ok
> > (3) } # authorize = ok
> > (3) Found Auth-Type = EAP
> > (3) # Executing group from file /etc/raddb/sites-enabled/default
> > (3) authenticate {
> > (3) eap : Expiring EAP session with state 0x0e9027300c933e66
> > (3) eap : Finished EAP session with state 0x0e9027300c933e66
> > (3) eap : Previous EAP request found for state 0x0e9027300c933e66,
> > released from the list
> > (3) eap : Peer sent method PEAP (25)
> > (3) eap : EAP PEAP (25)
> > (3) eap : Calling eap_peap to process EAP data
> > (3) eap_peap : processing EAP-TLS
> > (3) eap_peap : Received TLS ACK
> > (3) eap_peap : Received TLS ACK
> > (3) eap_peap : ACK handshake fragment handler
> > (3) eap_peap : eaptls_verify returned 1
> > (3) eap_peap : eaptls_process returned 13
> > (3) eap_peap : FR_TLS_HANDLED
> > (3) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300d943e66
> > (3) [eap] = handled
> > (3) } # authenticate = handled
> > (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
> > length=0
> > (3) EAP-Message =
> > (3) Message-Authenticator = 0x00000000000000000000000000000000
> > (3) State = 0x0e9027300d943e6603c734ef610afcab
> > Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300d943e6603c734ef610afcab
> > (3) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 473
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300d943e6603c734ef610afcab
> > EAP-Message =
> > Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> > (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
> > length=473
> > (4) NAS-IP-Address = 192.168.0.2
> > (4) NAS-Port = 50024
> > (4) NAS-Port-Type = Ethernet
> > (4) User-Name = 'newuser'
> > (4) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (4) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (4) Service-Type = Framed-User
> > (4) Framed-MTU = 1500
> > (4) State = 0x0e9027300d943e6603c734ef610afcab
> > (4) EAP-Message =
> > (4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> > (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (4) authorize {
> > (4) filter_username filter_username {
> > (4) if (!&User-Name)
> > (4) if (!&User-Name) -> FALSE
> > (4) if (&User-Name =~ / /)
> > (4) if (&User-Name =~ / /) -> FALSE
> > (4) if (&User-Name =~ /@.*@/ )
> > (4) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (4) if (&User-Name =~ /\\.\\./ )
> > (4) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (4) if (&User-Name =~ /\\.$/)
> > (4) if (&User-Name =~ /\\.$/) -> FALSE
> > (4) if (&User-Name =~ /@\\./)
> > (4) if (&User-Name =~ /@\\./) -> FALSE
> > (4) } # filter_username filter_username = notfound
> > (4) [preprocess] = ok
> > (4) [chap] = noop
> > (4) [mschap] = noop
> > (4) [digest] = noop
> > (4) suffix : Checking for suffix after "@"
> > (4) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (4) suffix : No such realm "NULL"
> > (4) [suffix] = noop
> > (4) eap : Peer sent code Response (2) ID 4 length 336
> > (4) eap : Continuing tunnel setup
> > (4) [eap] = ok
> > (4) } # authorize = ok
> > (4) Found Auth-Type = EAP
> > (4) # Executing group from file /etc/raddb/sites-enabled/default
> > (4) authenticate {
> > (4) eap : Expiring EAP session with state 0x0e9027300d943e66
> > (4) eap : Finished EAP session with state 0x0e9027300d943e66
> > (4) eap : Previous EAP request found for state 0x0e9027300d943e66,
> > released from the list
> > (4) eap : Peer sent method PEAP (25)
> > (4) eap : EAP PEAP (25)
> > (4) eap : Calling eap_peap to process EAP data
> > (4) eap_peap : processing EAP-TLS
> > TLS Length 326
> > (4) eap_peap : Length Included
> > (4) eap_peap : eaptls_verify returned 11
> > (4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
> > (4) eap_peap : TLS_accept: SSLv3 read client key exchange A
> > (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> > (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
> > (4) eap_peap : TLS_accept: SSLv3 read finished A
> > (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> > (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
> > (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
> > (4) eap_peap : TLS_accept: SSLv3 write finished A
> > (4) eap_peap : TLS_accept: SSLv3 flush data
> > SSL: adding session
> > 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
> > (4) eap_peap : (other): SSL negotiation finished successfully
> > SSL Connection Established
> > (4) eap_peap : eaptls_process returned 13
> > (4) eap_peap : FR_TLS_HANDLED
> > (4) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300a953e66
> > (4) [eap] = handled
> > (4) } # authenticate = handled
> > (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
> > length=0
> > (4) EAP-Message =
> > 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
> > (4) Message-Authenticator = 0x00000000000000000000000000000000
> > (4) State = 0x0e9027300a953e6603c734ef610afcab
> > Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300a953e6603c734ef610afcab
> > (4) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300a953e6603c734ef610afcab
> > EAP-Message = 0x020500061900
> > Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> > (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
> > length=141
> > (5) NAS-IP-Address = 192.168.0.2
> > (5) NAS-Port = 50024
> > (5) NAS-Port-Type = Ethernet
> > (5) User-Name = 'newuser'
> > (5) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (5) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (5) Service-Type = Framed-User
> > (5) Framed-MTU = 1500
> > (5) State = 0x0e9027300a953e6603c734ef610afcab
> > (5) EAP-Message = 0x020500061900
> > (5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> > (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (5) authorize {
> > (5) filter_username filter_username {
> > (5) if (!&User-Name)
> > (5) if (!&User-Name) -> FALSE
> > (5) if (&User-Name =~ / /)
> > (5) if (&User-Name =~ / /) -> FALSE
> > (5) if (&User-Name =~ /@.*@/ )
> > (5) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (5) if (&User-Name =~ /\\.\\./ )
> > (5) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (5) if (&User-Name =~ /\\.$/)
> > (5) if (&User-Name =~ /\\.$/) -> FALSE
> > (5) if (&User-Name =~ /@\\./)
> > (5) if (&User-Name =~ /@\\./) -> FALSE
> > (5) } # filter_username filter_username = notfound
> > (5) [preprocess] = ok
> > (5) [chap] = noop
> > (5) [mschap] = noop
> > (5) [digest] = noop
> > (5) suffix : Checking for suffix after "@"
> > (5) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (5) suffix : No such realm "NULL"
> > (5) [suffix] = noop
> > (5) eap : Peer sent code Response (2) ID 5 length 6
> > (5) eap : Continuing tunnel setup
> > (5) [eap] = ok
> > (5) } # authorize = ok
> > (5) Found Auth-Type = EAP
> > (5) # Executing group from file /etc/raddb/sites-enabled/default
> > (5) authenticate {
> > (5) eap : Expiring EAP session with state 0x0e9027300a953e66
> > (5) eap : Finished EAP session with state 0x0e9027300a953e66
> > (5) eap : Previous EAP request found for state 0x0e9027300a953e66,
> > released from the list
> > (5) eap : Peer sent method PEAP (25)
> > (5) eap : EAP PEAP (25)
> > (5) eap : Calling eap_peap to process EAP data
> > (5) eap_peap : processing EAP-TLS
> > (5) eap_peap : Received TLS ACK
> > (5) eap_peap : Received TLS ACK
> > (5) eap_peap : ACK handshake is finished
> > (5) eap_peap : eaptls_verify returned 3
> > (5) eap_peap : eaptls_process returned 3
> > (5) eap_peap : FR_TLS_SUCCESS
> > (5) eap_peap : Session established. Decoding tunneled attributes
> > (5) eap_peap : Peap state TUNNEL ESTABLISHED
> > (5) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300b963e66
> > (5) [eap] = handled
> > (5) } # authenticate = handled
> > (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
> > length=0
> > (5) EAP-Message =
> > 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
> > (5) Message-Authenticator = 0x00000000000000000000000000000000
> > (5) State = 0x0e9027300b963e6603c734ef610afcab
> > Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300b963e6603c734ef610afcab
> > (5) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300b963e6603c734ef610afcab
> > EAP-Message =
> > 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
> > Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> > (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
> > length=178
> > (6) NAS-IP-Address = 192.168.0.2
> > (6) NAS-Port = 50024
> > (6) NAS-Port-Type = Ethernet
> > (6) User-Name = 'newuser'
> > (6) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (6) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (6) Service-Type = Framed-User
> > (6) Framed-MTU = 1500
> > (6) State = 0x0e9027300b963e6603c734ef610afcab
> > (6) EAP-Message =
> > 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
> > (6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> > (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (6) authorize {
> > (6) filter_username filter_username {
> > (6) if (!&User-Name)
> > (6) if (!&User-Name) -> FALSE
> > (6) if (&User-Name =~ / /)
> > (6) if (&User-Name =~ / /) -> FALSE
> > (6) if (&User-Name =~ /@.*@/ )
> > (6) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (6) if (&User-Name =~ /\\.\\./ )
> > (6) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (6) if (&User-Name =~ /\\.$/)
> > (6) if (&User-Name =~ /\\.$/) -> FALSE
> > (6) if (&User-Name =~ /@\\./)
> > (6) if (&User-Name =~ /@\\./) -> FALSE
> > (6) } # filter_username filter_username = notfound
> > (6) [preprocess] = ok
> > (6) [chap] = noop
> > (6) [mschap] = noop
> > (6) [digest] = noop
> > (6) suffix : Checking for suffix after "@"
> > (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (6) suffix : No such realm "NULL"
> > (6) [suffix] = noop
> > (6) eap : Peer sent code Response (2) ID 6 length 43
> > (6) eap : Continuing tunnel setup
> > (6) [eap] = ok
> > (6) } # authorize = ok
> > (6) Found Auth-Type = EAP
> > (6) # Executing group from file /etc/raddb/sites-enabled/default
> > (6) authenticate {
> > (6) eap : Expiring EAP session with state 0x0e9027300b963e66
> > (6) eap : Finished EAP session with state 0x0e9027300b963e66
> > (6) eap : Previous EAP request found for state 0x0e9027300b963e66,
> > released from the list
> > (6) eap : Peer sent method PEAP (25)
> > (6) eap : EAP PEAP (25)
> > (6) eap : Calling eap_peap to process EAP data
> > (6) eap_peap : processing EAP-TLS
> > (6) eap_peap : eaptls_verify returned 7
> > (6) eap_peap : Done initial handshake
> > (6) eap_peap : eaptls_process returned 7
> > (6) eap_peap : FR_TLS_OK
> > (6) eap_peap : Session established. Decoding tunneled attributes
> > (6) eap_peap : Peap state WAITING FOR INNER IDENTITY
> > (6) eap_peap : Identity - newuser
> > (6) eap_peap : Got inner identity 'newuser'
> > (6) eap_peap : Setting default EAP type for tunneled EAP session
> > (6) eap_peap : Got tunneled request
> > EAP-Message = 0x0206000c016e657775736572
> > server default {
> > (6) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message = 0x0206000c016e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (6) server inner-tunnel {
> > (6) Request:
> > EAP-Message = 0x0206000c016e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (6) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (6) authorize {
> > (6) [chap] = noop
> > (6) [mschap] = noop
> > (6) suffix : Checking for suffix after "@"
> > (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (6) suffix : No such realm "NULL"
> > (6) [suffix] = noop
> > (6) update control {
> > (6) Proxy-To-Realm := 'LOCAL'
> > (6) } # update control = noop
> > (6) eap : Peer sent code Response (2) ID 6 length 12
> > (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> > rest of authorize
> > (6) [eap] = ok
> > (6) } # authorize = ok
> > (6) Found Auth-Type = EAP
> > (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (6) authenticate {
> > (6) eap : Peer sent method Identity (1)
> > (6) eap : Calling eap_mschapv2 to process EAP data
> > (6) eap_mschapv2 : Issuing Challenge
> > (6) eap : New EAP session, adding 'State' attribute to reply
> > 0x51469e48514184c8
> > (6) [eap] = handled
> > (6) } # authenticate = handled
> > (6) Reply:
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) } # server inner-tunnel
> > } # server inner-tunnel
> > (6) eap_peap : Got tunneled reply code 11
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) eap_peap : Got tunneled reply RADIUS code 11
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) eap_peap : Got tunneled Access-Challenge
> > (6) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273008973e66
> > (6) [eap] = handled
> > (6) } # authenticate = handled
> > (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
> > length=0
> > (6) EAP-Message =
> > 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
> > (6) Message-Authenticator = 0x00000000000000000000000000000000
> > (6) State = 0x0e90273008973e6603c734ef610afcab
> > Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273008973e6603c734ef610afcab
> > (6) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 242
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273008973e6603c734ef610afcab
> > EAP-Message =
> > 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
> > Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> > (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
> > length=242
> > (7) NAS-IP-Address = 192.168.0.2
> > (7) NAS-Port = 50024
> > (7) NAS-Port-Type = Ethernet
> > (7) User-Name = 'newuser'
> > (7) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (7) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (7) Service-Type = Framed-User
> > (7) Framed-MTU = 1500
> > (7) State = 0x0e90273008973e6603c734ef610afcab
> > (7) EAP-Message =
> > 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
> > (7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> > (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (7) authorize {
> > (7) filter_username filter_username {
> > (7) if (!&User-Name)
> > (7) if (!&User-Name) -> FALSE
> > (7) if (&User-Name =~ / /)
> > (7) if (&User-Name =~ / /) -> FALSE
> > (7) if (&User-Name =~ /@.*@/ )
> > (7) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (7) if (&User-Name =~ /\\.\\./ )
> > (7) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (7) if (&User-Name =~ /\\.$/)
> > (7) if (&User-Name =~ /\\.$/) -> FALSE
> > (7) if (&User-Name =~ /@\\./)
> > (7) if (&User-Name =~ /@\\./) -> FALSE
> > (7) } # filter_username filter_username = notfound
> > (7) [preprocess] = ok
> > (7) [chap] = noop
> > (7) [mschap] = noop
> > (7) [digest] = noop
> > (7) suffix : Checking for suffix after "@"
> > (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (7) suffix : No such realm "NULL"
> > (7) [suffix] = noop
> > (7) eap : Peer sent code Response (2) ID 7 length 107
> > (7) eap : Continuing tunnel setup
> > (7) [eap] = ok
> > (7) } # authorize = ok
> > (7) Found Auth-Type = EAP
> > (7) # Executing group from file /etc/raddb/sites-enabled/default
> > (7) authenticate {
> > (7) eap : Expiring EAP session with state 0x51469e48514184c8
> > (7) eap : Finished EAP session with state 0x0e90273008973e66
> > (7) eap : Previous EAP request found for state 0x0e90273008973e66,
> > released from the list
> > (7) eap : Peer sent method PEAP (25)
> > (7) eap : EAP PEAP (25)
> > (7) eap : Calling eap_peap to process EAP data
> > (7) eap_peap : processing EAP-TLS
> > (7) eap_peap : eaptls_verify returned 7
> > (7) eap_peap : Done initial handshake
> > (7) eap_peap : eaptls_process returned 7
> > (7) eap_peap : FR_TLS_OK
> > (7) eap_peap : Session established. Decoding tunneled attributes
> > (7) eap_peap : Peap state phase2
> > (7) eap_peap : EAP type MSCHAPv2 (26)
> > (7) eap_peap : Got tunneled request
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > server default {
> > (7) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (7) server inner-tunnel {
> > (7) Request:
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (7) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (7) authorize {
> > (7) [chap] = noop
> > (7) [mschap] = noop
> > (7) suffix : Checking for suffix after "@"
> > (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (7) suffix : No such realm "NULL"
> > (7) [suffix] = noop
> > (7) update control {
> > (7) Proxy-To-Realm := 'LOCAL'
> > (7) } # update control = noop
> > (7) eap : Peer sent code Response (2) ID 7 length 66
> > (7) eap : No EAP Start, assuming it's an on-going EAP conversation
> > (7) [eap] = updated
> > (7) [files] = noop
> > rlm_ldap (ldap): Reserved connection (4)
> > (7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (7) ldap : --> (uid=newuser)
> > (7) ldap : EXPAND dc=test,dc=ad,dc=com
> > (7) ldap : --> dc=test,dc=ad,dc=com
> > (7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (7) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (7) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (4)
> > (7) [ldap] = notfound
> > (7) [expiration] = noop
> > (7) [logintime] = noop
> > (7) [pap] = noop
> > (7) } # authorize = updated
> > (7) Found Auth-Type = EAP
> > (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (7) authenticate {
> > (7) eap : Expiring EAP session with state 0x51469e48514184c8
> > (7) eap : Finished EAP session with state 0x51469e48514184c8
> > (7) eap : Previous EAP request found for state 0x51469e48514184c8,
> > released from the list
> > (7) eap : Peer sent method MSCHAPv2 (26)
> > (7) eap : EAP MSCHAPv2 (26)
> > (7) eap : Calling eap_mschapv2 to process EAP data
> > (7) eap_mschapv2 : # Executing group from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (7) eap_mschapv2 : Auth-Type MS-CHAP {
> > (7) mschap : Creating challenge hash with username: newuser
> > (7) mschap : Client is using MS-CHAPv2
> > Executing: /usr/bin/ntlm_auth --request-nt-key
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --challenge=%{%{mschap:Challenge}:-00}
> > --nt-response=%{%{mschap:NT-Response}:-00}:
> > (7) mschap : EXPAND
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (7) mschap : --> --username=newuser
> > (7) mschap : Creating challenge hash with username: newuser
> > (7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (7) mschap : --> --challenge=141c75ef267aec37
> > (7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (7) mschap : -->
> > --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
> > Program returned code (0) and output 'NT_KEY:
> > 917FDA71960ECCF4DF81D38405F86F42'
> > (7) mschap : Adding MS-CHAPv2 MPPE keys
> > (7) [mschap] = ok
> > (7) } # Auth-Type MS-CHAP = ok
> > MSCHAP Success
> > (7) eap : New EAP session, adding 'State' attribute to reply
> > 0x51469e48504e84c8
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) Reply:
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) } # server inner-tunnel
> > } # server inner-tunnel
> > (7) eap_peap : Got tunneled reply code 11
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) eap_peap : Got tunneled reply RADIUS code 11
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) eap_peap : Got tunneled Access-Challenge
> > (7) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273009983e66
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
> > length=0
> > (7) EAP-Message =
> > 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
> > (7) Message-Authenticator = 0x00000000000000000000000000000000
> > (7) State = 0x0e90273009983e6603c734ef610afcab
> > Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273009983e6603c734ef610afcab
> > (7) Finished request
> > Waking up in 4.5 seconds.
> > Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273009983e6603c734ef610afcab
> > EAP-Message =
> > 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
> > Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> > (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
> > length=178
> > (8) NAS-IP-Address = 192.168.0.2
> > (8) NAS-Port = 50024
> > (8) NAS-Port-Type = Ethernet
> > (8) User-Name = 'newuser'
> > (8) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (8) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (8) Service-Type = Framed-User
> > (8) Framed-MTU = 1500
> > (8) State = 0x0e90273009983e6603c734ef610afcab
> > (8) EAP-Message =
> > 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
> > (8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> > (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (8) authorize {
> > (8) filter_username filter_username {
> > (8) if (!&User-Name)
> > (8) if (!&User-Name) -> FALSE
> > (8) if (&User-Name =~ / /)
> > (8) if (&User-Name =~ / /) -> FALSE
> > (8) if (&User-Name =~ /@.*@/ )
> > (8) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (8) if (&User-Name =~ /\\.\\./ )
> > (8) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (8) if (&User-Name =~ /\\.$/)
> > (8) if (&User-Name =~ /\\.$/) -> FALSE
> > (8) if (&User-Name =~ /@\\./)
> > (8) if (&User-Name =~ /@\\./) -> FALSE
> > (8) } # filter_username filter_username = notfound
> > (8) [preprocess] = ok
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) [digest] = noop
> > (8) suffix : Checking for suffix after "@"
> > (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (8) suffix : No such realm "NULL"
> > (8) [suffix] = noop
> > (8) eap : Peer sent code Response (2) ID 8 length 43
> > (8) eap : Continuing tunnel setup
> > (8) [eap] = ok
> > (8) } # authorize = ok
> > (8) Found Auth-Type = EAP
> > (8) # Executing group from file /etc/raddb/sites-enabled/default
> > (8) authenticate {
> > (8) eap : Expiring EAP session with state 0x51469e48504e84c8
> > (8) eap : Finished EAP session with state 0x0e90273009983e66
> > (8) eap : Previous EAP request found for state 0x0e90273009983e66,
> > released from the list
> > (8) eap : Peer sent method PEAP (25)
> > (8) eap : EAP PEAP (25)
> > (8) eap : Calling eap_peap to process EAP data
> > (8) eap_peap : processing EAP-TLS
> > (8) eap_peap : eaptls_verify returned 7
> > (8) eap_peap : Done initial handshake
> > (8) eap_peap : eaptls_process returned 7
> > (8) eap_peap : FR_TLS_OK
> > (8) eap_peap : Session established. Decoding tunneled attributes
> > (8) eap_peap : Peap state phase2
> > (8) eap_peap : EAP type MSCHAPv2 (26)
> > (8) eap_peap : Got tunneled request
> > EAP-Message = 0x020800061a03
> > server default {
> > (8) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message = 0x020800061a03
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (8) server inner-tunnel {
> > (8) Request:
> > EAP-Message = 0x020800061a03
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (8) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (8) authorize {
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) suffix : Checking for suffix after "@"
> > (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (8) suffix : No such realm "NULL"
> > (8) [suffix] = noop
> > (8) update control {
> > (8) Proxy-To-Realm := 'LOCAL'
> > (8) } # update control = noop
> > (8) eap : Peer sent code Response (2) ID 8 length 6
> > (8) eap : No EAP Start, assuming it's an on-going EAP conversation
> > (8) [eap] = updated
> > (8) [files] = noop
> > rlm_ldap (ldap): Reserved connection (3)
> > (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (8) ldap : --> (uid=newuser)
> > (8) ldap : EXPAND dc=test,dc=ad,dc=com
> > (8) ldap : --> dc=test,dc=ad,dc=com
> > (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (8) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (8) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (3)
> > rlm_ldap (ldap): 0 of 3 connections in use. Need more spares
> > rlm_ldap (ldap): Opening additional connection (5)
> > rlm_ldap (ldap): Connecting to 192.168.0.20:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (8) [ldap] = notfound
> > (8) [expiration] = noop
> > (8) [logintime] = noop
> > (8) [pap] = noop
> > (8) } # authorize = updated
> > (8) Found Auth-Type = EAP
> > (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (8) authenticate {
> > (8) eap : Expiring EAP session with state 0x51469e48504e84c8
> > (8) eap : Finished EAP session with state 0x51469e48504e84c8
> > (8) eap : Previous EAP request found for state 0x51469e48504e84c8,
> > released from the list
> > (8) eap : Peer sent method MSCHAPv2 (26)
> > (8) eap : EAP MSCHAPv2 (26)
> > (8) eap : Calling eap_mschapv2 to process EAP data
> > (8) eap : Freeing handler
> > (8) [eap] = ok
> > (8) } # authenticate = ok
> > (8) # Executing section post-auth from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (8) post-auth {
> > (8) ldap : EXPAND .
> > (8) ldap : --> .
> > (8) ldap : EXPAND Authenticated at %S
> > (8) ldap : --> Authenticated at 2015-07-03 14:28:13
> > rlm_ldap (ldap): Reserved connection (5)
> > (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (8) ldap : --> (uid=newuser)
> > (8) ldap : EXPAND dc=test,dc=ad,dc=com
> > (8) ldap : --> dc=test,dc=ad,dc=com
> > (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (8) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (8) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (5)
> > (8) [ldap] = notfound
> > (8) } # post-auth = notfound
> > (8) Reply:
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) } # server inner-tunnel
> > } # server inner-tunnel
> > (8) eap_peap : Got tunneled reply code 2
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) eap_peap : Got tunneled reply RADIUS code 2
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) eap_peap : Tunneled authentication was successful
> > (8) eap_peap : SUCCESS
> > (8) eap_peap : Saving tunneled attributes for later
> > (8) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273006993e66
> > (8) [eap] = handled
> > (8) } # authenticate = handled
> > (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
> > length=0
> > (8) EAP-Message =
> > 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
> > (8) Message-Authenticator = 0x00000000000000000000000000000000
> > (8) State = 0x0e90273006993e6603c734ef610afcab
> > Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273006993e6603c734ef610afcab
> > (8) Finished request
> > Waking up in 3.8 seconds.
> > Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273006993e6603c734ef610afcab
> > EAP-Message =
> > 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
> > Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> > (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
> > length=178
> > (9) NAS-IP-Address = 192.168.0.2
> > (9) NAS-Port = 50024
> > (9) NAS-Port-Type = Ethernet
> > (9) User-Name = 'newuser'
> > (9) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (9) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (9) Service-Type = Framed-User
> > (9) Framed-MTU = 1500
> > (9) State = 0x0e90273006993e6603c734ef610afcab
> > (9) EAP-Message =
> > 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
> > (9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> > (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (9) authorize {
> > (9) filter_username filter_username {
> > (9) if (!&User-Name)
> > (9) if (!&User-Name) -> FALSE
> > (9) if (&User-Name =~ / /)
> > (9) if (&User-Name =~ / /) -> FALSE
> > (9) if (&User-Name =~ /@.*@/ )
> > (9) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (9) if (&User-Name =~ /\\.\\./ )
> > (9) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> > FALSE
> > (9) if (&User-Name =~ /\\.$/)
> > (9) if (&User-Name =~ /\\.$/) -> FALSE
> > (9) if (&User-Name =~ /@\\./)
> > (9) if (&User-Name =~ /@\\./) -> FALSE
> > (9) } # filter_username filter_username = notfound
> > (9) [preprocess] = ok
> > (9) [chap] = noop
> > (9) [mschap] = noop
> > (9) [digest] = noop
> > (9) suffix : Checking for suffix after "@"
> > (9) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (9) suffix : No such realm "NULL"
> > (9) [suffix] = noop
> > (9) eap : Peer sent code Response (2) ID 9 length 43
> > (9) eap : Continuing tunnel setup
> > (9) [eap] = ok
> > (9) } # authorize = ok
> > (9) Found Auth-Type = EAP
> > (9) # Executing group from file /etc/raddb/sites-enabled/default
> > (9) authenticate {
> > (9) eap : Expiring EAP session with state 0x0e90273006993e66
> > (9) eap : Finished EAP session with state 0x0e90273006993e66
> > (9) eap : Previous EAP request found for state 0x0e90273006993e66,
> > released from the list
> > (9) eap : Peer sent method PEAP (25)
> > (9) eap : EAP PEAP (25)
> > (9) eap : Calling eap_peap to process EAP data
> > (9) eap_peap : processing EAP-TLS
> > (9) eap_peap : eaptls_verify returned 7
> > (9) eap_peap : Done initial handshake
> > (9) eap_peap : eaptls_process returned 7
> > (9) eap_peap : FR_TLS_OK
> > (9) eap_peap : Session established. Decoding tunneled attributes
> > (9) eap_peap : Peap state send tlv success
> > (9) eap_peap : Received EAP-TLV response
> > (9) eap_peap : Success
> > (9) eap_peap : Using saved attributes from the original Access-Accept
> > User-Name = 'newuser'
> > (9) eap_peap : Saving session
> > 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
> > 0x7f6012aedf20 in the cache
> > (9) eap : Freeing handler
> > (9) [eap] = ok
> > (9) } # authenticate = ok
> > (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > (9) post-auth {
> > (9) ldap : EXPAND .
> > (9) ldap : --> .
> > (9) ldap : EXPAND Authenticated at %S
> > (9) ldap : --> Authenticated at 2015-07-03 14:28:14
> > rlm_ldap (ldap): Reserved connection (2)
> > (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (9) ldap : --> (uid=newuser)
> > (9) ldap : EXPAND dc=test,dc=ad,dc=com
> > (9) ldap : --> dc=test,dc=ad,dc=com
> > (9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (9) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (9) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (2)
> > (9) [ldap] = notfound
> > (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
> > (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
> > rlm_ldap (ldap): Reserved connection (1)
> > (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (9) --> (uid=newuser)
> > (9) EXPAND dc=test,dc=ad,dc=com
> > (9) --> dc=test,dc=ad,dc=com
> > (9) Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (9) Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (9) Search returned no results
> > rlm_ldap (ldap): Deleting connection (1)
> > (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
> > FALSE
> > (9) [exec] = noop
> > (9) remove_reply_message_if_eap remove_reply_message_if_eap {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message)
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (9) else else {
> > (9) [noop] = noop
> > (9) } # else else = noop
> > (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> > (9) } # post-auth = noop
> > (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
> > length=0
> > (9) User-Name = 'newuser'
> > (9) MS-MPPE-Recv-Key =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
> > (9) MS-MPPE-Send-Key =
> > 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > (9) EAP-MSK =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > (9) EAP-EMSK =
> > 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
> > (9) EAP-Session-Id =
> > 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
> > (9) EAP-Message = 0x03090004
> > (9) Message-Authenticator = 0x00000000000000000000000000000000
> > Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
> > User-Name = 'newuser'
> > MS-MPPE-Recv-Key =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
> > MS-MPPE-Send-Key =
> > 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > EAP-Message = 0x03090004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > (9) Finished request
> >
> >
> >
> > In the ldap config file, the part related to users and groups looks like below:
> >
> > user {
> > base_dn = "dc=test,dc=ad,dc=com"
> > filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> > }
> > group {
> >
> > base_dn ="dc=test,dc=ad,dc=com"
> > filter = "(objectClass=posixGroup)"
> > name_attribute = cn
> > membership_filter =
> > "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> > membership_attribute = "memberOf"
> > }
> >
> >
> > Why can't freeradius match group "computers" to user "newuser"?
> >
> > I would be very glad of any help
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> your filter and membership_filter directives conflict.
>
> the objectClass posixGroup uses the memberUid attribute, while the
> objectClass groupOfNames uses the member attribute.
>
> because you are using AD, it should support RFC 2307bis, which makes the
> posixGroup an auxiliary objectClass, and not structural. both
> attributes (member and memberUid) can be defined for the same object,
> but it is likely that only one is used.
>
> get out your favorite LDAP browser (phpLdapAdmin, gq, lat, luma, or
> SoftTerra LDAP Browser for windows) and look at the group object you are
> trying to match on. note the used attributes and adjust your filter and
> membership_filter directives accordingly.
Thank you for the reply,
As I understood, I've changed:
filter = "(objectClass=posixgroup)" to->
filter = "(objectClass=group)"
and
membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
to ->
membership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
and still nothing.
By the way, I can't figure out the part in the freeradius output logs where
the system is trying to match these filters.
Is my configuration correct for searching groups?
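An added illustration (not FreeRADIUS code, and not from either poster) of the two steps the debug output shows rlm_ldap taking: first the user search built from `filter`, whose result DN becomes `control:Ldap-UserDn`, then the group search built from the group `filter` and `membership_filter`. It runs the filters from both messages above against two constructed entries shaped like an AD user (`sAMAccountName`, no `uid`) and an AD group (`objectClass=group`, `member` DNs); the user DN and the request values are constructed, and the `%{...}` expander and filter parser are a small subset written for this example.

```python
"""Model of rlm_ldap's user lookup followed by group lookup, using the
filters from this thread. Added illustration; not FreeRADIUS code."""
import re

# Constructed directory entries. Shapes follow an AD user (objectClass user,
# sAMAccountName, no uid attribute) and an AD group (objectClass group, member DNs).
USER_DN = "CN=newuser,CN=Users,DC=test,DC=ad,DC=com"      # constructed
GROUP_DN = "cn=computers,cn=Users,dc=test,dc=ad,dc=com"   # as used in the thread
ENTRIES = [
    {"dn": USER_DN, "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["newuser"], "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": ["top", "group"],
     "cn": ["computers"], "member": [USER_DN]},
]

XLAT = re.compile(r"%\{([^{}]*)\}")


def expand(template, attrs):
    """Expand FreeRADIUS-style %{...} references, innermost first.
    %{a:-b} yields a when a is non-empty, else b; unknown names expand to ""."""
    def one(m):
        body = m.group(1)
        if ":-" in body:
            value, default = body.split(":-", 1)
            return value or default
        return attrs.get(body, "")
    previous = None
    while previous != template:
        previous, template = template, XLAT.sub(one, template)
    return template


def parse(text, i=0):
    """Parse the filter subset used here: (&...), (|...), (!...), (attr=value)."""
    if text[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, text))
    i += 1
    if text[i] in "&|!":
        op, children, i = text[i], [], i + 1
        while text[i] == "(":
            node, i = parse(text, i)
            children.append(node)
        return (op, children), i + 1            # step over the closing ')'
    end = text.index(")", i)
    attr, value = text[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def values_of(entry, attr):
    """LDAP attribute names are case-insensitive; 'dn' is searchable too."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals if isinstance(vals, list) else [vals]
    return []


def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Directory strings and DNs compare case-insensitively in AD.
    return any(v.lower() == value.lower() for v in values_of(entry, attr))


def search(filter_text, entries):
    node, _ = parse(filter_text)
    return [e for e in entries if matches(node, e)]


def check_group(user_filter, group_filter, membership_filter, request):
    """Same order as the debug output: the user object is looked up first and
    its DN is stored as control:Ldap-UserDn (the list the original
    membership_filter referenced); only then is the group search built."""
    user_search = expand(user_filter, request)
    users = search(user_search, ENTRIES)
    if not users:                               # "Search returned no results"
        return {"user_search": user_search, "user_dn": None, "groups": []}
    ctx = dict(request)
    ctx["control:Ldap-UserDn"] = users[0]["dn"]
    group_search = "(&%s%s)" % (expand(group_filter, ctx),
                                expand(membership_filter, ctx))
    groups = [values_of(g, "cn")[0] for g in search(group_search, ENTRIES)]
    return {"user_search": user_search, "user_dn": users[0]["dn"], "groups": groups}


REQUEST = {"User-Name": "newuser"}   # Stripped-User-Name unset: no '@' in the name
USER_BY_UID = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
USER_BY_SAM = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
POSIX_GROUP = "(objectClass=posixGroup)"
AD_GROUP = "(objectClass=group)"
MEMBER_OR_MEMBERUID = ("(|(member=%{control:Ldap-UserDn})"
                       "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))")
MEMBER_REQUEST_LIST = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
MEMBER_CONTROL_LIST = "(member=%{control:Ldap-UserDn})"

if __name__ == "__main__":
    for label, args in [
        ("uid lookup, posixGroup", (USER_BY_UID, POSIX_GROUP, MEMBER_OR_MEMBERUID)),
        ("sAMAccountName lookup, posixGroup", (USER_BY_SAM, POSIX_GROUP, MEMBER_OR_MEMBERUID)),
        ("sAMAccountName lookup, %{Ldap-UserDn}", (USER_BY_SAM, AD_GROUP, MEMBER_REQUEST_LIST)),
        ("sAMAccountName lookup, %{control:Ldap-UserDn}", (USER_BY_SAM, AD_GROUP, MEMBER_CONTROL_LIST)),
    ]:
        print(label, "->", check_group(*args, REQUEST))
```

Only the last run resolves the group: the user search has to find the entry before any DN-based membership_filter has a value to match, and the group must pass the group `filter` as well as the membership test.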